How colleges can be proactive about the ransomware threat

by Jeremy

Criminal hackers drew national attention when they brought down a major East Coast oil pipeline for several days in May, triggering a panic that led to gasoline shortages and price increases. Colleges have been similarly hit, knocked offline for days or weeks by attackers who froze — and sometimes threatened to sell — their data and demanded payment for it to be restored. Called ransomware, these attacks doubled in frequency within higher education between 2019 and 2020, according to one industry report, which pegs the average cost of such an event for institutions at $447,000. They have affected colleges nationwide, from a community college in Iowa to Michigan State University and a University of California system campus. One two-year system in Arizona said it narrowly averted such an attack.

 

Federal law enforcement agencies warned colleges of the increased threat earlier this ye.

Von Welch

Ransomware attacks are hitting colleges at an inopportune time. Institutions have relied far more heavily on virtual systems for instruction and student support during the pandemic than ever, which has made the impact of such attacks much more significant for colleges, said Von Welch, associate vice president for information security at Indiana University. Welch is also the executive director of OmniSOC, which was founded in 2018 and brings security officials from several universities together to provide 24/7 coverage of their systems. The collaborative approach also lets them apply lessons from an attack on one school to another. Higher Ed Dive talked with Welch about the recent ransomware attacks and other cyber threats colleges should watch for.

Editor’s note: This interview has been edited for clarity and brevity.

HIGHER ED DIVE: Did the group’s structure or priorities change with OmniSOC member schools doing more online during the pandemic?

WELCH: There are subtle differences, but it’s not as big a change as you might expect. It’s not like universities have been excellent, neatly contained boxes, ever. We’re very used to this dynamic nature, as opposed to organizations where the physical boundary of their building is more meaningful regarding their computer infrastructure.

We’re seeing more headlines about cyberattacks happening on campuses. Is that something schools should be worried about?

Most of the increase in threats I’ve seen to higher ed and worldwide has been related to ransomware, but it’s not mainly due to COVID. Ransomware has gotten popular because criminals can go after so many more victims. Five or ten years ago, all cybercrime was around getting things like Social Security numbers, credit card numbers, and access to bank accounts — stuff they could convert into money easily.

When someone makes a ransomware attack, they’re attacking your business continuity. So all that has to happen now is your infrastructure has to be important to you. It’s been very effective during the pandemic because — guess what — everyone is extremely reliant on their computer systems, so the impact of a ransomware attack is much larger. It grows incredibly if you think about this: who can be a victim?

Would colleges have been as big of a target for ransomware had the pandemic not happened and pushed everything online?

They would have been a target, but it probably wouldn’t have been quite as big of a story because we weren’t doing everything online. They’re using software from places like Microsoft, Zoom, and other relatively mature products. But I don’t think going online has necessarily made schools more vulnerable.

Do you notice any patterns or trends in schools getting hit with ransomware?

Information technology has gotten so complicated that smaller schools are having a more challenging time keeping up with the demands of keeping it secure. They typically don’t have as big of an IT budget. These hardworking people are being pulled in more directions and don’t have the specialization you can get at larger schools.

When we see more prominent universities hit, it tends to be their departments rather than central IT. In central IT, we have a lot of trained staff who are very focused on keeping things secure. Once you get to a department, the balance between priorities shifts between security work and other support.

What should a school do if they get hit with ransomware?

One of the critical things they will have to figure out at that moment is whether they have good backups. If you have good backups of all your IT systems, you can restore those backups and get online without worrying about extortion.

That can be a tricky ethical issue. If you don’t have good backups, you might question whether you should pay the ransom. With the pipeline attack, you have the FBI and the Department of Justice asking people not to pay ransoms because if you do, you’re giving money to the criminals; they’re investing it to become better. It encourages them to go after more victims. On the other hand, from the perspective of the pipeline CEO, they had people running out of gas all up and down the Eastern Seaboard, so they had a compelling reason to want to get back online quickly.

That may be something senior leadership wants to discuss before getting into that situation. Which critical services on their campus would cause them to shut down if they were suddenly unavailable? Ask their IT staff: Do we have a backup for that server? When was the last time we made sure the backup worked? Could we recover if a ransomware attack hits that server? It’s a disaster recovery exercise.
