From the CTO and the ISO

2 May 2022
By Janet Scannell and Kendall George

This issue of the ITS Update will be focused on one topic – information security. The risks to our institutional data and to our personal privacy have exploded over the past 10 years, especially after the first “ransomworm” appeared in 2017. 

Cost of Ransomware

You are probably familiar with the Colonial Access Pipeline incident last year that resulted in the highest known ransomware payout at $5M. In higher education, we have seen similarly shocking ransomware payouts: $400K at the University of Utah and $1.4M at the University of California, San Francisco, for example. This past fall, Howard University had to delay the start of classes by two weeks after a ransomware attack. No institution or business sector is exempt from this risk, and Carleton continues to take steps to reduce risk and improve our position.

The ransom itself is not the only cost associated with an incident. There are legal and technical consulting expenses as well as staff augmentation for investigation and remediation. If personally identifiable information (PII) was in scope of the breach, it may be necessary to pay for identity theft protection services for all affected individuals. The average ransomware incident can cost from 1 to 2 million dollars. Consequently, ransomware now accounts for roughly 80% of cybersecurity insurance payouts, causing insurance companies to lose money on the cyber liability front. They are correcting for that by increasing premiums and lowering coverage.

New Demands by Insurance Companies

Insurance companies have started requiring certain security controls as a condition for insurability. The main one is multi-factor authentication (MFA), which Carleton achieved with our Duo implementation in 2018. Colleges that have not deployed MFA will likely find they cannot obtain insurance. Even with MFA, many insurers consider the higher ed market too risky. For example, insurance broker EIIA went to 30 insurers and found only three that would insure their group. 90% of the companies were just not interested in insuring higher ed institutions.

We have been checking in with our insurer for the past year to get a read on what new controls they would require. Just recently this guidance has crystallized. Here are some of the biggest new controls our insurer is requiring:

  • Endpoint Detection and Response (EDR) for all institutional machines
  • Email sandboxing
  • Air-Gapped or Cloud-Tier Backups
  • Annual web-based training for all faculty and staff
  • Phishing simulations including all faculty and staff four times per year

New Protections at Carleton

Several of these changes will be noticeable to Carleton users: 

  • The EDR software “Malwarebytes” is currently being rolled out.
  • In early May, Carleton will upgrade to paid Google licenses, which provide email sandboxing to more effectively inspect attachments for malicious code. [This will also bring other new features, which will be announced in a later communication.] 
  • ITS has started implementing a method for backing up critical data in AWS Glacier, which provides a network separation to protect our data from a ransom. 
  • Starting in October, we will be requiring annual security training and annual phishing simulations for all staff, faculty, and students. This is an expansion from our current focus on requiring those steps only for employees with access to “high-risk data”. 

Better Protection Brings Value

Complying with these required changes will mean that we are able to retain insurance coverage. If a security incident occurs, our insurance company will provide a case manager, a lawyer with expertise in cybersecurity incident response, and technical resources for investigation and remediation. Their resources will help minimize the impact of the incident and allow Carleton to recover as quickly as possible. 

Even more importantly, these changes in policy and process will result in a genuinely stronger security posture, making a ransomware incident less likely while providing better protection to our important institutional information.