School Cybersecurity Strategies as Ransomware Attacks Hit 56% of K-12
Editor’s Note: In the above video, Sai Huda’s company was incorrectly shown as “CyberCash.” The correct company name is CyberCatch, which is reflected in the write-up below.
Ransomware attacks are one of the biggest threats on the radar to businesses, from healthcare to QSR, especially since the several high-profile attacks in the last year. One of the most at-risk industries is education; primary school and colleges have been heavily impacted by ransomware threats as they often don’t have the infrastructure to stop or prevent attacks. It appears this gap between attacks and appropriate responses is only growing. A recent Sophos report conducted in February 2022 found that attacks are up across all of education, with 56% of K-12 schools and 64% of higher education institutions reporting a breach in 2021. This is up from 44% of the entire sector being affected by a ransomware attack in 2020.
“The reason why [schools] are in the line of sight is because these education institutions normally have vulnerabilities that can be easily exploited,” said Sai Huda, Founder and CEO of CyberCatch. “They have data and they would have a significant impact from a ransomware attack, let alone a data theft.”
If the Sophos report is any indication, the problem is only getting worse and schools need to invest in the right tools to protect themselves from future hacks. Experts explained that most educational institutions don’t make cybersecurity a priority, and attackers have caught on. The Sophos report reflects this; out of all the sectors studied, “education is the sector least able to stop data being encrypted in an attack,” with higher education reporting the highest data encryption rate at 74%. Hackers understand it’s fairly easy to access ransomable information from schools.
“The data is valuable because it is data about the students, about their parents and families, if they are a higher education institution, they may have research data that is of value to the attackers,” Huda said.
Schools therefore need to build the infrastructure and invest in a variety of resources to prevent their data from being leaked. While doing this can be timely and expensive, it’s likely less expensive than the average $1.5 million it cost educational institutions to retrieve ransomed data.
“[Schools should] get security advice from outside experts as there are organizations and individuals that will provide that on a pro-bono basis,” said Dave Cunningham, Senior Case Manager at Alvaka Networks.
Cunningham also mentions that educational organizations need to realize that there are different levels of security measures and they need to make sure they are implementing one that is high-caliber, proactive and responsive.
When a cybersecurity threat does happen to a school, the Sophos report found it takes them longer to address and stop the issue, usually because there aren’t specific staff members on hand that are trained to deal with this issue. This can amount to months on months of data being held hostage; higher education reported the slowest recovery time from a ransomware attack among all studied sectors, according to the Sophos report. It then costs taxpayers millions of dollars to satisfy the demands of the attackers.
While there are insurance companies that offer cyber liability insurance, it’s just now becoming a more popular solution and is not yet widely adopted. Educational institutions are reported to have below-average cyber insurance coverage, clocking in at 78% while the global average rests at 83%.
Hackers have recently taken on a double-extortion attack method where they not only hold sensitive data hostage under threat of public release, but they lock schools out of their systems all together until a ransom is paid, which includes access to admissions, enrollment, and school records.
The pandemic also opened up a lot of doors for hackers, as daily work projects and communications were suddenly conducted online and often done insecurely. Schools in particular were an easy target and collectively suffered a huge financial loss, upwards of $3.5 billion in 2021.
There are many ways that schools can try to protect themselves from cybersecurity attacks, from proper investment in personnel to more advanced network protection. The most important tip is for school and district administrators to proactively, instead of reactively, insulate against cyber breaches and to understand that even if their school wasn’t affected, the ramifications of being unprepared are enough to motivate investment into well-researched solutions.
Cunningham, who works with organizations to help recover ransomed information, advises for investments into immutable ransomware-resistant back-up solutions, multi-factor authentication for all remote and administrative access, and endpoint detection response software to create more oversight over potential or real-time attacks. Even just these basic investments will go a long way, he said.
“We’ve had eight school districts that have gotten attacked by ransomware that we have been part of helping to recover, and we can say in all eight of those school districts, the basic measures that I just listed off are not in place. And these are considered to be the starter measures, the basics that need to be in place,” Cunningham said.
According to Huda, the five main strategies that educational organizations can use in order to prevent data breaches are…
- Making sure there is an incident response plan
- Multi-factor authentication for all users
- Segmenting their networks
- Making sure backups are offline
- Instituting control testing in order to ensure all solutions are in place and working effectively
The time to make these investments is now, Huda explained. His own organization conducted a Small and Medium-Sized Businesses Vulnerability Report during Q1 2022, which included schools in the U.S. and Canada, and found that if organizations don’t make necessary changes, they’ll continue to be at risk from sophisticated hackers.
“75% said they would only survive a ransomware attack three to seven days. 55% either don’t have an incident response plan or it’s outdated, stale, and they haven’t tested it in about a year, which is not effective,” Huda said.
