Ransomware events targeting colleges and universities doubled from 2019 to 2020 according to one recent study, while another 2021 report indicates that the average cost of such an attack jumped from US$115,123 in 2019 to $312,493 in 2020—a staggering 171% increase. When we layer reputational costs on top of the concrete financial implications of a cybersecurity breach, the scale of risk comes into even sharper focus. It’s a critical Enterprise Risk Management (ERM) issue that can only be solved through dedicated investment in specialised cybersecurity support. Yet for too many higher education institutions, cybersecurity continues to languish low on the list of organisational priorities.
Cybersecurity is no longer a localised ‘IT issue’
For most colleges and universities, particularly those of small- to medium-scale, cybersecurity has long been viewed as an IT infrastructure challenge best managed tactically by an internal technology team. Yet such teams, however skilled, are rarely versed in the specialised practices required to combat today’s sophisticated threats, nor are they typically funded at the level required for effective, long-term, enterprise-scale risk mitigation. It’s not surprising that in this context, investing to guard against cyber-attacks – a seemingly vague and distant threat – is routinely sidelined in favour of other initiatives. Yet, as the 2019–2020 data indicates, this traditional approach has yielded an unfortunate result, with small-to-medium colleges and universities emerging as a prime vulnerable target for cybercriminals. As bad actors grow ever more advanced in their tactics, institutions fall further and further behind in their security tools and practices. At best, internal teams struggle to fill gaps with limited knowledge and resources; at worst, they are not even aware of the magnitude of the threat at hand – until they become a target.
At TCS Education System, The Community Solution in Higher Education™, we’ve seen cybersecurity emerge as a critical issue as we collaborate with colleagues throughout the sector. As a system of colleges and universities based on a scaled, resource-sharing model, we protect our community by implementing specialised, up-to-date cybersecurity best practices that would simply not be feasible for smaller institutions attempting to address the problem on their own. By leveraging both centralised expertise and economies of scale in product and service investments, colleges and universities can equip themselves with 50% more cyber capabilities than are typical at schools of similar size and resource levels.
Meaningful action requires quantitative data
As in many areas, knowledge is power in the realm of cybersecurity. Education providers should recognise consistent monitoring, auditing and reporting as key pillars of security excellence, and a practice that allows them to quickly identify and address gaps in protection.
In addition to routine audits, strategic investment in cyber-threat assessment through an ERM lens is recommended. Best practices include analysing the value of both operations and data to establish a thorough and specific understanding of the potential financial and reputational risks of a cyber-attack. Only by rigorously quantifying these potential costs can an organisation make informed strategic decisions about the appropriate level of investment in cybersecurity protections. Yet, such enterprise-scale risk analysis is understandably beyond the capability of many internal IT teams. Furthermore, even once the threat is quantified, many smaller organisations lack the resources and knowledge base to take effective protective action.
Insurance and compliance demand specialised expertise
Cybersecurity insurance is another area of critical and increasing importance – especially for smaller-scale organisations with less capacity to withstand the cost of an attack. It’s crucial to ensure that the policies in place are commensurate with organisational risk levels, priorities, and resources.
With the right support, protection is possible
The days when colleges and universities could afford to sideline cybersecurity concerns are long past. And unfortunately, maintaining appropriate security standards in today’s dangerous environment requires a level of specialised expertise that’s beyond the scope of many academic institutions. No longer a siloed internal ‘IT issue’, this topic belongs at the top of every organisation’s ERM strategic priority list, on an equal footing with enrolment management and academic excellence. For trustees and leaders throughout the higher education sector, it’s time to recognise that cybercrime isn’t going away. With clear-eyed acknowledgement of the threat, an organisation-wide commitment, and necessary investment in specialised professional services, your institution can dramatically reduce cybercrime’s potential to do harm.