“At colleges and universities across the nation, leaders agree that the key to ensuring business continuity and sustainability is cyber resilience.”

Why this is important: As highlighted in previous editions of The Academic Advisor, the education sector is one of the most targeted parts of the United States economy for cyberattacks and ransomware attacks, outpacing health care, technology, financial services, and manufacturing. With financial viability already being a huge challenge for many colleges and universities nationally, one component that should not be overlooked in a higher education institution’s operating expense budget is cyber resilience.

Unsurprisingly, much of the financial discussion surrounding higher education has been related to the falling enrollment at public four-year universities since the COVID-19 pandemic. It is no secret that institutions of higher education have continued to increase the amount of long-term debt they hold during periods when enrollment growth in the education sector has slowed and is expected to continue slowing down. The Board of Trustees of Finlandia University in Michigan issued a statement on March 2, 2023, that cited “an unbearable debt load” as a key factor in their decision to not enroll students for the 2023-2024 academic year. The Trustees then unanimously voted to dissolve the institution and wind-up affairs in an orderly manner 12 days later on March 14, 2023. Thus, for some institutions, operational debt has been the root of their downfall.

However, as the article mentions, the average higher education data breach costs approximately $3.7 million. While it is safe to presume many institutions prioritize the cost of their efforts in being able to sustain performance in the midst of effectively responding to security incidents when calculating operating expense budgets, cyber resilience requires a bit more than continuity and recovery. “The goal of resilience is not only to respond to an event but also to emerge from that event in a better posture and a better position than before,” reported Wolfgang Goerlich, an advisory CISO for Cisco DUO Security.

In addressing ways higher education institutions can enhance their cyber resilience efforts, Goerlich raised a few key considerations including:

• Consistent budgeting in the areas of cyber resilience and support by c-suite-level executives at these institutions;
• Adopting a zero-trust security strategy to improve continuity and recovery; and
• Developing easy-to-follow approaches and simplified technology solutions to allow for fewer moving pieces and consistency with the aim of promoting a better understanding of institutional goals and risks by those within the institution.

Altogether, how might this look practically? To start, after assessing the current cyber resilience level, higher education institutions should cultivate a healthy and inclusive cybersecurity culture amongst their stakeholders, high-level executives, and institution members as a whole. For higher education institutions, stakeholders may include current students, alumni, faculty and staff, researchers, research sponsors, and surrounding community members. High-level executives may include the university president or chancellor, university provost, deans, faculty senates, and the board of trustees. The cultivation itself may include informative meetings/lectures by internal and/or external cyber professionals and legal professionals such as those within Spilman’s Cybersecurity and Data Protection Group, periodic cyber-security training by security awareness training providers, and internal resources that set forth the higher education institution’s simplified and easy-to-follow proactive processes and zero-trust incident plan procedures. While everyone within a higher education institution may not play a role in making budgeting decisions, it is important that the cybersecurity culture and resources are inclusive of everyone within the institution because, in addition to technology solutions, cyber resilience includes protecting from human error. Reportedly, 77 percent of cyberattacks are due to human error. A better understanding of what budgeted funds are producing and the risks of not “buying-in” to a healthy cybersecurity culture can promote adequate budgeting and smart investing. Furthermore, educational and training opportunities and accessible resource materials to a higher education institution's entire cohort can decrease risks of human error and simultaneously increase cyber resilience producing results that will encourage consistent budgeting by informed stakeholders and executives.