Why Boards Need to Prioritize Cybersecurity

By Sebastian Hess    //    Volume 29,  Number 1   //    January/February 2021

Cybersecurity continues to be one of the most quickly evolving global risks for all organizations, including those in higher education.

Consider these facts:

  • Twenty-eight percent of breaches at higher education institutions resulted from phishing attacks, and 23 percent of the breaches were the result of hacking via stolen credentials.1
  • The average time from an attacker entering an organization’s network to the execution of a malicious action has significantly decreased (with some attacks taking only a few hours in extreme cases).
  • Adversaries have moved to a new ransomware model. First, they steal the data and copy it; then they issue the ransom demand. Rather than demanding a single payment to decrypt data, they are now demanding two ransoms: (1) payment to secure decryption keys (“if you pay me, I will give you the keys to unlock your data”); and (2) payment to purge the data that was stolen.

In addition, the educational services field is specifically facing the following cyber risk challenges according to Verizon’s 2020 Data Breach Investigations Report:

Ransomware accounts for 80 percent of malware-related incidents, up from 48 percent last year.

Of all industries, according to non-incident data, only 24 percent of organizations showed any phishing reporting, and there were no organizations where more than 50 percent of the malicious emails were reported during phishing awareness campaigns.

Malware distribution to victims is more common via websites than email, such malware may ultimately have initiated from an email that was unmonitored by the educational institution (such as personal mail accounts from students through websites on bring-your-own devices connected to shared networks).

Organizations are investing heavily to protect their IT systems with security controls and other infrastructure with spending set to surpass $42 billion in 2020.2 But are they investing enough to ensure that their employees are the first line of defense when it comes to protecting data and systems?

Social Engineering and Business Email Compromise—Cybercriminals and their Mind Games

Incident forensic and claims analysis have shown that most attacks are made possible by (and require) some human interaction and collaboration, though often unknowingly, in order to open the door for the attacker to succeed. In fact, 95 percent of all breaches have a human element at their beginning.3

Therefore, attention to the human element is an important factor for educational institutions, as well as their governing boards, in addressing cybersecurity issues.

The human element is oftentimes the initial entry vector for an attack through social engineering. Social engineering is the art of tricking, seducing, scaring or blackmailing an individual into giving away personal or institutional information or taking action, such as authorizing a payment. Email remains the main attack vector for social engineering, ranging from malicious spam to business email compromise (BEC) to imposter attacks that can cost organizations millions of dollars. Such methods are popular because they require minimal hacking expertise and because these attacks have a high success rate.

Perpetrators of BEC often target individuals responsible for sending payments, such as chief financial officers. Approaches may vary from a simple lure designed to spark curiosity such as sending a fake invoice to an accounts payable team to more elaborate schemes. However, the goal is the same: for the recipient to make a financial transaction or provide financial or other sensitive personal information that can later be used to enable a financial transaction.

The human factor has less to do with actual error and more to do with inadequate security cultures and the exploitation of human behavior and goodwill. Humans naturally want to work quickly, with as little disruption as possible. This leads to a tendency to overlook security processes, particularly those measures that appear to go against productivity, workplace satisfaction, and convenience.

Conclusion

As the cyber threat landscape grows and evolves, the most resilient organizations will be those which tackle the threat on an economical, technological, and behavioral level. With a duty to students, faculty and other stakeholders, an educational institution’s board must prioritize how it addresses the threat.

Organizations would be wise to start to measure and model cyber risk in economic terms through data analysis. Potential sources of such data include threat data, knowledge, and insights from their cyber insurer’s claims experience and institutional information such as current controls and practices. The output of such analysis would help facilitate:

  • Assessing the threat likelihood and control strengths across internal and external attacks.
  • Understanding the effects on the business, including cyber peril impact, probability, and expected loss ranges.
  • Using residual risk scores and risk scenarios to prioritize implementation of controls and remediation.

This should not be a one-time process. In today’s constantly evolving cyber environment, boards should regularly assess the risk to their organizations to measure effectiveness of current practices and controls, determine the need for additional controls and justify investments to improve their risk profile. Cyber risk must be continuously managed.

The tone of any organization’s cyber- security culture should be set at the top with boards taking an active role in how their organizations are addressing the ever-evolving cyber risk landscape. Through collaboration and robust oversight, organizations can better understand—and improve—their cyber risk profile.

Sebastian Hess is a cyber-risk advisor at AIG. He joined AIG to help its European customers mitigate risk from emerging threats by using his 20 years of private/public specialization in information technology security and cyber defense. Prior to joining AIG, Hess was a chief information security officer for Isabel Group. However, his career has mostly been in the global public sector. He holds a master’s in computer science from the German Armed Forces University, a master’s in executive leadership from Georgetown McDonough School of Business, and a LLM degree from Katholieke Universiteit Leuven in Belgium.

Endnotes

  1. https://enterprise.verizon.com/resources/ reports/2020-data-breach-investigations-report.pdf
  2. https://www.weforum.org/agenda/2019/07/can-cybersecurity-offer-value-for-money/ 
  3. https://blog.getusecure.com/post/the-role-of-human- error-in-successful-cyber-security-breaches