In a span of just 12 months, Bournemouth University in England was targeted by 21 ransomware attacks. The school is hardly the only example of educational institutions coming under fire from nefarious actors. Just last year, Canada’s University of Calgary paid hackers US$16,000 to recover data after its systems were impacted for 10 days. All across the globe, colleges and universities are becoming favorite targets for cybercriminals looking to make some easy money.
According to a recent BitSight report, educational institutions are doing the least to guard themselves from the threat of ransomware. While financial and retail businesses, in particular, are taking steps to thwart cybercriminals, educational institutions as a group are not doing enough to plan for an attack. BitSight, a leading cyber-security rating company, examined six different industry verticals (finance, retail, healthcare, government, energy/utilities, and education) to get a sense of how ransomware was impacting these industries. After researching these verticals and ransomware incidents in them, BitSight assigned a security rating to each. All industries fell into the intermediate category with a rating between 640 and 740 out of a possible 900…except for education, which lagged far behind the rest of the field with a security rating well below 550.
How to combat ransomware
So what can colleges and universities do to limit the damage done by ransomware? It starts with acknowledging the threat itself. The aforementioned Bournemouth University is a great example of how to combat ransomware. A spokesperson from the school reported that even with all the attacks, there had been no impact on the school’s systems. This is likely due to the preventative measures the university took in advance as it has a cybersecurity center on campus.
Other educational institutions should follow the example set by Bournemouth University and start by acknowledging the threat of ransomware and educating IT staff on how ransomware can infiltrate a system. Ransomware is often “invited in” by unknowing staff who click on an infected link or open an attachment from a malicious email. Educating staff is a key step to guarding against cyber-threats. It’s also important for universities to understand the dangers of paying a ransom. When I was at Gartner Data Center in London, one of the analysts talked about how paying a ransom could actually get a user added to a target list. In this scenario, criminals know that the user is likely to pay a ransom since they have already done so before, opening them up for other future attacks. In addition, the FBI advises against paying ransoms because “by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
Educational institutions should start by acknowledging the threat of ransomware and educating IT staff on how ransomware can infiltrate a system.
The education of IT staff should be two-fold. Not only should the IT team know what to look for to prevent ransomware, but they should also be aware of signs that an attack is already underway. Cybercriminals most often try to scare victims into paying the ransom immediately by masquerading as government or police agencies and accusing the victim of committing criminal activity online. IT teams should realize that the systems are under attack and begin the process of unlocking or recovering files and getting the business back online.
The final step to help limit the damage done by ransomware is to have a backup in place. Backups are an integral part of a data protection and disaster recovery strategy. The ability to quickly restore critical information from a backup can be the difference between a business who is able to overcome a ransomware attack and one that is crippled by it. By recovering from a backup, victims are able to restore encrypted data and get back to business – without paying a ransom.
It’s clear that cybercriminals will continue to target educational institutions for as long as they refuse to protect against the impending threat as attackers and ransomware aren’t going anywhere anytime soon. With that in mind, it’s up to educational institutions to protect themselves from this very real and very dangerous threat.
Jesse St. Laurent is vice president of product strategy at SimpliVity