Higher education institutions have become increasingly reliant on third-party vendors for a range of services, including cloud computing, online learning platforms, and student information systems. While these relationships bring many benefits, they also introduce new cybersecurity risks that must be managed effectively. That’s why higher ed institutions need to implement information security programs that include vendor risk management, and the recent amendment to the Safeguards Rule explicitly calls for oversight and monitoring of third parties.
In this blog post, we will explore the nuances of third-party ecosystems in higher education and discuss why it is essential for CISOs and security leaders at higher education institutions to understand and manage their third-party cyber risk.
Identifying and Mapping Out Your Third-Party Ecosystem
Higher education institutions work with a wide variety of third-party vendors and contractors, including software providers, cloud services, and facilities management companies. CISOs/Security leaders must identify all of these vendors and map out their roles and responsibilities within the institution in order to manage the risks these relationships introduce. Often, procurement departments bring in IT security only after the fact to help understand the risk a vendor poses to the institution. This process can be challenging, because different departments within the institution may work with different vendors. Nevertheless, a comprehensive inventory of all third-party relationships is essential to managing cybersecurity risk effectively.
Higher education third-party ecosystems are unique, often complex, and rich with personal data, with multiple vendors and contractors providing services to different departments and units within the institution. For example, a vendor that provides an online learning platform may have access to student information, while a facilities management company may have access to building systems that support the institution’s research activities. As a result, it is essential to identify and manage the cybersecurity risks associated with each vendor and its specific role and responsibilities within the institution.
Assessing Cyber Risk in Higher Education Third-Party Ecosystems
Once all third-party relationships have been identified and mapped out, it is crucial to assess the cybersecurity risks associated with each vendor. According to a 2022 report by CRA Business Intelligence, just 29% of organizations, regardless of industry, use real-time information, risk metrics, and ongoing monitoring of third parties; the rest still rely on annual questionnaires designed to understand policies and processes related to risk. This can leave institutions vulnerable to cybersecurity threats. In addition to evaluating each vendor’s security practices and reviewing contracts and agreements, CISOs/Security leaders should conduct periodic or continuous risk assessments (depending on the criticality of the vendor) to identify potential vulnerabilities introduced by the third-party ecosystem.
Evaluate the sensitivity of the data and systems that third-party vendors have access to, and the potential impact of a cyberattack on your organization. Where applicable, explore in-scope service assessments that focus on the specific assets and services a vendor uses to deliver its service to you. A higher education institution should also establish cybersecurity requirements that all vendors must meet – such as data protection policies, access controls, patching cadence, incident response plans, right to audit, and right to assess – and then monitor vendor compliance with those requirements. One way to do this is with auto-validated questionnaires that map technical findings to the applicable questionnaire responses. Auto-validation helps the vendor review process by flagging responses that contradict what the assessed technology actually shows.
Managing Third-Party Cyber Risk in Higher Education
Managing third-party cyber risk in higher education requires a proactive approach to cybersecurity. This includes establishing clear security requirements for all third-party vendors, conducting regular security assessments, and monitoring third-party activity for signs of a security breach.
Statistics show that higher education institutions are frequent targets of cyber-attacks. According to Check Point’s 2022 Mid-Year Report, the education sector experienced a 44% increase in cyber-attacks compared to 2021, with an average of 2,297 attacks against organizations every week. This underscores the importance of a preventative stance that includes layered defense and treats third-party cyber risk management as a way to address that threat vector in higher education.
How FortifyData Can Help
Understanding and managing the cybersecurity risks associated with third-party ecosystems in higher education is crucial for CISOs/Security leaders. By identifying and mapping out all third-party relationships, assessing the associated risks, and taking proactive steps to manage those risks, CISOs can help protect their institution from cyber threats.
FortifyData can help your higher ed institution evaluate third-party vendors and the specific services or products they provide. We focus on higher education and already maintain cyber risk and vulnerability profiles on many vendors and third parties that serve the higher education community. We can integrate continuous assessments of your vendors’ assets into our embedded standard compliance questionnaires, such as HECVAT, or into custom questionnaires, to perform auto-validation that saves time when reviewing responses.
Learn more about all our third-party risk management capabilities for higher ed.