State and local Government Agencies -- Along with Education -- Must Reevaluate Cyber Risk Strategies to Remain Eligible for Cyber Insurance
New York, January 10th, 2024 -- The demonstrated inability of state and local government agencies -- as well as educational institutions -- (SLED) to effectively manage cyber risk in today's worsening threat landscape has prompted many major insurance carriers to charge more for premiums and cover fewer losses with many underwriters taking a pass altogether on preparing policies for this sector.
"These threat dynamics put pressure on leaders within the SLED community to reexamine how they assess, budget and manage risk across their organizations," said Mark Sangster, Chief of Strategy with Adlumin, in a recent Cysurance Institute interview.
While all sectors of the economy have struggled to limit the number and severity of incidents, SLED organizations have steadily fallen behind the overall market in demonstrating an ability to protect themselves since 2017. Indeed, covered cyber incidents in the public sector peaked in 2020, at the height of the pandemic.
Covered incidents have trended down in the ensuing years. But there is no way to characterize the decline as good news. It simply reflects how cyber insurance providers are restricting -- or at least reducing their exposure to -- this segment of the market.
"What must be frustrating for the sector is that these cyber-risk management struggles happened despite increases in information security spending," said Sangster.
"During the pandemic, a flood of federal and state-level funding options were available to help agencies and institutions roll out new technology platforms and security solutions to deal with remote work and learning. We're finding that we have moved into a hangover phase in which administrators, educators, technologists and cybersecurity professionals deal with the consequences of the money they spent on technology expansion," said Sangster.
While many SLED organizations have reopened their physical doors, the digital avenues of engagement activated during COVID-19 remain in place. Significant portions of the SLED workforce -- and, in the case of education, students -- still log into mission-critical applications remotely. They often use their own personal devices and home networks -- which broadly lie outside the administrative control of internal IT staff and security teams. It takes the concerns expressed about the consumerization of IT and "bring-your-own-device" to work to an entirely new level.
In the case of educational institutions, educators deploy consumer-grade services, independent of security overview. This shadow-IT represents a real risk when connected to the institution’s network.
"As a result, they're now facing a much broader threat surface than they had before the pandemic, which has resulted in a dramatic surge in ransomware attacks and other events that have caused significant outages," he said.
Many in the SLED sector responded by investing in a cornucopia of security point solutions introduced to the market through the pandemic to address discrete threats and vulnerabilities. It has not taken long for the consequences of this strategy to play out.
"New monitoring, security and detection solutions create alert overload. The majority of alerts are false. But most organizations in the sector lack the ability to automate the prioritization and assessment of alarms to take appropriate action," said Sangster.
This is a problem on multiple fronts because, on the one hand, there is too much to address, and on the other, an ignored or un-prioritized alarm that results in a breach can be an additional problem in the post-event audit. It can put decision-makers involved during the incident on the spot.
"That's why consolidating tools and taking a holistic risk-adjusted approach to security is better than simply buying a cart full of unconnected point solutions. Tools are just one part of the response and strategy. Taking care of certain basics requirements and developing a rational organization-wide strategy requires a more comprehensive level of engagement -- but perhaps with fewer tools," he observed.
To this end, a growing number of SLED organizations are taking a hard look at managed detection and response services that continuously integrate and rationalize ongoing security feeds from protected endpoints. It also provides resource-constrained agencies and educational institutions with access to highly trained staff that can monitor, investigate and respond to incidents before they become a major catastrophe.
"At Adlumin, we keep things simple. Our mission is to bring the security protection typically enjoyed by big, top-tier businesses and federal agencies and make it available to small and medium-sized organizations. In so doing, we can demonstrate an objective reduction in risk exposure, making agencies and educational institutions eligible for high-quality and affordable cyber insurance products."
These are among the reasons that Cysurance is working with the underwriting community to certify and warranty Adlumin offerings and to offer Adlumin customers -- through its managed service provider partners -- rapid access to cost-effective cyber insurance coverage.