How MFA and Cyber Liability Insurance Effectively Manage Risk in Higher Education
Recently, while co-hosting a webinar that kicked off Cybersecurity Awareness Month, a panelist commented that cybersecurity and privacy are team sports on a campus, much like our athletic teams. We need to work with many different teammates on campus — risk management, legal, compliance and institutional review boards, to name a few — to effectively manage cybersecurity risk across our communities. We’re used to competing with each other on the field or in research and then collaborating on pretty much everything else.
One area where campuses have been collaborating recently is the set of changes around cyber liability insurance for higher education, an opportunity for campus cybersecurity teams to combine forces with their risk management team. These groups are having lots of discussion around the fact that many campuses are required to use multi-factor authentication (MFA) for their cyber liability insurance.
In a recent Duo blog post, we gave an overview of cyber liability insurance. As part of National Cybersecurity Awareness Month and “Do Your Part. #BeCyberSmart,” with this post we’ll dig deeper on cyber liability insurance, MFA, and other cybersecurity trends impacting MFA usage in higher education to help campuses manage this aspect of cyber risk for their communities.
Cyber Liability Insurance Invests in MFA
Multi-factor authentication has been around longer than most current college students have been alive, but when it comes to strong authentication, modern MFA changed the game. The use of phishing to take over user accounts as a first step to gain access to a campus for a ransomware attack has been making the headlines. MFA is core to implementing a zero trust stance to protect your campus. Many campuses have reported that, after deploying MFA extensively, account compromises due to phishing have dropped significantly. Cyber insurance providers seem to have also noticed this from their ransomware incident response engagements for insurance claims, and in response they’re starting to require that their customers use MFA. They see the investment in MFA as critical to a campus cybersecurity program and to managing risk for a campus.
We’ve heard from campuses that haven’t widely implemented MFA yet that their cyber liability insurance providers are now requiring it. Some campuses have reported significant price increases in their cyber insurance premiums if they don’t check the MFA box, and some are even reporting that they couldn’t get insurance without checking that box. This puts them in an obvious bind, trying to figure out solutions in a short time period to meet their complex requirements across all of their integrations, different campus communities and significant budget constraints.
Higher education campuses in the U.S. can leverage the NET+ Duo Security program, designed by Internet2 and Duo to make MFA more affordable with pricing based on the populations that campuses most frequently want to protect as part of their ransomware planning: faculty, staff and students. Campuses have integrated Duo into their SSO systems, applications, cloud services and even workstation security. Having this level of protection in place won’t stop all ransomware attacks, but some of the device security functionality can be used to assess where additional attention is needed for endpoint security to prevent ransomware attacks. This is part of protecting your campus and driving down information security risk for your campuses, but it also helps protect your faculty, staff, researchers and students from loss of productivity when a problem arises.
“We have found at ODU that the addition of 2-factor authentication with Duo has been one of the key foundations of our information security program for managing risks and in raising assurance, along with endpoint protection, SIEM and an advanced firewall.” —Doug Streit, Executive Director & CISO, Old Dominion University
In addition, EDUCAUSE provides resources for higher education to help address other aspects of cyber liability insurance on campus.
Other Cybersecurity Trends Impacting MFA Usage on Campus
While cyber liability insurance and ransomware have been in the news, other developments in higher education over the last year have also been driving campuses to fine-tune their Duo deployments. We talked about expanding MFA deployments in the Multi-factor Authentication Deployment in Higher Education blog post from 2019, and little did we know the pandemic would come.
Duo explored the overall state of authentication in The 2021 State of the Auth report, and we’re seeing a significant rise in overall 2FA usage as well as in workplace adoption in higher education.
One of the biggest ongoing impacts from the pandemic has been moving everything online in higher education, where many campuses now need to protect resources they had previously made available only on-site. Some have moved computer labs online to make the software that students need for their classes available via remote desktops, which then required MFA to log in to the systems. With helpdesks now virtual, campuses have reported liking the Help Desk Push functionality for remote identity proofing. It allows helpdesk teams to aid users without requesting sensitive information, and it helps protect privacy for the community.
As part of protecting accounts and campus resources, campuses started researching device security for laptops, smartphones, etc. more closely, wanting to use device security as part of risk-based authentication to secure access. This resulted in a Security Devices, Data, and Policy NET+ webinar, in which David Allen from Pacific Lutheran University and Duo discussed how to achieve this. Discussions about protecting access have also been active in the research community, with the National Institutes of Health (NIH) deadline in September to implement MFA for all users accessing their electronic Research Administration. There are even some campuses that are deploying passwordless solutions, but more to come on that in the future.
With what we’ve learned as a community over the last couple of years, we’re well positioned to address just about any cybersecurity issue. Ransomware and cyber liability insurance will continue to pose challenges for the research and education community, but we have options to help manage this risk collectively. If you have any questions about the NET+ Duo Security program or how it can help your campus, please reach out to me. I’m happy to go over the program, community resources like a community call on the Duo Universal Prompt, and NET+ Duo community calls for you to get engaged with your peers or for your campus to sign up for the program.