We’ve seen an alarming rise in the number of cyberattacks against universities in the last few years, particularly as schools moved entirely or partially online during the COVID-19 pandemic. CSO reports that cyberattacks on education and research targets increased an astonishing 75 percent between 2020 and 2021. These attacks threaten to take critical functions offline, disrupting teaching and research, and put sensitive data at risk. And with many universities coping with already reduced budgets, paying to recover lost data can make a crunch worse.
As schools prepare for the fall semester, now is a good time for institutions to review their cybersecurity defenses and consider bolstering them. Here’s a look at why universities are being targeted, how cyberattacks are impacting universities, and strategies for mitigating the threat.
Why are universities targeted?
Universities possess sensitive data attractive to hackers. Data like student loans and fees move through the Bursar’s office, with sensitive financial data stored on department computers, and other personally identified information for students is typically accessible via the university’s intranet, making universities a lucrative target.
Also consider the disruption a ransomware attack can have on daily campus operations. With many courses taught entirely online, or at least featuring a hybrid component, locking students out of learning platforms can bring courses to a halt. If administrators can’t access the intranet, basic enrollment functions can’t be completed. Because some larger universities also have their own utilities operations, shutting down access to these systems can make buildings unusable. These are situations universities can’t afford to face for long, making them more likely to pay the ransom.
How are universities being impacted?
The challenges mentioned above aren’t hypotheticals. In 2020, at least 26 colleges and universities faced a ransomware attack, according to an analysis by Emsisoft. At least 14 have encountered ransomware attacks already this year.
The schools that have the resources to fight back will. In 2020, the University of California – San Francisco faced a ransomware attack impacting its School of Medicine, encrypting some of its important data. The school ultimately paid more than $1 million to get back online, a steep cost even for one of the nation’s largest higher education systems. Michigan State University faced a similar attack that year, but refused to give in to the ransom, resulting in sensitive data being leaked online.
At the other end of spectrum lie colleges without the resources to fight back quickly, and for them, the consequences of a ransomware attack can be fatal. Lincoln College, a private university in Lincoln, Illinois, faced a ransomware attack in late 2021, as it continued to struggle with enrollment decreases during the COVID-19 pandemic. Because it lost access to critical enrollment functions for three months, it was unable to recover in time to recruit new students for the Fall 2022 semester – leading the university to shut down this spring.
How can universities mitigate the threat?
Mitigation starts with education. Universities can start with training tools that go beyond a one-hour session on spotting obvious threats – cyberthreats have become more sophisticated, so training should be as well. Today’s training offerings can even simulate phishing attempts, sending out test emails to students and staff and, if the victim clicks on a link in the email, direct the user to complete additional training.
Promising advances in AI-driven cybersecurity tools can also help universities dodge potential threats. These solutions go beyond standard spam blockers, identifying users to potential threats, cataloguing the language and tactic used in the phishing email, and adding that knowledge to its database, ensuring that the tool evolves as threats do.
Higher-ed institutions should invest in strong backups, either in the cloud or on premise and air-gapped from potentially infected systems, to ensure there’s no disruption in operations if a system goes offline. Universities should also consider segmenting their network to hinder the spread of any potential cyberattack beyond the first system infected.
Now’s the time to prepare
Cyberattacks aren’t a challenge to take lightly. All it takes is one click to impact an entire campus – and even if the university can afford to pay the ransom and get back online, there’s no guarantee it will get full access back or all of its data returned.
Start preparing for an attack now by upgrading your training procedures, improving your security toolset, and ensuring continuity if an attack does slip through your defenses. These may be the smartest – and most financially prudent – initiatives your university takes on this year.