The education sector has become one of the most frequent targets of ransomware attacks and other cybercrime.
In one high-profile example, the University of California San Francisco paid over $1 million in ransom after threat actors infected several servers in the UCSF School of Medicine with NetWalker ransomware. School officials agreed to pay the ransom because they couldn’t risk having sensitive medical records released or losing access to critical data.
Another university in Massachusetts had to shut down its campus for nearly a week after a cybersecurity incident.
K-12 school districts also experience frequent cyberattacks. The K12 Security Information Exchange (K12 SIX) notes more than 1,330 incidents since 2016 on its interactive map, an average of one incident every school day for the past six years.
The costs associated with these attacks can be significant. In its most recent State of Cybersecurity report, K12 SIX documented four separate incidents with financial damage ranging from $206,000 to $9.8 million, resulting from an incident where an attacker obtained information from the district’s investment advisor and bank. This doesn’t include the cost of ransom payments.
The FBI recently issued an alert warning of an increase in PYSA ransomware targeting educational institutions. This malware exfiltrates and encrypts student data or employee payroll information from colleges, universities and K-12 school districts, then threatens to release the data unless the school pays a ransom. PYSA most often gains access through remote desktop protocol (RDP) credentials or phishing emails, according to the FBI.
Most educational institutions were unprepared for the immediate shift from in-person instruction to remote learning for their student and teacher populations, according to a report published in the ISACA Journal.
This made them easy targets for malicious actors looking to exploit a lack of education data security.
Federal laws such as the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Rule (COPPA) and the Children’s Internet Protection Act (CIPA) are designed to protect students but can leave schools vulnerable to attackers looking to exploit education records.
Additionally, states are stepping up data privacy enforcement. Forty-five states and Washington, D.C. have enacted new student data privacy laws since 2014. Those laws include the Student Online Personal Protection Act (SOPPA), which, among other requirements, requires the Illinois State Board of Education to publish a list of all online services or applications the district uses, what data it collects and why, and to notify parents of data breaches within 30 days. Other states have similar laws regulating education data.
Funding is a “critical roadblock that prevents school districts and higher education institutions from investing in cybersecurity training and tools,” IBM's Chris Scott told CBS News. School administrators are the most likely to be trained in cybersecurity, but districts lack the budget to also train teachers.
Sixty percent of teachers who responded to the IBM survey said they received no additional security training during the pandemic, despite relying on virtual and remote learning tools. Half of the respondents said they did not receive any cybersecurity training.
Funding is also lacking for school IT departments. More than a third of K-12 administrators said their school districts employ just one to three IT staffers, according to CBS News.
In addition to targeting vulnerable students and faculty through phishing schemes or malicious domains disguised as legitimate websites, the Cybersecurity and Infrastructure Security Agency (CISA) said attackers also exploit exposed ports running remote desktop protocol services, as well as software that hasn’t been updated to address the latest bugs. This can lead to data breaches and the theft of sensitive student data.
Ransomware attacks on schools can take a financial toll. The average ransom is about $50,000, according to CBS News, but the biggest payments have been up to $1.4 million.
The ISACA Journal report said that, in addition to financial loss, other effects of ransomware attacks on school districts and higher education include unauthorized access to confidential and personally identifiable information. That information can contain financial details, names, addresses and Social Security numbers. Compromised personally identifiable information (PII) can lead to identity theft and even lawsuits by victims whose information was stolen.
Even underfunded IT departments at K-12 districts and higher education institutions can take steps to improve data security at schools and other educational institutions.
One basic step is to provide teachers with cybersecurity training available at no cost through the National Institute of Standards and Technology (NIST), CISA and Amazon. This training is designed to increase awareness of the importance of data security in education and of what teachers can do to prevent attacks, including protecting their devices and spotting malicious emails.
CISA and the FBI also recommend IT leaders take steps to secure their networks and data, including:
While these recommendations will improve your cybersecurity posture, they cannot entirely prevent ransomware attacks.
Eighty-four percent of companies across industries experienced at least one ransomware attack in the past year, despite many having enterprise-level cybersecurity protections in place.
Instead of focusing solely on prevention, educational institutions with limited resources should prepare to withstand inevitable attacks. That means encrypting their files in a way that makes it impossible for attackers to gain any useful data and ensuring they are able to recover their data immediately.
Traditional best practices for data protection, backup and recovery carry inherent risks. Encryption keys can be lost or stolen. Ransomware gangs are increasingly targeting backup and recovery solutions. Myota’s patented technology decentralizes risk management by separating the data plane from authentication, separating sensitive data from identity and device, and decentralizing encryption key management. The technology is compatible with any type of storage and uses best-in-class encryption and micro-segmentation to break sensitive data into shards stored in separate repositories so attackers cannot decrypt them. In the event of a security breach, your administrators can easily retrieve and restore your protected files.