How to Prepare for your Cybersecurity Insurance Risk Assessment

John LaPlante

May 20, 2022

We are seeing quite a few of our customers renew their cybersecurity insurance. Because of the increase in cybersecurity events recently, schools and school districts are seeing significant increases (some up to 300%) in their cybersecurity insurance rates. 

Here are a few strategies to keep your rates as low as possible.

Know your policy

While it seems silly to mention this, you must understand your cybersecurity policy, including what it does and doesn’t cover. It is also critical that you know the obligations the policy places on you and that you follow them to the letter. When it comes time to renew your policy, you need to fill out a risk assessment questionnaire so your carrier can price your policy according to your risk. Asking your insurance carrier for a copy of this questionnaire in advance is the first step to ensuring you get the lowest rates possible. Some items you want to check off the list will take time to implement, so timing is everything. Incorporating those changes into your technology strategic plan, so that key initiatives such as MFA are implemented properly, will ensure that your staff feel minimal impact.

Also, you must answer the questions honestly. If you answer a question incorrectly and you experience a breach, your claim may be denied based on an incorrect response.

Data Protection

Some of the most critical questions on your assessment will concern your data, including its storage, protection, backup, and recovery. You should conduct an unplanned test restore of your student data within a month of renewal. Insurance carriers will look very favorably on districts that can prove they can (1) back up and (2) restore critical data.

Asset and Identity Management

Insurance carriers will also look at both your asset and identity management programs.

You should ensure your IT department has a current inventory of all hardware and software in the district. The list should include desktops, laptops, student devices, portable equipment, smartboards, and network devices (switches, access points, servers, etc.). You should also make sure you account for software licenses. The district should document the policy for maintaining the inventory and retiring surplus equipment.

For identity management, you should ensure that your IT department works closely with human resources and your physical security teams so that new employees are promptly added to (and departing employees promptly removed from) the various programs and building-access systems. You should remove students who have graduated and employees no longer with the district. A documented point person and procedure for conducting these activities will be vital to getting the lowest rates possible.
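The roster reconciliation this paragraph calls for, as an added example that is not from the original post or from Vinson: it compares constructed HR and student-information-system (SIS) exports against a constructed directory export and flags enabled accounts that should already have been disabled. The column names, the CSV exports, and the July 1 graduation cutoff are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not real district data): HR roster, student
# information system (SIS) roster, and a directory export with enabled flags.
HR_ROSTER_CSV = """username,status,end_date
jsmith,active,
mjones,terminated,2022-04-30
"""
SIS_ROSTER_CSV = """username,grad_year
astudent,2021
bstudent,2024
"""
DIRECTORY_CSV = """username,enabled
jsmith,true
mjones,true
astudent,true
bstudent,false
svc_legacy,true
"""
GRAD_CUTOFF_MONTH = 7  # assumption: the class of YYYY is offboarded from July 1

def parse(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def find_offboarding_gaps(hr_csv, sis_csv, dir_csv, today):
    """Map username -> reason for each enabled directory account that should be
    disabled: terminated employees, graduated students, or orphaned accounts."""
    known, stale = set(), {}
    for row in parse(hr_csv):
        known.add(row["username"])
        if row["status"] != "active":
            stale[row["username"]] = f"employee {row['status']} {row['end_date']}"
    for row in parse(sis_csv):
        known.add(row["username"])
        year = int(row["grad_year"])
        if year < today.year or (year == today.year and today.month >= GRAD_CUTOFF_MONTH):
            stale[row["username"]] = f"student graduated {year}"
    gaps = {}
    for row in parse(dir_csv):
        user = row["username"]
        if row["enabled"].lower() != "true":
            continue  # already disabled, nothing to flag
        if user in stale:
            gaps[user] = stale[user]
        elif user not in known:
            gaps[user] = "orphaned: in neither HR nor SIS roster"
    return gaps
```

Run it against real exports on a schedule and treat every returned entry as a ticket for the documented point person; an empty result is the evidence a carrier wants to see.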

Password management should also be a key consideration. Multi-Factor Authentication (MFA) should not be considered a future “to-do” item for districts; you should be implementing this now or over the summer. Insurance providers are increasingly mandating this protection for all users, so if your district is not currently planning this implementation, it should be at the top of your list for summer work.

Endpoint Protection

We see insurance carriers beginning to require centrally monitored and managed Endpoint Detection and Response (EDR) rollout for all endpoints in the district. Gone are the days when Windows Defender was considered “good enough” for your cybersecurity insurance, not to mention relying on “there aren’t any viruses for Apple devices.” Investing in a solid EDR package will give you peace of mind regarding your cyber protection and ensure your insurance rates are as low as possible.

Security Awareness Training

Despite all of the technological updates and systems you put into place, social engineering continues to be one of the weakest links in a school’s cybersecurity plan. In fact, 98% of cyber attacks rely on social engineering. Social engineering is the technique an attacker uses to gain access to a school’s critical infrastructure through social or in-person manipulation rather than a technical exploit. The attacker may call the IT Help Desk, pretend to be a remote teacher, and ask for a password reset. They may contact a payroll clerk at 4:59 pm and say that there was a problem with payroll and they need to log in to the bank to process the direct deposit.

Schools and school districts should have a routine security awareness training program for all system users, including staff, teachers, students, and parents. This training program should be well-documented and audited regularly. Some districts go so far as to conduct “phishing tests,” whereby a private company attempts to obtain login credentials by sending fake e-mail messages (“phishing”) to a school’s users to measure how successful an actual attack might be.

Security Audit and Response Plan

Schools and school districts should not only implement these suggestions, but they should conduct frequent (at least annual) audits of their security plans. We recommend using the NIST framework for these audits.

In addition to audits, schools and school districts should have a Technology Impact Assessment (TIA) and a Technology Recovery Plan (TRP), as recommended by the NIST framework. The TIA identifies each of the various information systems in use in a school/district, their relative importance, their priority for recovery, and the impact on an organization should they become unavailable. The TRP steps an organization through the recovery of critical systems, including restoring backup data, purchasing new devices, re-imaging desktops and laptops, and re-installing essential software, including student, finance, operations, transportation, etc.

Summary – Implement a Layered Approach

In summary, cybersecurity protection is more than installing an antivirus program. While that is important, it is just one layer of protection that schools and school districts need to consider when implementing their cybersecurity protection plan. Insurance carriers will evaluate you on the entirety of your cybersecurity program, so the more layers you can implement, the lower your rates will be.

Vinson Protect and Vinson Backup were purpose-built to address the needs of schools and school districts concerning cybersecurity, including EDR software, ransomware protection, security audits, security awareness training, and data backup/restore. Contact us to learn more and get a customized quote for your district.