Managing Cyber Risk in Education

As education providers increasingly rely on digital platforms for teaching, administration, and student engagement, the risk of cyber threats continues to grow. Cyberattacks can lead to data breaches, financial fraud, and operational disruptions, making cybersecurity a top priority for educational institutions.

Cyber insurance plays a crucial role in mitigating financial and operational risks, but institutions must also adopt proactive measures to strengthen their defences. This article highlights four key areas where education providers can effectively manage cyber risk. While there are many risk controls, cybersecurity tools and services available to directly manage cyber risk (e.g. Multi-Factor Authentication, Endpoint Detection and Response, email filtering and protection), there are a number of additional steps an organisation can take to manage its cyber risk that work complementary to such tools and controls.

We often see cyber breach events and chilling reports of severe ransomware impacts on large organisations in the media, with eye-watering extortion demands and crippling impacts on business systems. While these events take the spotlight, what is often unseen is the steady flow of cyber losses affecting everyday SME and mid-sized businesses here in New Zealand. The following article explores four key areas of cyber risk management that can be understood and implemented without significant cost or expert knowledge.
 

1. Cyber Education and Awareness Training

First up, education and awareness are critical to strong organisational cyber security. When speaking with IT security managers, their number one concern is often people making a mistake, not their tools or controls failing. Human error remains one of the leading causes of cyber incidents. Phishing attacks, weak passwords, and poor cybersecurity practices can compromise an institution’s digital security. Implementing a comprehensive cyber education and awareness training program is critical.

Best practices include:

• Conducting regular cybersecurity training sessions for staff, faculty, and students.
• Running simulated phishing exercises to test and improve employee vigilance.
• Establishing clear policies on password management, device security, and data handling.
• Promoting a culture of cybersecurity awareness, where employees feel encouraged to report suspicious activity without fear of repercussions.

Insurance policies may require evidence of cybersecurity training as part of risk assessment. A well-trained workforce can reduce the likelihood of successful cyberattacks and improve an organisation’s insurability. Furthermore, some cyber insurers offer discounted or subsidised cyber awareness and phishing training services as part of their policy.
 

2. Understanding and Managing IT Service Providers

Many education providers rely on third-party IT service providers for network management, cloud storage, and cybersecurity solutions. While outsourcing IT functions can enhance efficiency, it also introduces risks if providers do not have robust security measures.

To manage this risk effectively:

• Not all IT providers are equal, with differing standards and service levels offered. Conduct thorough due diligence before engaging an IT provider, assessing their security certifications, data protection policies, and incident response capabilities.

• Ensure contracts include clear security obligations, regular audits, and breach notification requirements, and make sure indemnity under the contract is understood. Outsourced service providers will often heavily restrict their liability to their customers. A reliance on service providers “to put things right” after an event is widely assumed but often unfounded, with most responsibility falling on the client of the provider, particularly if the root cause of the incident is not under the service provider’s control.

• Limit vendor access to sensitive data based on the principle of least privilege where possible.

• Monitor and review IT provider performance regularly to ensure compliance with agreed security standards. Ongoing audit of services expected vs services received is important.

Cyber insurance can provide coverage for breaches originating from third-party vendors, but strong contractual protections are essential as a first step for risk mitigation. 
 

3. Incident Preparedness

A well-prepared organisation can minimise the impact of a cyber incident by responding swiftly and effectively. Incident preparedness ensures that education providers can contain breaches, restore systems, and mitigate damage.

Key steps include:

• Establishing a clear understanding of what constitutes an “incident”. Response should not just be thought of for the “major” events but also for unauthorised mailbox access, inadvertent privacy breaches, etc.

• Developing and regularly updating a Cyber Incident Response Plan.

• Conducting periodic tabletop exercises and breach simulations to test response capabilities.

• Establishing a clear chain of command for reporting and handling cyber incidents.

• Maintaining secure backups of critical data to facilitate recovery in case of ransomware attacks.

Cyber insurance policies typically cover business interruption and recovery costs, with proof of an effective incident response plan often beneficial when an insurer is considering a risk. 

Preparedness not only reduces downtime but also strengthens an institution’s ability to recover swiftly.
 

4. Processes to Manage Money Loss Scams

Educational institutions are prime targets for financial fraud, including email-based payment scams, business email compromise (BEC) attacks, and fraudulent invoices. Without proper controls, schools and universities can suffer significant financial losses.

To prevent and manage money loss scams:

• Implement multi-factor authentication (MFA) for financial transactions and sensitive communications.
• Establish strict verification processes for payment requests, account changes and new payees, including dual-approval mechanisms.
• Educate staff on common fraud tactics, such as fake invoice scams and CEO fraud.
• Use email filtering and monitoring tools to detect and block phishing attempts.

Some cyber insurance policies may cover financial losses resulting from fraud, but insurers often require proof that proper controls were in place. Implementing strong financial security measures can reduce the risk of monetary loss and ensure compliance with policy requirements.

Cyber risk management is an ongoing process that requires a combination of security controls and tools, proactive security measures, staff training and incident response planning. By focusing on these, education providers can strengthen their cybersecurity posture, reduce exposure to threats, and ensure that their risk profile meets the standards cyber insurers expect.

Investing in cybersecurity is not just about compliance; it is about safeguarding the future of education in an increasingly digital world. Schools need to understand the changing risk landscape in order to make better decisions about managing new exposures and achieving cyber resilience.

Talk to Aon New Zealand’s Cyber Risk specialist, Duncan Morrison, today to find out how we can help you manage cyber risk in educational institutions.

This website contains general information only and does not take into account your individual needs or financial situation. It is important to note that limits, excesses, terms and conditions and exclusions apply to the products and services outlined on this website. Please refer to the relevant policy documents for details of cover, the provision of which is subject to the insurer’s underwriting criteria that apply at the time. Please contact us if you have any questions.