Main menu


How are K-12 and higher education institutions fighting ransomware?

featured image

Ransomware is a major concern for colleges, colleges, K-12 schools and school districts. But globally, education may face a slightly more promising picture than other sectors, according to a recent Sophos report that looked at 31 countries. Respondents included 5,600 of her IT professionals, 730 of whom were from educational institutions.

Globally, 64% of higher education and 56% of lower education organizations will experience a ransomware attack in 2021, below the global average of 66%. Schools are also unlikely to see an increase in threats, with 57% of organizations across the sector saying the volume of cyberattacks will increase in 2021, compared with 53% of higher education 47% of respondents said the same.

The lack of consistent reporting requirements prevents us from accurately tracking developments in the United States. Still, a “significant number” of K-12 school districts she’s worked with have experienced at least a small-scale ransomware incident of hers.

“Even if the school district hasn’t actually experienced a bigger ransomware event, I know someone who has,” McLaughlin said. government technology.

In higher education, ransomware tends to be opportunistic and financially motivated. Kim Milford, executive director of the Center for Research and Education Network Information Sharing and Analysis (REN-ISAC), which serves higher education and research institutions, said:

Since January 2022, REN-ISAC has identified more than 20 ransomware attacks against U.S. institutions of higher education that are newsworthy and likely many more were unannounced. Expensive, says Milford. Gabatek. Prominent ransomware groups have carried out several of these: BlackCat (reportedly behind attacks on Florida International University and University of North Carolina A&T), LockBit (Italian tax authority and The Vice Society (allegedly attacked an Austrian medical institution at the University of Innsbruck in June).

The Elusive Cyberstaff

Due to limited funding, K-12 districts are struggling to invest in cybersecurity and pay competitive cybersecurity salaries, McLaughlin said. CoSN’s latest survey found that a quarter of respondents in his district have a dedicated cybersecurity officer. They may also add cybersecurity to other duties of their members of staff, or receive part-time assistance from a virtual CISO. And the IT leader still struggles to join the school district’s leadership her cabinet and make cybersecurity an organization-wide concern.

According to Brian Kelly, director of the cybersecurity program at EDUCAUSE, a nonprofit focused on higher education IT, virtual CISOs are also attracting attention from smaller higher education institutions. And while his staff are spread across small communities from colleges to wealthy universities, Milford said, competitive salaries are a common concern.

“Higher education institutions are draining experienced cybersecurity professionals to private companies.” Milford said.

These talent gaps hinder organizations’ ability to conduct threat hunting and other manual but important cybersecurity practices, Milford said.

education risk

There are many different activities going on at colleges and university campuses. So criminals have a lot of systems to target.

‘Higher education is like a small town,’ Kelly said Gabatek. “We have all the risks that everyone else has, whether it’s in the financial services, health care, or energy sectors. Many of our EDUCAUSE members on campus have them all. It might have a medical school, or a hospital, Ohio State University…had a nuclear reactor on campus.”

And according to Milford, educational institutions with many systems often try to simplify the user experience by using single sign-on or reduced sign-on. This allows staff and students to use the same ID and password to access various systems such as email, student resources, human resources, and facilities. But this is also an opportunity for criminals to steal her login to one service and try to break into the more sensitive parts of the organization.

Attackers can also put pressure on higher education institutions by attacking at critical times, such as during final exams or at the start of a semester. Even two days of downtime for his website can be unbearable, says Milford. Today’s campuses rely on digital services for everything from homework assignments to testing to access to student grades.

“If they get trapped, the school will probably have to pay to get the resources back,” she said..

Higher Education Will Pay, But Will K-12 Resist?

According to Sophos, 46% of organizations across sectors worldwide paid ransoms last year. Higher education showed above-average payout rates — 50% did — while lower education was slightly less likely to pay, 45%.

This latter figure contradicts McLaughlin’s experience with the K-12. .

Instead, many school districts focus on building resilience and defenses through strong data backup and device management strategies, McLaughlin said.

Some states prohibit public agencies from extorting ransomware, and North Carolina law restricts local school organizations and community colleges. However, this does not bind private universities.

In fact, Milford said ransom payments are “fairly common” at higher education institutions, and many institutions are working with the federal government and cyber insurance companies to collect ransoms.

Recovery and restoration

Even if you pay the ransom, the victim will have to do a lot of recovery work. Globally, the lower-educated respondent recovered 62% of her data after payment, while the higher-educated respondent recovered 61% of her, according to a Sophos report. This was in line with the global average, but less than 68% of her data education entities recovered in 2020.

In addition, 26% of respondents in lower education and 40% of respondents in higher education globally said it took them more than a month to recover.

Kelly painted a slightly brighter picture by saying that most higher education institutions he spoke to recovered most or all of their data after the incident. He said the timeline was “probably realistic.” Milford said repairs, recovery and improved defenses could take months.

Organizations hit by ransomware often need to shut down their systems to limit the spread of malware and clean up the threat before bringing systems back online, Kelly said. Another drawback of his, Milford said, is that the university’s systems must be rebooted in a certain order, each having to improve its defenses and apply updates before it can go back online. .

With K-12, McLaughlin said timelines can vary greatly depending on the organization’s setup and the scope of the attack. School districts may take systems offline for a few days of cleanup, or spend months behind the scenes to avoid service interruptions.

cyber insurance

Globally, Sophos found that while the education sector is one of the least likely to secure ransomware insurance, it is most likely to be paid once. 83% of organizations across sectors have cyber insurance covering ransomware, compared to 78% of educational institutions. However, in this latter group, insurance companies paid some cost in 100% of higher education ransomware claims and 99% of lower education institutions.

These numbers vary in the United States, with 81% of K-12 respondents in the 2021 CoSN survey having some degree of cyber insurance, McLaughlin said. At higher education institutions, Milford anecdotally heard that almost 50% of institutions have cyber insurance, while Kelly says more than 70% of her EDUCAUSE members have cyber plans. Estimated.

Not all of these plans may be ransomware-proof. Kelly said policies increasingly include carve-outs for this attack.

Education, like other sectors, has seen cyber insurance qualifications become harder and more expensive to obtain, raising concerns about denied claims.

Speaking from personal experience, Milford said it takes “a lot of effort” to fill out an insurance company’s application questionnaire. McLaughlin advised districts to assign or hire someone with the expertise to fully understand what the application was asking for.

Schools often want to improve their cybersecurity. This is also to qualify for increased coverage and lower premiums, which insurance companies often want to help with. However, a painful transition period can occur.

“The challenge is that while we’re investing in them, premiums are also rising,” McLaughlin said. “So it becomes a resource challenge to have enough money to do what is needed and pay the premiums.”

Milford spoke as well.[Insurers] It tells you exactly what you need to do to get full coverage. However, you are still at risk if you are attacked before full cover. ”

Self-insurance has not taken off as an alternative. McLaughlin said most of his K-12 districts couldn’t handle the huge out-of-pocket costs incurred all at once in the event of a ransomware attack. And at higher education institutions, the minority of students who adopt self-insurance tend to be large institutions with “small city campuses,” Milford said.