Keeping Endowments Safe From Hackers

Cyberattacks on universities have soared, so university endowments are trying to catch up with other industries to ensure their portfolios are safe.

Reported by James Comtois

Art by Irene Servillo

 


Cyberattacks on universities have skyrocketed since the COVID-19 pandemic. In 2023, U.S. schools and colleges experienced a record-breaking 121 ransomware attacks, according to Comparitech—up 70% from the 71 attacks logged in 2022.

Since universities are particularly susceptible to data breaches, investment officers in charge of university endowments need to be prepared.

“Endowments are a prime target for bad guys,” says C. Todd Doss, senior managing director at the global security, investigations and compliance consulting firm Guidepost Solutions LLC. “To keep the bad guys out of the system … knowing who’s connecting to their systems is of the utmost importance.”

However, when it comes to universities’ cybersecurity hygiene, experts say the educational sector is behind other major industries and working to catch up.

Distinct Challenges

Universities face distinct cybersecurity challenges. For starters, the constant influx of new students and researchers accessing a school’s networks each year complicates data protection.

“Universities are open environments by design,” says Lou Steinberg, founder and managing partner in the digital research firm CTM Insights LLC. “It’s collaborative; it’s research; we’re supposed to work together, which frustrates security officers [and] creates opportunities for the bad actors.”

This openness, combined with budget constraints and aging infrastructure, makes universities particularly vulnerable to data breaches.

“Many universities are running very thin IT budgets,” Steinberg adds. “Most universities underspend on technology because they’re focused on their product, which is either education or research.”

Lagging Behind (but Looking to Catch Up)

Shailendra Fuloria, managing director of global information technology and chief information security officer at IT services firm Nagarro, notes four key steps to maintaining proper cybersecurity: protection, detection, response and recovery. Prior to the COVID-19 pandemic, most organizations placed a disproportionate focus on protection. But the rise in ransomware attacks made most industries realize that “once protection is breached, they need to have a rapid detection and response mechanism, as well as a robust recovery system.”

When it comes to this four-pronged approach to maintaining strong cybersecurity practices, financial institutions—which invest heavily in cybersecurity—tend to be more proactive and better prepared to respond to attacks. Universities, by contrast, often only act after suffering a significant breach.

“The educational sector is not as far into the protection-and-detection journey as some of the more established industries,” Fuloria says. “A lot more needs to be done on the education side.”

While universities are behind many developed industries, Fuloria and other experts see schools working to catch up. That push is reflected in increasing investment in cybersecurity technologies and strategies. John Price, CEO of the global cybersecurity firm SubRosa Cyber Solutions LLC, says he is “seeing a big interest from schools in investing in detection technologies.” Price adds that more universities are moving toward securing financial statements.

Mitigating Human Error

Maintaining strong cybersecurity is not just about dealing with attacks. Human error remains a significant vulnerability. Social engineering attacks are becoming more sophisticated, using artificial intelligence to impersonate officials or create deepfake videos. So investment offices need to make sure their staff is properly trained to prevent accidental breaches or the mishandling of sensitive information.

“Humans are going to be the biggest source of risk for an organization,” says Alastair Parr, senior vice president of global products and services at third-party risk management specialist Prevalent Inc. “They need to be trained sufficiently and generally made more aware of what people could be doing to get malicious access.”

Steinberg emphasizes the importance of multi-factor authentication and of limiting access to sensitive systems. Monitoring for unusual activity also can help detect potential breaches early.

Guidepost’s Doss explains that bad actors may compromise an email account, monitor the correspondence to identify who controls the finances and then wait for an opportune moment—like when the person is on vacation or otherwise vulnerable—to insert themselves into the conversation.

“People need to be trained on what that would look like,” Doss says. “If someone emails you and says they want to change a routing number, there should be policies in place to prevent that.”

Moreover, cyberinsurance has become a crucial component of risk management. “Cyberinsurance is becoming more mandatory,” Parr says. “There’s an expectation that you’ll have some cyber liability insurance.”

Matthieu Chan Tsin, vice president of cybersecurity services at cyberinsurance provider Cowbell Cyber Inc., emphasizes the importance of a proactive approach. “Institutions must have a comprehensive incident response plan in place before an attack occurs.”

Fuloria points out, however, that cyberinsurance is not a panacea: It helps institutions recover financially but cannot undo the reputational damage caused by data loss.

Chan Tsin also says that “insurance alone isn’t enough; it’s about minimizing risk and ensuring swift recovery.”

The Shift to Cloud and AI

With limited budgets and thin IT resources, many universities have turned to outsourcing as a means of improving their cybersecurity. The shift to cloud computing and software-as-a-service tools has allowed universities to leverage the security capabilities of specialized vendors, which often have more advanced defenses than institutions can afford on their own.

But while outsourcing can provide access to advanced security capabilities, Michael Richmond, a partner and cybersecurity and forensics services lead in EisnerAmper LLP, cautions about the risks involved.

“You may have gained technical ability, access to broader staff, with more technical acumen, but those third parties may be reliant on other third parties,” Richmond explains. “That requires some in-depth examination of their processes and their ecosystem and the services you’re actually .”

AI is also transforming both the threat landscape and defense mechanisms. While criminals use AI to automate attacks and enhance phishing scams, cybersecurity teams are using AI to improve threat detection and streamline response efforts. AI tools can process vast amounts of data and identify patterns impossible for human analysts to detect. This can help universities or other organizations quickly pinpoint vulnerabilities and mitigate threats before they become full-blown attacks.

“AI introduces more threats,” says Parr. “But as for the positives, this technology is enabling organizations to do more with less money.”

As university endowments navigate cybersecurity challenges, experts emphasize adhering to fundamental principles.

“At the end of the day, cybersecurity best practices are cybersecurity best practices,” says EisnerAmper’s Richmond. “If you’re not laying down those processes, you’re setting yourself up for failure.”
