(This is the second in a series of articles on ransomware attacks, cybersecurity and their impacts on higher education.)
Is your institution at risk of a ransomware attack? That might depend on your network security, the openness of your platforms, and the proactive steps being taken to ensure data are continually protected.
Colleges and universities have been relatively soft targets for online thieves looking to steal the latest research or personal information on students. Howard University, the University of California at San Francisco and University of Utah are among at least two dozen institutions where major breaches have occurred since the start of the COVID-19 pandemic.
When those incidents happen, institutions are often asked to pay large sums of money to recover sensitive data or prevent it from being released to the public. In short, they either lacked the right tools to stave off attacks, or bad actors seized on weaknesses to shut down systems before relaying their demands.
Jim Shreve, a Chicago-based partner at Thompson Coburn LLP, is one of a number of attorneys across the U.S. who advise institutions on their exposure to cyberattacks, giving clients a deep assessment of how well prepared they are. That may include a look at staffing, user access and multilayer authentication, and whether proper endpoint protection and response are being employed. Should an incident occur, legal teams like Thompson Coburn can ensure institutions respond smartly and swiftly and meet their regulatory reporting requirements to all state, federal and global entities. Having that kind of backing can be enormous in a crisis moment, when leaders may not be thinking as clearly about demands or the loss of data.
Part I: Held for Ransom: Why colleges must be proactive to prevent cyberattacks
Shreve, who chairs his firm’s Cybersecurity Group, has been working with clients for more than 20 years on privacy matters and incident response. He also has been working with the U.S. Department of Education on developing cybersecurity standards for higher education.
University Business sat down with Shreve for a conversation on the prevalence of ransomware, responses that can make a difference and proactive measures institutions can take to protect data:
Tell us about the clients you serve; who they are across higher education.
It varies greatly from very large research institutions to smaller specialty schools, nursing schools, some that are traditional brick and mortar and some that are exclusively online. The challenges and risks vary among those institutions. That’s one of the things that makes it hard in working with the Department of Education: finding something that works for a nursing school of 50 students, as well as a university that has 70,000 students.
How prevalent is ransomware in higher education?
Ransomware is enormous, and it’s continuing to get bigger. Higher education is maybe not the most prevalent target, but certainly among the more prevalent ones. I would say that because you can view higher education institutions as being a bit of one-stop shopping. If you’re a hacker, you may find financial information, healthcare information, valuable IP and other data there. Higher education has an infrastructure with a lot of users that are often distributed and with different access rights.
What are the hackers looking for?
The most common kind of hacker is simply looking to make money. They get into ransomware because it’s profitable. If you steal a large amount of personal information and then you want to repackage it, sell it on dark websites, it may take you quite a while to get paid. Ransomware allows you to do something and be paid potentially within hours or days. There is also potentially a high reward for sensitive IP, including a lot of research work. In those attacks, you can get nation-state attackers that are much more sophisticated and much harder to detect and repel. If you have a nation-state attacking you, they can bring a lot of resources to bear, more than a small criminal organization.
What is different about the cyberattacks on higher education compared with other entities?
Higher education is not so different from other industries, but we’ve seen an evolution of ransomware attacks. A few years ago, most ransomware attacks would exploit a known vulnerability, try it on a lot of different entities and demand a ransom amount that was pretty low. They would bank on the fact that the target might say, ‘Maybe we could recover from backups, but it’ll be just cheaper and easier to pay to get the decryption key.’ Now, the attacks are much more targeted. They know more about who they’re attacking and are demanding larger ransom amounts. Whereas before, where we were looking at a few thousand dollars, now it’s very common to see ransom amounts that are over a million dollars.
What are the potential outcomes if colleges and universities decide not to comply with demands?
There are risks if you pay and risks if you don’t. If you do not pay, there may be a business interruption. You may not be able to get back the systems or the data that was encrypted as part of the ransom demand. You may lose some functionality or be down for a while.
One of the best ways to defend against ransomware attacks is to have really good backups for your systems and have those backups not be vulnerable. If you can restore from those backups, you don’t need to pay the ransom for the most part. But the hackers recognize that. So oftentimes they’re taking data as well. Before launching the encryption, they’ll take data off the system to use it as further leverage. They’re saying, ‘We have this data. We will release it or sell it on the dark web unless you pay.’
Another potential risk in paying is that if you facilitate payments to a known terrorist or organized crime organization, you can be brought up on criminal charges. If you do pay the ransom, you also can hurt your relationship with law enforcement, particularly in a situation where you didn’t really need to pay.
What are some of those strategies that institutions can utilize to be proactive in trying to prevent ransomware attacks?
- Tabletop exercises of incidents. A tabletop is a practice cybersecurity incident, whether it’s on ransomware or hacking or another type of attack. The exercise is helpful to test your systems and your people. It is being done by the information security people regularly, but it oftentimes doesn’t involve some of the senior executives that need to make the important decisions. You can point out news items and say, ‘What if something like that happened here? How do you deal with it?’ That will provide invaluable knowledge about your systems and your preparation, and then you can adapt it.
- Cybersecurity insurance. But it’s important to know what is covered and what is not covered in policies. Pepper your insurer or broker with questions: ‘If this kind of thing happened here and we had to pay the ransom, is the ransom amount covered, or are we covered for business interruption? Are we covered for any number of outside people we need to bring in to address this?’
- Good backups. They are key to recovering from ransomware attacks. That more than anything lessens your need to pay the ransom.
- Greater use of encryption. If you encrypt the data that’s sitting on your system and the hackers can’t access it, it’s not valuable for them to steal. They can’t extort from you as easily.
- Consider limiting access rights. Do users have access only to what they need? Does everyone with administrator privileges really need them?
- Improving user authentication, as in multifactor authentication, and where possible using longer passwords (or passphrases) or passwords that are hard to crack.
Why is protecting against ransomware so important?
This is an area where you want to be proactive. You want to be known as somebody who takes this seriously. Part of your image as an institution is you want to make that brand strong.