Colleges paying ransom only get 60% of data back. Here is how to protect it.

Cyber attacks are becoming more prevalent and more costly, but smart institutions can power through them.
By: | April 29, 2022
Getty Images

A new report from internet security provider Sophos shows that institutions of higher education not only were hit by cyber attacks often in 2021, but they also paid out hefty sums in ransom and still didn’t get back all the data they lost when it was stolen.

In its State of Ransomware 2022 study done of more than 5,500 organizations and sectors worldwide, colleges and universities that decided to pay hackers after breaches occurred only recovered about 60% of their precious information. Less than 5% got it all back. Across higher education, two-thirds that took part in the survey (100 to 5,000 employees) were hit by at least one ransomware attack in the previous year, up nearly 30% from 2020. The majority of hits were done using data encryption rather than simply holding the data hostage.

While two-thirds said they use some forms of backups, half of all institutions still paid to try to get data back. Although Sophos did not break down the payouts by sector, the average cost of ransomware recovery was a little more than $2 million. Cyber insurance has helped institutions, covering 100% of the payments and a lot of the clean-up costs, but only about a third paid out the ransom.

“The survey shows that the proportion of victims paying up continues to increase, even when they may have other options available,” said Chester Wisniewski, principal research scientist at Sophos. “There could be several reasons, including incomplete backups or the desire to prevent stolen data from appearing on a public leak site. In the aftermath of a ransomware attack, there is often intense pressure to get back up and running as soon as possible.”

Wisniewski said institutions try to take the easier, more expensive way out and pay hackers for a key that will decrypt their data, rather than go through the painstaking process of restoring information via backups. Not knowing what data has been breached is a major concern—from research to passwords—so they are more likely to just pay to mitigate the damage. Even then, there could be more to come if they aren’t careful. “If organizations don’t thoroughly clean up the recovered data, they’ll end up with all that potentially toxic material in their network and potentially exposed to a repeat attack,” Wisniewski said.

So what is the best strategy for colleges and universities, which may be hit with attacks at any time and may still have to pay out in the future? Having a second set of information is vital. “Higher education can’t rely solely on a ‘pay the ransom to recover’ approach to ransomware,” Christopher Budd, senior manager of threat research at Sophos told University Business, highlighting that institutions don’t get all of it back anyway. “Fortunately, our survey shows that while 50% of respondents paid ransom to recover, 70% used backups to recover. That means in this overlap of the two tactics, higher education organizations can be better placed for faster and fuller recovery when they follow a robust backup strategy.”


More from UB: Is cybersecurity insurance worth the investment?


Yet, because of the sheer volume of data and departments and the nature of institutions to be siloed, colleges and universities have many more challenges than the average business.

“The survey shows that higher education remains one of the slowest industries to recover, where around 2 in 5 took over one month to recover,” Budd said. “This tells us that while higher education may have good backup strategies that can augment ransom recovery as a tactic, there is still more work that can be done to make backup and recovery faster and more robust.”

Sophos highlighted five strategies that can be employed to help institutions prepare for the worst:

  1. Ensure security controls are continually monitored and updated and that the highest defense mechanisms are implemented.
  2. Don’t take a wait-and-see approach, even if staffing is thin. Colleges must be constantly performing checks to seek out threats. Sophos says that short of 24/7 protection from campus leaders, a third-party Managed Detection and Response (MDR) specialist might be needed.
  3. Look for potential openings that hackers can infiltrate, such as “unpatched devices, unprotected machines, open RDP ports.” Sophos says Extended Detection and Response (XDR) solutions can help.
  4. Have a stout plan in place to respond to an attack. Make it clear across departments what will happen in the event of a breach.
  5. Back up, back up, back up. And as other experts have suggested, have practice or trial runs for how you will get backups and data back in an emergency.