How to Mitigate Cyber Threats in Education

Protecting kids, data, and operations across the education industry with ransomware mitigation solutions

Drew Schlussel
Senior Director, Product Marketing
10/31/2022

Cyber threats in schools escalate

Cyberattacks in general, and ransomware in particular, are on the rise across all organizations. The education sector is no exception. Recent research by Sophos indicates that 56% of K-12 schools and 64% of higher education institutions around the globe were hit by ransomware in 2021, up from 44% in 2020.

In May, NPR reported that at least 14 U.S. colleges or universities and nine school districts had already been hit by ransomware demands so far in 2022 and that data had been stolen in 13 of the 23 cases.

When launching a ransomware attack, a hacker infiltrates an organization’s digital systems and files using malware that could be embedded in an email attachment or document download. The hacker takes control of critical files and denies access to them (or threatens to leak them) unless a ransom is paid. In exchange, the hacker promises to provide a decryption key that unlocks the data. While the school figures out what to do, certain operations are likely to grind to a halt unless the organization has created immutable backups of its data that it can quickly and reliably restore.

What’s the potential risk to education institutions?

In 2021, it cost schools an average of $1.5 million per incident to recover from ransomware attacks, according to a study early this year of 5,600 global organizations, which included 730 education institutions. Researcher Vanson Bourne conducted the study on behalf of the cybersecurity company Sophos. By some estimates, ransomware in 2021 cost U.S. schools a collective $3.56 billion in downtime alone, not including any ransoms paid.

If a school doesn’t have staff experts trained to deal with ransomware, data might be held hostage for months. This is particularly problematic in the education sector, where pockets aren’t always as deep as those of corporations. That makes it hard to attract top cybersecurity talent at a time when cybersecurity skills shortages are at an all-time high, totaling an estimated 3.5 million globally, according to Cybersecurity Ventures.

It took Lincoln College in Lincoln, Ill., for example, until March 2022 following a December 2021 attack to determine that it would have to close its doors after 157 years of operation. The college said the attack “thwarted admissions activities and hindered access to all institutional data.” COVID-19’s impact on admissions also played a role in the shuttering.

Higher education reported the slowest recovery time from a ransomware attack among all sectors in the Vanson Bourne/Sophos 2022 report. More than three-fourths (80%) reported that it took between one and six months to recover from a ransomware incident.

Why are ransomware attacks targeting schools?

In the education sector, most threats are external and financially motivated, according to Verizon’s 2022 Data Breach Investigations Report. K-12 organizations store valuable data and personally identifiable information (PII) about students and their parents and families. Higher-education schools often create and store cutting-edge, confidential R&D data that attackers may want to steal for their own advancement or sell on the black market.

Nearly all K-12 and higher-education institutions that reported a 2021 ransomware attack in the Vanson Bourne study this year said their ability to operate had been impacted by the incident: 94% of K-12 and 97% of higher-ed schools said this was the case. While the overall attack rate on schools is slightly below the cross-industry average, according to the report, hacker success rates with ransomware encryption are significantly higher in the education community.

The report concludes that schools are comparatively less prepared to defend against malicious encryption than other industries. One reason is the expertise shortfall mentioned above. Another is that almost all schools have some systems that are externally accessible through remote access systems or web portals, particularly since the upsurge in remote learning that coincided with the onset of the COVID-19 pandemic. With access now possible from nearly anywhere, schools’ servers have grown more susceptible to attack.

What can schools do to mitigate ransomware risks?

Schools need to protect their IT infrastructures and data from vulnerabilities with a multifaceted set of defenses that include technology and user education alike. Like other industries, they should regularly review, test, and possibly reinforce their data backup and disaster recovery plans. Here are a few recommended steps:

• Educate students and employees about cybersecurity risks and practices. It’s important to raise awareness of all users—students, faculty, staff, employees, and others—about the tactics of hackers seeking to steal their access credentials by cracking passwords or using phishing scams. Making users aware of the types of emails, attachments, links, and websites to avoid goes a long way toward decreasing the school’s vulnerability. Also, make sure users know who to contact if they spot suspicious activity or believe they’ve been breached so the properly established mitigation strategy can be employed quickly and efficiently.

• Create immutable data backups. Having at least one backup copy of your data that’s immutable and not connected to primary data servers that users access every day affords the greatest defense against ransomware. Leveraging at least one (virtually) air-gapped and immutable copy, such as with the Wasabi Object Lock solution, prevents anyone—even the root user or administrator on the account—from deleting or changing files until a retention period you specify has passed. In the Wasabi solution, this immutability capability can be applied to each file, or “object.” You can also create a “bucket” with an associated retention policy that’s automatically applied to any objects/files added to that bucket.

Should a ransomware attack lock you out of your school’s primary storage data, you can wipe the primary data and fully restore your immutable backup as your primary copy. Immutability is critical because cybercriminals attack backups and archives to increase the chances that they’ll receive the ransom they demand. Be sure to test this recovery process regularly to make sure it works accurately and swiftly.

• Consider cyber insurance. Cyber insurance is growing in popularity, as it allows schools to share the cost of a hefty ransom. What’s covered depends on your policy, but in general, cyber insurance can be purchased to cover ransom fees, loss of revenue due to business interruption, expenses incurred to recover from an incident, liability costs resulting from lawsuits filed by affected individuals or companies, and regulatory compliance violation penalties. Note that cyber insurance doesn’t let you completely off the hook from infrastructure and data protection investments, however. It’s not uncommon for the cyber insurer, looking to minimize its liability payouts, to require that you take certain steps to protect yourself before it will agree to insure you—at your expense. Some will provide a free risk assessment to identify gaps in your security, which in itself can make investigating cyber insurance worth the effort.
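The immutable-backup step above depends on the bucket's retention settings being what you think they are. The following added example (not Wasabi's code and not part of the original article) audits those settings, assuming the storage exposes the S3-compatible Object Lock API and that the inputs are shaped like boto3's get_bucket_versioning, get_object_lock_configuration and head_object responses. The 30-day floor, the function names and the sample data are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

MIN_RETENTION_DAYS = 30  # assumed policy floor; set it to your own recovery window

def audit_bucket(versioning, lock_cfg, min_days=MIN_RETENTION_DAYS):
    """Return findings for one backup bucket; an empty list means it passes."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled")
        return findings
    default = cfg.get("Rule", {}).get("DefaultRetention")
    if not default:
        findings.append("no default retention on the bucket")
        return findings
    if default.get("Mode") != "COMPLIANCE":
        # In the S3 API, GOVERNANCE retention can be bypassed by a principal
        # that holds the bypass permission; COMPLIANCE cannot be shortened.
        findings.append(f"default mode is {default.get('Mode')}, not COMPLIANCE")
    days = default.get("Days", 0) + 365 * default.get("Years", 0)
    if days < min_days:
        findings.append(f"default retention {days}d is below {min_days}d")
    return findings

def unprotected_objects(objects, now):
    """Keys whose own retention is missing or has already expired."""
    return [o["Key"] for o in objects
            if o.get("ObjectLockMode") is None
            or o.get("ObjectLockRetainUntilDate", now) <= now]

# Constructed sample data, not taken from any real account.
NOW = datetime(2022, 10, 31, tzinfo=timezone.utc)
GOOD = ({"Status": "Enabled"}, {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}})
WEAK = ({"Status": "Enabled"}, {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}})
NONE = ({"Status": "Suspended"}, {})
OBJECTS = [
    {"Key": "sis/full-2022-10-30.bak", "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": NOW + timedelta(days=60)},
    {"Key": "sis/incr-2022-10-31.bak"},  # uploaded with no retention
    {"Key": "sis/full-2022-07-01.bak", "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": NOW - timedelta(days=1)},
]

if __name__ == "__main__":
    for name, (ver, lock) in {"good": GOOD, "weak": WEAK, "none": NONE}.items():
        print(name, audit_bucket(ver, lock) or "ok")
    print("unprotected:", unprotected_objects(OBJECTS, NOW))
```

Run a check like this on a schedule alongside restore tests, so that a backup job that silently stops applying retention is caught before an incident.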

Time to act

The increase in ransomware in education has created an urgency to deploy mitigation strategies that reduce the likelihood of occurrence and minimize the impact of a successful strike. Storing immutable backups that are impervious to being encrypted by hackers is a primary defense against the potential devastation of a ransomware attack. Immutability is a key component of a comprehensive data protection and recovery plan that should be tested often.

For more insight into how immutability works, read the case study about how Clarke University in Iowa protected its infrastructure with immutable backups using Wasabi Hot Cloud Storage.
