Higher Education is a ‘Top Target’ For Cyber Crime
According to a recent Sophos poll of IT professionals, 44 percent of educational institutions suffered ransomware attacks in 2020, and 58 percent of those hit said the attackers successfully encrypted their data. Furthermore, the survey found, the average recovery cost for organizations in the sector (considering everything from downtime to ransom demands paid) came out to more than $2.7 million, which was 48 percent higher than in other industries.
“I think for higher ed in particular, one reason the sector has become a top target has to do with how decentralized a lot of organizations are,” says Frank Kim, a SANS Institute fellow and information security consultant. Especially at the largest universities, he explains, “there can be so many different divisions and systems that it’s difficult to have consistency of controls.”
Any university IT department is well versed in ransomware prevention best practices, Kim adds. “They’re patching, they’re using backups and they’re testing those backups to make sure they work.” The problem is that those cybersecurity tactics still aren’t enough.
“If you’ve got a culture like you do in higher ed, where your people and processes intersect with your technology, then you’re going to see gaps in your coverage, and that’s low-hanging fruit for attackers,” Kim says.
At CSU, Hudson says, an internal review led to a focus on several key areas where the school could improve. Working with consultants, the team conducted a number of Active Directory reviews to ensure security configurations were optimized. They separated networks into tiers to prevent lateral movement in the event of a future breach. They also bolstered system logging and monitoring to improve incidence response capabilities, and they ramped up vulnerability testing of internet-facing systems and services.
His team also reviewed student accounts, closing those deemed to be dormant, and later decided to accelerate a universitywide rollout of multifactor authentication.
“Finally, one of the biggest things we did was put a lot of time and effort into user education,” he says. “Everyone should know what a phishing email looks like. Most of these threats should be easy to identify.”