Ransomware attacks in higher ed: How you can protect your data and mitigate risks
It’s a new year, but the cyber threats to institutions of higher education have not changed. Ransomware attacks have been on the rise over the past few years and continue to strike. While there were certainly some high-profile attacks, including the attack that shut down the Continental oil pipeline, and the infamous WannaCry worm that locked thousands of users, including several UK hospitals, out of their networks causing over $4 billion in damage, the most-targeted industry is rarely making such national headlines: education, notably higher education.
Educational institutions are attractive targets for cybercriminals for a variety of reasons. The userbase at many universities exacerbates the issue; in particular, the students are not necessarily educated on the risks associated with their use of online resources and social media websites, and many cyberattacks originate from poorly-secured network infrastructure. Many attackers gain access to a university’s system by tricking users into “opening the door,” a practice known as social engineering.
Universities also possess a great deal of personal and sensitive information. For example, they routinely collect social security numbers and banking routing numbers of students, faculty, and staff. Additionally, many universities operate on-campus health clinics that maintain a trove of sensitive information. Research universities maintain confidential data relating to pending patents, research, and publications. A university hit by ransomware would be hard-pressed to calculate the potential damage caused by the wide range of possible data loss.
Finally, COVID-19 forced every university to adapt quickly to online learning. While the pandemic has become the new status quo in the last two years, underfunded IT departments have largely failed to implement robust and permanent solutions. Besides the cost associated with technological upgrades, IT departments also need to contend with user training and acceptance among faculty (and students).
Researchers have observed a spike in COVID-driven phishing attacks as well. Phishing, a form of social engineering, is a technique in which attackers posing as legitimate IT, HR, or other personnel send emails requesting personal information or access to secure systems. These attacks can be highly elaborate and well-researched; attackers often pose as actual employees and send emails from domains that appear to be legitimate at first glance. Because COVID has prompted many institutions to collect new information, such as vaccination records and direct deposit details for emergency aid funds, users can find it challenging to differentiate legitimate emails from scams.
There are new threats every day; most recently, a threat from cybercriminals known as QRishing has arisen. Cybercriminals are taking advantage of the familiarity with QR codes after many businesses started using them at restaurants and other establishments during the pandemic. These QR codes are being used by criminals to embed malicious codes into otherwise benign QR codes in order to redirect a user to a malicious website where they then attempt to get the user to provide personal information, financial information, or other data that the criminals can use to perpetrate fraud or identity theft.
So, how can you prevent (or at least, be ready) for these attacks? What does your privacy and cybersecurity compliance plan look like? Have you updated it recently? Do your staff and students know about it? Who’s on your compliance team?
At a minimum, universities should map their data (in particular, the sensitive or highly confidential, proprietary data) and conduct risk assessments to determine which systems are most vulnerable to compromise and which would cause the most damage in the event of a breach.
Additionally, students, faculty, and staff should be trained to recognize and avoid phishing attempts and the university community at large should be educated about how to protect and secure their information as well as the university’s information. Universities should also develop a system for reporting suspicious emails to the IT department for analysis.
Conducting table-top breach exercises that simulate real situations is also a very important aspect of preparation so those in charge know what to do when an incident occurs.
While ransomware is a significant threat to higher education, it is not insurmountable. Cybercriminals tend to be opportunistic, so universities can protect themselves by becoming more trouble to hack than they’re worth. Cybersecurity is easy to overlook, but this is one area in which a little investment up front can pay massive dividends later.
Kathryn Rattigan is a member of the firm’s Business Litigation Group and Data Privacy + Cybersecurity Team. She advises clients on data privacy and security, cybersecurity, and compliance with related state and federal laws. Kathryn also counsels clients in assessing risks related to technology and software contracts, as well as with compliance-related issues with outsourcing and vendor management.
More from UB