Educational institutions face a unique challenge in managing cyber risk: the very organizational structure that supports education and research can work against risk management. The decentralized nature of educational institutions serves research and learning well, but from a risk-management perspective it creates silos. Risk must therefore be quantified in a nomenclature that matters to the risk manager as well as to finance, the board of trustees and the provost.
This can be achieved by working through the following exercise:
Start by understanding the institution’s risk exposure in financial terms, asking: “If a cyber event happens to us, what might it look like?” For clarity, generate scenarios based on various aspects of the school, how technology is used, and what the impact of that technology failing might be. Consider scenarios such as a data breach, an interruption in grading systems, a hacker duping someone in treasury into wiring money to a fraudulent account, or a hack into the admissions database that exposes students’ financial records. Take a sampling of these scenarios, get various operational and functional staff around a table, and use their collective knowledge to estimate the cost of those events should they materialize.
Afterwards, choose a maturity-based cyber evaluation framework and align it with the scenarios quantified above. This lets you work downward, prioritizing the high-cost scenarios whose mitigation will have the most impact on your security posture. A maturity-based approach recognizes that cyber risk is dynamic and that managing it is a 24/7 endeavour, whereas compliance frameworks and standards often produce a false sense of confidence once the checklist is complete and the compliance framework met.