On September 17, 2020 the National Cyber Security Centre (NCSC) of Great Britain issued an alert to UK schools, colleges and universities about a recent spike in ransomware attacks against the educational sector. The BBC promptly picked up the advisory and reported on the rising trend of attacks in the country. Meanwhile in the U.S., during the first three months of 2020 there were 17 identified school districts and colleges that had been subjected to a ransomware attack. In comparison, during the same period in 2019 there was less than half that number. The spike NCSC advises of is thus certainly not unique to the UK, and in fact mirrored ‘across the pond’.
Why is higher education being targeted? In an article for The Conversation, Nir Kshetri argues that these institutions are an easy mark for ransomware attacks due to their inherently under-developed cyber security infrastructure. A 2018 report on the matter stated, “Alarmingly, out of 17 industries in the U.S., Education comes last in terms of total cyber security. This should be a cause for serious concern among students, parents, school boards, and the education industry as a whole. And yet, despite the ubiquity of data collection and the ever increasing number of schools nationwide storing data digitally, the Education industry is not doing its part to protect its students (and, essentially, itself) from such risks.” The UK is not faring any better as a report from 2019 found that hackers could breach university’s cyber defenses within two hours.
These weak cyber security measures are an open invitation for cyber-criminals that are looking for a quick pay cheque. If a university is in session and a ransomware attack shuts down their network, the school may well feel that the quickest remedy would be to pay the ransom. Even more so during the covid-19 pandemic, when more students are relying on online, remote learning. In addition to highly detailed Personally Identifiable Information (PII), universities often also have highly sensitive IP stored in their networks such as research and patents. If that data is not properly backed up and becomes encrypted, it could prove disastrous for the institution.
To beat cyber-criminals, educational institutions need to invest in comprehensive cyber security infrastructure. For readers interested in learning more, I recommend a thorough review of the two reports referenced in this blog post, the Security Scorecard’s 2018 Education Cybersecurity Report and the Higher Education Policy Institute’s report “How safe is your data? Cyber-security in higher education”. Additionally, The Cybersecurity & Infrastructure Security Agency provides a Cyber Essentials Guide to assist in implementing organizational cyber security practices.