Educational institutions are a top ransomware target. What can you do?

Amy Chang

Just prior to Labor Day, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about how they have observed “an increase in highly impactful ransomware attacks occurring on holidays and weekends,” and to be “especially diligent” in network security practices leading into them. That weekend, Howard University was one of the latest educational institutions to fall victim to attacks; Howard University remained offline for over a week after the incident occurred on Friday, September 3, and finally came back online 10 days later. Faculty and staff were asked not to plug anything into Howard’s networks.

Howard University is only the latest example of educational institutions that have suffered a ransomware attack. In 2021, there have been at least 29 major attacks against the education sector and other victims include the University of California system, University of Colorado, University of Miami, and Michigan State University.

Educational institutions’ IT teams spent much of 2020 working to get students, teachers, and staff online for remote learning in response to the coronavirus pandemic, likely introducing a fair number of new vulnerabilities and attack vectors for state-sponsored and criminal actors alike. Furthermore, education and higher education institutions can be poorly equipped with legacy information technology systems, understaffing, and limited budget resources to dedicate to cybersecurity, exacerbating potential weaknesses in schools’ technological infrastructure.

The crisis facing the education sector becomes even direr when we consider one survey that found recovery costs are “48% above average.” Considering all aspects of a ransomware attack (including downtime, device and network costs, ransoms paid), the total cost averaged US$2.73 million.

The aftermath of poor cyber hygiene can put educational institutions at risk. Some institutions have turned to cyber insurance to transfer risk, which in itself is also controversial because institutions are not addressing the underlying cyber risk that still exists. But beyond the controversial payout of ransoms, insurance can provide real solutions to the problem.

Cyber insurance has typically been dismissed as a “nice to have” option in a toolkit. Despite insurance’s reputation for encouraging moral hazards, insurance can actually put incentives in place to change human behavior for the better. We’ve seen this with both automobile insurance (seatbelts and other safety features, for example) and fire insurance.

While cyber insurance can help drive towards these solutions, cyber-resilient technological infrastructure can only be built on a solid foundation. Before considering any fancy tech solutions, consider conducting an inventory of all the technological assets on your networks, because devices that are unknown or otherwise not actively tracked cannot be successfully scanned, logged, managed, or monitored. Following are five key controls you can implement within your network to greatly reduce the chance of being successfully targeted by ransomware.

  1. Conduct regular and redundant backups: If a ransomware incident does occur, the most effective strategy for recovering is restoration from recent, clean, and encrypted backups. Organizations should review and update corporate backup policies and perform a thorough audit of all business data and where it is stored.
  2. Conduct rigorous and effective security awareness and training: With malicious actors often lurking at an institution’s doorstep, solving the human element of ransomware has been a perpetual conundrum for the security community. Many infection vectors require a human to grant access into an organization’s network, and many people do so unknowingly. In order to prevent this, organizations should create a culture of security and make appropriate resources readily available, including regular training for employees about the dangers of phishing, unsecured networks and endpoints, and other key elements of cyber hygiene.
  3. Ensure proper email security controls: Email is the most commonly used vector to deliver malicious payloads to an end user. Advanced filtering and sandbox capabilities can also be used to detonate potentially malicious indicators and block those emails either at the firewall or at the email gateway. Some other key aspects of email security include:
  • Filter unsolicited and spam emails;
  • Alert users of messages originating from outside the organization;
  • Implement DMARC policy to lower the change of spoofed or modified emails from valid domains;
  • Disable the use of macros;
  • Record and track data loss with a corporate data loss prevention policy; and
  • Establish alerts on any accounts forwarding mail outside of the organization
  1. Protect endpoints: Keeping track of devices within an organization (endpoints) becomes increasingly difficult as a business grows. In order to properly monitor endpoints, organizations need to consistently track their inventory with an up-to-date list.
  2. Network Security: The network is an interconnected artery to your organization, therefore, it is important to establish stringent access control lists throughout the network in order to minimize risks to the business. Network activity should be analyzed consistently over time to understand legitimate network patterns and enable organizations to distinguish this activity from anomalous network activity. Network segmentation can provide physical or logical separation of networks and secure sensitive or personally identifiable information (PII) from unauthorized users.

While not exhaustive, this list is a helpful start for IT and cybersecurity teams to implement across your organization and stymie the rate of ransomware attacks on a critical sector of the U.S. economy.

Amy Chang is Head of Risk & Response at Resilience. She served in the U.S. Navy as an Intelligence Officer and is a graduate of Harvard University Kennedy School of Government and Brown University. She formerly served numerous leadership roles in the Global Cybersecurity organization at JPMorgan Chase and has over a decade of experience in cybersecurity, policymaking, intelligence, and strategy both in and out of government.

Most Popular