Cyberattacks keep targeting colleges. How can they protect themselves?

Months into the COVID-19 pandemic, hackers had taken control of data belonging to a University of California San Francisco research team testing a possible coronavirus vaccine. They were demanding $3 million in exchange for returning control of the data.

A university negotiator sent them a plea.

“The sense is that it’s not looking good,” the anonymous negotiator wrote, according to a chat transcript first reported by Bloomberg. “The more I ask around, the more I hear that all departments are hurting for money. I ask you to keep an open mind.”

The highly publicized ransomware attack in June 2020 was claimed by Netwalker, a group with a history of targeting healthcare entities. UCSF, like many colleges and universities at the time, was dealing with budget cuts of up to 10% to offset revenue losses related to suspending in-person operations. But the hackers weren’t buying the plea of poverty from a university system that collects billions in annual revenue.

“You need to take us seriously,” a Netwalker representative warned. “If we’ll release on our blog student records/data, I’m 100% sure you will lose more than our price what we ask.”

Major research institutions, especially those with ties to hospitals, carry incredibly sensitive data and are increasingly becoming targets for ransomware attacks. UCSF ultimately paid $1.1 million to regain control of its hijacked servers — likely a fraction of the amount it would have spent recovering the data otherwise.

“The FBI always advises against paying the ransom,” said Adam Hardi, a higher education senior analyst at Moody’s Investors Service. “But we have seen a fair number doing it anyway because it is more economically feasible to spend $1 million than potentially $10 million to retrieve the data.”

Cyberattacks on colleges and universities have been increasing over the years, but the pandemic ushered in a new era of urgency. The attacks pose not just financial risks but also operational risk, as was the case when the University of Massachusetts Lowell canceled classes for nearly a week in June after a security breach. Some institutions, like Wichita State University, have been sued over cybersecurity incidents.

Now, as higher education institutions adjust to the new normal of hybrid learning and remote work, many are also making improvements to data security. But competition — whether with the private sector for talent or with other university departments for funding — is creating major headwinds that some fear will always keep higher education institutions one step behind.

“I’m a glass-half-empty kind of person. That’s the nature of being in security,” said Helen Patton, a former chief information security officer, or CISO, for Ohio State University. “But I’m very worried about it.”

Spending trails the pace of change

Even before the pandemic, U.S. colleges and universities were under enormous financial pressure in the face of declining enrollment, criticism over the high cost of education and constrained state funding. Resources were becoming increasingly focused on revenue generators like academics and research over investment in staff and technological infrastructure.

Cybersecurity doesn’t generate revenue, and cybersecurity improvements that money can buy are typically invisible — so spending on it often takes a back seat. In fact, the education sector ranked the lowest-performing of all industries on implementing cybersecurity measures to protect data in a 2018 report from SecurityScorecard.

“You have to think about risk and how much you’re willing to spend to mitigate it.”

Vicki Tambellini

Tambellini Group CEO and founder

Cybercriminals have noticed. During the first quarter of 2021, the education sector accounted for nearly 10% of globally reported cyberattacks, compared with 7.5% during the first quarter of 2020, according to data compiled by the cyberattack tracker Hackmageddon. Ransomware continues to be a favorite tactic. At least 26 ransomware attacks involved colleges and universities in 2020, according to an analysis by Emsisoft. In March 2021, the FBI issued a warning to education institutions about a rise in ransomware.

Part of the problem is that the shift to remote learning and remote work opened up thousands of access points via laptops, tablets and smartphones on networks not controlled by universities. That makes it harder to protect against a mistake. Moreover, the pivot further decentralized higher education’s data management environment, in which individual departments already retained much control.

Federal relief legislation provided billions of dollars in aid for colleges and universities, but it often wasn’t directed toward security. Much of it has so far gone toward student aid, revenue replacement and technology to enable remote operations.

One area of investment has received a lot of attention, however. The last two years saw a rapid acceleration in higher ed institutions adopting cloud-based systems, which has the effect of centralizing data management and giving IT departments more control over system security. The cost of moving to the cloud ranges from about $5 million for a small college over the first five years of investment to as much as $100 million for a large research university over the same time period.

Last year, nine out of 10 institutions investing in new finance and human resources systems opted for the cloud instead of updating their aging on-premise legacy systems, according to a report by the Tambellini Group, a research and advisory firm. A recent survey by Moody’s found 30% of U.S. higher education institutions were using cloud technology in 2021, compared with only 2% in 2020. Much of that increase has been driven by public universities affiliated with healthcare systems.

Washington State University, for example, migrated 100 data management systems to the cloud in just six months. The key to swift adoption was to make it easy for staff and faculty, said Sasi Pillay, vice president of information technology services and chief information officer.

“By creating a streamlined system that’s easy for faculty members to use, we are essentially able to monitor that ourselves,” he said.

Despite the investments in cloud-based systems, overall cybersecurity spending has remained relatively flat at colleges and universities. In 2020, even with the focus on remote technology, average college and university spending growth on IT merely kept pace with inflation, the Moody’s survey found. Moreover, that spending has been uneven. Actual budget increases over the last two years have been almost entirely driven by private institutions and universities with a healthcare component.

The definition of cybersecurity spending tends to differ from one university to the next, but as a percentage of IT budgets it ranges between 3% and 12%, according to Von Welch, Indiana University’s associate vice president for information security, who has studied the topic.
