Colleges and universities have recently seen a striking increase in cyberattacks, especially ransomware attacks. A study by Sophos (PDF) conducted in January and February 2022 found that 64% of higher education organizations had been hit by ransomware attacks during the previous year, a significant jump from 44% the year before. Why was there such an increase?
For starters, higher-ed institutions hold a lot of sensitive data, including personal and financial information on students and their parents. Many universities also work with government agencies on cutting-edge research, which draws the interest of nation-state actors. Part of the vulnerability problem also stems from the collegial nature of higher ed, where information is meant to be shared.
But one of the biggest reasons educational organizations have become such a popular mark is that they are easy targets. Institutions often struggle with cybersecurity basics in terms of weak policies, procedures, and defensive tools. Smaller colleges and universities often don’t have dedicated information-security staff, security budgets are slim, and, in at least one institution, there was faculty resistance to endpoint detection and response (EDR) software due to privacy concerns. Higher ed also struggles with the IT talent-retention problem seen in other industries.
Weak security practices, a wide range of vulnerabilities, and slow remediation times combine to make higher education institutions a potentially profitable target for attackers. According to that same Sophos report, ransomware attacks against higher education organizations pay off attackers at a higher rate than targets in other sectors — with 74% of ransomware attacks succeeding in encrypting data, as opposed to less-successful attacks on sectors such as healthcare (61%) or financial services (57%).
Five Steps to Improve Defenses
Security budgets and the realities of academic life may not change for organizations anytime soon, but that doesn’t mean institutions can’t implement changes that will make their data more secure. Here are five solid steps schools can take now to improve their defenses.
1. Implement Multifactor Authentication
One of the most important steps organizations can take is implementing multifactor authentication (MFA), particularly considering the increased use of remote access in the pandemic era. Widely available tools make it trivially easy for a criminal group to find soft targets that only require a username and password to gain entry to a network. By using stolen credentials, guessing commonly used passwords, or successfully phishing faculty and staff, they can look like an authorized user and bypass many controls.
2. Test and Protect Your Backups
Reliable backup systems are essential these days, especially with the rise in ransomware attacks. Before ransomware operators let an organization know they’ve been attacked, they look to find and destroy backup data. By encrypting or corrupting backup data, they reduce the likelihood of the target successfully surviving the attack without paying the ransom.
Protected backup systems, maintained separately from the rest of the network, enable effective recovery strategies and can (in some scenarios) allow organizations to refuse to pay a ransom. Immutable storage is also available from the major cloud providers, which prevents data from being modified or destroyed — even by administrators — over a set period.
3. Prioritize Patch Management
Applying updates and security patches in a timely manner is a basic step that organizations often overlook, leaving gaps in their network protection.
Bad patch management can be blamed on several factors, such as overburdened IT teams or a reluctance to deal with downtime (“we’ll do it over the break”). But the biggest cause of bad patch management is that many teams simply don’t have a routine process for patching. In many cases, teams apply and manage patches on an emergency basis, which is often too little, too late.
Establishing a patch management schedule — and sticking to it — can reduce security risk and provide greater stability for your environment.
4. Eliminate Local Admin Rights, Manage Global Admin Rights
Giving administrator rights to users who don’t need them is a widespread problem that makes life easier for attackers. Compromising super-users’ credentials gives attackers free rein to move about the network, install applications, change configurations, and steal or encrypt data.
Maintain good management of user accounts with powerful permissions across the network (e.g., Domain Admins in a Microsoft domain). This includes monitoring membership of powerful groups and changing passwords of powerful accounts when someone who knows those passwords is terminated.
5. Know What Your Network Looks Like
A good way to assess your security posture is to understand how your network looks to an attacker. They should only see websites — not file servers, admin consoles, databases, or anything else that might be on an internal network. Regularly scanning Internet-facing systems can help organizations know and limit their exposure. Universities can find myriad open source tools and commercial solutions that do an excellent job of assessing network risk factors. Vulnerability scanning is also freely available from some state governments and the US Cybersecurity & Infrastructure Security Agency.
Good Cybersecurity Hygiene Isn’t Expensive
Higher-education institutions are a big target primarily because they have a lot of sensitive information and are usually underresourced. But colleges and universities can protect themselves by following basic cybersecurity hygiene. The five steps listed above aren’t complicated or expensive, but they’re often ignored. Following those steps can help schools avoid becoming the next ransomware headline.