ANSWER: What is an incident response plan.

QUESTION: What’s the most important security measure colleges and universities must put in place to mitigate cyber threats?

This is one Jeopardy! question that you want to be able to answer not only in words but with a well-thought-out incident response (IR) plan that you can take action on the minute you realize your organization might be under attack.

Candidly, it sucks to think that higher education institutions are at the top of many cybercriminals’ hit lists. Like the healthcare organizations that are also at the top of many an attacker’s target list, colleges and universities exist to do good in the world: educate, enlighten, enrich, and improve the world through research and collaboration. Alas, in the process of providing these outcomes, higher ed institutions end up looking like a smorgasbord of irresistible delights to cybercriminals due to the institutions’ financial resources, lack of cybersecurity maturity, and need to maintain day-to-day operations.

The Verizon® 2022 Data Breach Investigations Report (DBIR) indicates that there were 1,241 cybersecurity incidents in educational services in the year reported, over 30% of them ransomware attacks. According to the most recent tracking on Statista, there were 35 publicized ransomware attacks in the higher ed sector in 2021 worldwide, second only to the government sector.

Think about it: Many higher ed institutions are like mini cities, and some of them are not so mini. They have stores, restaurants, healthcare facilities, financial services, gyms, performance centers, and housing. They have many different types of people — students, educators, administrators, staff, industry professionals, medical professionals and more — representing a gold mine of potentially valuable personally identifiable information and protected health information records, and of accounts that can serve as paths into the institution. And the cherry on top? Intellectual property. Many colleges and universities engage in research, both with other higher ed institutions and with industry, that often results in innovations worth millions or billions of dollars.

But it’s not just all of these treasures that entice cybercriminals; it’s the fact that these treasures are almost always inadequately protected. Security technology budget and staffing challenges, thousands of disparate and insecure devices on a university’s systems and networks, no centralized IT, insufficient security awareness … all of these things combine to make higher ed institutions especially vulnerable to cyberattack.

If you’re a higher ed IT or security professional, maybe you’re rolling your eyes by now thinking to yourself, “OK, OK, we’re in the thick of it and we know the challenges, but what can we do about it?”

Zero trust or bust

What does zero trust have to do with managed detection and response (MDR), the business Pondurance is in? Honestly, the concept of zero trust is associated more closely with access control and authentication. But in the college and university setting especially, both zero trust and MDR are very important foundational elements for your cybersecurity program.

In a recent Gartner webinar titled Prepare for the Top Cybersecurity Threats in Higher Education, one of the speakers, Senior Director Analyst Charlie Winckless, said this about zero trust: “Start to look at a zero trust environment, where access to critical resources is not defined by location, or by who owns the device, it’s defined by the identity and context of the user… Zero trust is a massively overused term today, but there are realistic benefits to be found by starting to shift your approach and think about how to make access more appropriate.”

Colleges and universities have long been committed to open access to information and collaboration, so changing the rules about who has access to what in order to apply the principles of zero trust might create a bit of a culture clash.

Information sharing is integral to the world of academia. At times, however, colleges and universities must restrict access to sensitive information to those who truly need it. A zero trust security model is a helpful tool to reorient security decision-making. With it, institutions assume that their systems will be breached, and therefore shift their focus to understanding the identity, device, data and context of each entry into the system…

How to address cyber threats against higher ed, Higher Ed Dive, June 6, 2022
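To make the contrast in the quotes above concrete, here is an added illustration (written for this article, not code from Pondurance, Gartner or Higher Ed Dive) of the same access request evaluated two ways: a legacy perimeter rule that trusts anything coming from a campus address, and a zero trust rule that never looks at the source address and instead decides on identity, strong authentication, device posture and the sensitivity of the resource. The campus address ranges, the role-to-resource mapping and the three sample requests are constructed for the example.

```python
"""Perimeter ("trusted campus network") access decision versus a zero trust
decision for the same request.  Added illustration; the policy values and
sample requests below are constructed, not taken from any institution."""
from dataclasses import dataclass
from typing import Tuple
import ipaddress

# Constructed: address ranges the legacy model treats as "on campus".
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.168.0.0/16")]

# Constructed: which roles may touch which restricted resources.
RESTRICTED_ACCESS = {
    "research-data": {"researcher", "faculty"},
    "student-health-records": {"clinician"},
    "payroll": {"hr", "finance"},
}


@dataclass
class Request:
    user: str             # authenticated identity; "" when unauthenticated
    role: str             # role asserted by the identity provider
    mfa: bool             # strong authentication completed this session
    device_managed: bool  # device enrolled and reported compliant
    src_ip: str           # network location of the client
    resource: str         # what is being accessed
    sensitivity: str      # "public", "internal" or "restricted"


def perimeter_decision(req: Request) -> bool:
    """Legacy rule: anything coming from a campus address is trusted."""
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in net for net in CAMPUS_NETS)


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Decide on identity, device posture and resource sensitivity.
    The source address is deliberately never consulted.  Returns
    (allowed, reason) so the reason can be logged with the decision."""
    if req.sensitivity == "public":
        return True, "public resource"
    if not req.user:
        return False, "unauthenticated"
    if not req.mfa:
        return False, "mfa required"
    if req.sensitivity == "internal":
        return True, "authenticated with mfa"
    if req.sensitivity == "restricted":
        if not req.device_managed:
            return False, "managed device required for restricted data"
        allowed_roles = RESTRICTED_ACCESS.get(req.resource, set())
        if req.role not in allowed_roles:
            return False, f"role {req.role!r} not permitted for {req.resource}"
        return True, "identity, device and role all satisfied"
    return False, "unknown sensitivity label"  # fail closed


# Constructed sample requests.
ON_CAMPUS_GUEST = Request(user="", role="", mfa=False, device_managed=False,
                          src_ip="10.20.30.40", resource="research-data",
                          sensitivity="restricted")
REMOTE_RESEARCHER = Request(user="jdoe", role="researcher", mfa=True,
                            device_managed=True, src_ip="203.0.113.7",
                            resource="research-data", sensitivity="restricted")
STUDENT_BYOD = Request(user="astudent", role="student", mfa=True,
                       device_managed=False, src_ip="10.1.2.3",
                       resource="research-data", sensitivity="restricted")

if __name__ == "__main__":
    for name, req in [("on-campus guest", ON_CAMPUS_GUEST),
                      ("remote researcher", REMOTE_RESEARCHER),
                      ("student BYOD on campus", STUDENT_BYOD)]:
        print(f"{name:24} perimeter={perimeter_decision(req)} "
              f"zero_trust={zero_trust_decision(req)}")
```

The two models disagree on every sample request: the unauthenticated device on campus Wi-Fi gets in under the perimeter rule and is refused under zero trust, while the researcher working from home with MFA and a managed laptop is refused by the perimeter rule and admitted under zero trust. The student on campus is the culture-clash case the article mentions: the network says "trusted", the policy says the device is not. Returning a reason string with every decision is what makes the policy auditable once it is deployed.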

IT and cybersecurity leaders at colleges and universities must work to get buy-in from senior leadership across the institution on plans for implementing zero trust as well as other cybersecurity measures. These initiatives cannot be done in a vacuum: “Executive-level buy-in is critical for supporting the visibility and viability of this initiative to drive security forward.” (EDUCAUSE Review, Zero Trust Architecture: Rethinking Cybersecurity for Changing Environments, Feb. 15, 2022)

Ensure you’re insured

In the State of Ransomware 2022 report recently published by Sophos, 64% of higher ed organizations reported being hit by ransomware in the last year, and even when the ransom was paid, only 60.8% of the encrypted data was restored on average. Ransom demands and payments can vary a lot, but consider the University of California, San Francisco — it made a ransom payment of $1.14 million to the attackers who hit the School of Medicine in 2020. That’s not chump change.

The good news? Cyber insurance can lessen the sting of such an attack. The Sophos report also reported that “Reassuringly for those with cyber insurance coverage, 98% that were hit by ransomware and had cyber insurance that covered ransomware said the policy paid out in the most significant attack – up from 95% in 2019.”

The bad news? Cyber insurance policy costs are going way up, and the premium might be even higher if it covers ransomware. However, there are way more advantages to funding this insurance than there are to funding criminal activity through ransom payments — like the survival of your institution. The other big benefit of cyber insurance: It forces your institution to have some baseline of security controls in place to address cyber risk, as insurance firms enforce mandatory requirements to qualify for insurance.

One of the mandatory requirements insurers are insisting on, by the way, is 24/7/365 security operations, which is where Pondurance comes into play. Our MDR services can provide exactly this: year-round, around-the-clock threat monitoring, detection, and response. We don’t just throw threat alerts over the fence at our clients for them to resolve on their own; our security analysts and threat hunters identify the real threats that need to be acted on and work collaboratively with your team to respond appropriately and mitigate the threat. 

The quality of the continuous monitoring that we provide, combined with our IR capabilities, is one of the reasons Pondurance has been able to establish strong relationships with some of the nation’s top cyber insurance firms.

This is the Pondurance IR hotline, and if you’re an IT or security pro at your college or university and don’t have an IR hotline programmed into your mobile phone, it’s time.

Having a plan for how to deal with an incident is absolutely critical — hence the opening Jeopardy! question. According to the 2021 Cost of a Data Breach Report (IBM Security), organizations with IR plans can save millions of dollars as a result of being able to contain a breach quickly. But it’s not just the cost savings that validate the need for an IR plan; the sooner you can stop an attack in its tracks, the less of a business impact a breach will have on your institution. An IR plan is often required before cyber insurance firms will provide coverage, so that’s another great benefit of having a plan in place.

Some colleges and universities publish their IR plans on their websites, and EDUCAUSE provides a helpful guide on incident management and response, so there are plenty of great models out there to help you if you’re just getting started on creating a plan for your higher ed institution. And of course, Pondurance would love to help you with your plan. We have many years of experience with IR and, through the combination of our MDR and IR services, have helped many higher ed institutions stay safe, get insured, and mitigate threats.

ANSWER: Who is [name of your institution].

QUESTION: Which higher education institution avoided becoming another ransomware statistic because it had the right MDR services and a great IR action plan in place?

Additional helpful resources: