Higher ed in a "polycrisis" world
Leaders at higher education institutions face the daunting challenge of protecting their colleges and universities amid an increasingly complex "polycrisis" risk environment. A wide array of dynamic risks comes to mind, such as sophisticated cyber threats targeting the sector, nation-state espionage, on-campus active shooter events, changing security risks to students and faculty traveling abroad and climate-driven natural disasters.
- Cyberattacks targeting higher education institutions have risen sharply. According to the 2023 SonicWall Cyber Threat Report, higher education institutions saw a 26% rise in malware attacks between 2021 and 2022. Post-secondary institutions are particularly vulnerable to targeting given the large size of their communities (students, staff and faculty) and threat actor perceptions of outdated controls and resource limitations, combined with the move to remote working.
- Traveling students, faculty and alumni often encounter changed security environments and emerging risks they may not have considered before COVID. Social unrest and protests are popping up with more frequency, and in places they previously hadn’t. With increased levels of disruption and even violence, these events require travelers to proactively consider their personal security risks prior to and during travel.
- FBI data demonstrates an uptick in active shooter attacks targeting higher education institutions in the US in recent years. Ensuring the safety of university and college communities, which can resemble small cities and represent educational, workplace and residential environments, is a complex task. This combination is unique and presents a variety of security vulnerabilities—as well as a variety of potential stressors—for students, faculty and staff. Recent targeted attacks have also highlighted the myriad crisis management issues that can emerge during a critical incident in high schools and universities, including mass notification challenges, shelter-in-place protocols, traumatization, and post-incident recovery.
- Higher education institutions face increasing threats to personnel and property alike from wildfires, flooding, hurricanes and other events associated with the climate crisis. In 2023, several universities in Canada were forced to evacuate their campuses due to wildfires. Zurich Insurance has reported that weather and climate-related events cost the global economy USD 313 billion in 2022.
- Nation-state espionage targeting high-value research which involves collaboration between academics and potential hostile actors further adds to the scale of the challenge colleges face.
How should post-secondary organizations navigate these challenges?
Amid such challenges, post-secondary organizations cannot afford to be caught flat-footed. They must take proactive steps and be prepared to act with speed and efficiency to protect their people, community, data, and reputation. In order to do so, higher education institutions should adhere to four core principles:
- Understand their existing and emerging threat and risk profile to identify areas of potential concern and how they could impact their community, programs and activities.
- Reduce the likelihood of reasonably foreseeable disruptions/crises materializing, where possible.
- Reduce the impact of incidents and crises through effective response capabilities.
- Embrace continuous adaptation and improvement.
Within each of these principles, colleges and universities must also recognize that effective readiness, response and recovery require a combination of long-standing crisis management orthodoxy and innovations to keep pace with today’s (and tomorrow’s) threat environment, modes of operation and stakeholder expectations.
Understanding threats and risks and taking steps to reduce the likelihood of materialization
Understanding and assessing an organization’s key threats and risks at the outset and using those to inform one’s program have long been part of crisis management orthodoxy. Without first understanding the threat and risk environment in which the college or university operates, it’s extremely difficult to know what level of controls and monitoring are sufficient. Truly mature programs, however, go one step further to recognize that these threats and risks will change over time and can be influenced by both internal and external factors that could be out of the organization’s control. Threat and risk assessments need to be both:
- Thorough and holistic, identifying the key threats and risks the institution faces across all aspects of its programs and activities and how those risks could negatively impact its community and the things it cares about the most (e.g., students, faculty and staff, campuses, intellectual property)
- Dynamic and objective, and consistently refreshed using reliable and comprehensive analysis
In addition, leading higher education organizations with a commitment to crisis avoidance are moving beyond basic risk assessment techniques and investing in real-time monitoring capabilities focused on both existing and emerging threats (aka the “next COVID” or the next geopolitical crisis). This includes intelligence analysis, forecasting tools, social media aggregation, internal alert data and other monitoring tools as well as stakeholder analysis to not only predict and interdict potentially disruptive events before they happen but also to allow organizations to initiate their incident and crisis response plans quickly and efficiently.
Reducing impact through effective crisis response
Even if post-secondary organizations take reasonable steps to minimize the chances of a crisis occurring, it is unrealistic to think that all crises can be avoided, particularly in this “polycrisis” world. With that in mind, colleges and universities must take concrete steps to enable effective crisis response and reduce the impact of future disruptive events. First and foremost, support from leadership is crucial. Empowered governance and defined roles and responsibilities, effective teams with thoughtfully selected members, robust incident and crisis response planning, and informative training and exercising are equally critical. In addition, a truly integrated and therefore effective response is only feasible if based on a better alignment and shared understanding of previously complementary yet disparate capabilities around crisis management, business continuity, cyber, disaster recovery and emergency response.
One cannot overstate the value of crisis exercising. Leading-edge colleges and universities conduct exercises of increasing complexity using diverse scenarios and provide teams the opportunity to practice responding to crises in a “safe” environment. Post-secondary institutions seeking to ensure that their programs are forward-looking increasingly build their exercise scenarios around key emerging and complex risks, with the goal of “poking holes” in their readiness for such events. This has become increasingly popular as leaders look to be more proactive to avoid finding themselves on the back foot as many did during recent large-scale crises (e.g., COVID). These exercises often pull in diverse teams from across the institutions and test the organization’s ability to respond both tactically and strategically. In addition, organizations are increasingly using technologies (e.g., tools for mass notification/accounting for personnel) in exercises and asking key response providers such as their legal counsels and crisis responders to participate. This helps intensify realism and identify gaps that illustrate a more realistic picture of how the organization will respond in an actual crisis.
Control Risks has been supporting organizations, including post-secondary institutions, in responding to and recovering from acute crises since 1975. In that time, we have seen some of the best responses to crises; we have also seen organizations make critical and impactful errors. Throughout our history, there remains some enduring orthodoxy. Organizations can emerge stronger regardless of the type of crisis, if they:
- Put people first
- Lead with their values
- Focus on recovery from the start of and throughout the response
- Preemptively and holistically attack impact while determining root cause
- Empower their crisis leaders with authority and decision-making abilities
- Use lessons learned from previous crises
That said, colleges and universities are being pushed ever harder to evolve the way they approach crisis and incident response itself. Successful crisis management that focuses on impact reduction and rapid recovery in today’s polycrisis world includes looking outside the walls of one’s institution and recognizing the need for external assistance. This includes the use of external counsel, crisis PR firms and breach coaches, among others. We are also seeing a rise in organizations partnering with crisis response providers that have localized on-the-ground expertise and can provide in-the-moment support during any crisis, including in far-flung geographic areas where faculty or students might be.
Embracing continuous adaptation and improvement
So how do organizations truly embrace continuous improvement and reap its benefits for greater resilience? The good news is that if you are already embracing the first two principles discussed above (i.e., focusing on likelihood and impact reduction), you are halfway there. For instance, exercises are a fantastic way to continually improve response skills and readiness for whatever a university or college may face.
Organizations should not only improve capabilities before a crisis hits, but also continuously improve their capabilities to extend beyond the crisis response and into the recovery phase. Whether it be through a lessons-learned analysis or post-incident review, we recommend institutions formalize mechanisms that allow them to review their performance during a crisis and dig into how well prepared they were and how they responded.
In order to fully embrace continuous improvement, these reviews must result in action. Colleges and universities should not only share these results with leadership for both awareness and support, but also formally assign responsibility for resolving identified gaps as well as monitoring progress. Where possible, it is helpful to share these risks and issues across the organization as many of these discoveries point to campus-wide issues and could be connected to other risks already being addressed (e.g., enterprise risk management). Ongoing risk monitoring adds further rigor to such activities. If one of the goals in recovery is the avoidance of similar crises in the future, there are few more effective tools than proactive risk monitoring.
Relevant Control Risks services for the higher education sector
Control Risks has a long history of advising colleges and universities across a variety of disciplines. Examples include the following:
- Threat and risk assessments – international, on-campus or specific to a risk type (e.g., security)
- Enterprise risk management program development and improvement
- Ongoing threat, risk and intelligence monitoring – international, campus or specific to a risk type (e.g., cyber)
- Crisis management, business continuity, cyber and physical security, emergency management:
- Maturity assessments and health checks
- Governance and policy support
- Plan development and integration
- Training and exercising
- Investigative support
- Crisis communications strategy development and training
- Insider risk / intellectual property vulnerability assessments and protection
- Workplace violence and active shooter program development and training
- Acute crisis (e.g., kidnap-for-ransom, extortion and unlawful detention) planning, training/exercising and response services
- Travel security support
For more information
For more information on how Control Risks can help your organization, please contact us.