Dive Brief:
- Ransomware is the top security threat at higher education institutions, according to a new report from cybersecurity services firm BlueVoyant. The research was based on open-source data, including automated analysis of threat searches across thousands of colleges worldwide.
- Ransomware attacks on colleges doubled from 2019 to 2020, costing an institution $447,000 on average. Clop, Ryuk, NetWalker, and DoppelPaymer were the primary ransomware families targeting education institutions.
- According to the report, data breaches accounted for half of the security incidents colleges dealt with in 2019. It found that nation-state activity leading to data theft impacted more than 200 institutions over the last two years.
Dive Insight:
The pandemic ramped the adoption of laptops, smartphones, and tablets within colleges and universities. While higher education has long permitted remote work, the pandemic “challenged the boundary” of stable security, said Raechelle Clemmons, a former college chief information officer and now the vice president of industry relations at Tambellini Group, a higher education technology analyst firm.
“Information security and higher ed have been somewhat tactical,” Clemmons said. “There’s a lot more thinking towards sort of risk registers and our risk tolerance as an organization.”
Educause named information security the top higher ed IT issue for 2020. “To rely on perfect behavior from perfectly informed end-users using perfectly safeguarded systems, devices, and networks is … perfectly foolish. And yet we do,” the ed-tech advocacy group said in its report.
It encourages organizations to adopt a strategy to mitigate operational, legislative, and reputational risks to avoid significant incidents.
Security incidents will likely encourage a conversation around what technology options there are and how to be more proactive with unresponsive vendors in a particular area, Clemmons said. But it all depends on the maturity of a school’s security program.
There’s an appetite for in-house chief information security officers, or CISOs, in higher education. “You might see three or four institutions sharing a CISO,” or some outsource their security chiefs, Clemmons said. In responding to a security incident, unless an institution has experienced it, “it can be challenging to know what to do.”
BlueVoyant analyzed 30 institutions in Wisconsin, including the University of Michigan, Stanford University, and Fox Valley Technical College. This subset of the research was used to showcase the diversity in the higher education sector, including those with large legacy networks, large student bodies, and community colleges with “more varied and dedicated online programs and services,” according to the report.
All 30 schools had evidence of torrenting on their networks, a method for sharing large files from other devices over the internet. All 30 schools also had unsecured ports, with at least three-quarters having open remote desktop ports.
The security gaps are the most apparent weaknesses for the top threats: ransomware and data breaches. Between the two threats, which are often paired, schools face similar supply chain issues or vulnerabilities as companies.
In May 2020, cloud provider Blackbaud was hit by the AKO ransomware gang. The company stopped the hack before encryption began, but not before some of its customers, including education institutions, healthcare organizations, and nonprofits, may have been affected, such as:
Higher education institutions involved in COVID-19 vaccine research were subject to nation-state activity, according to the report. Russia-based Cozy Bear and Iran-based Scholar Kitten were identified as threats to the sector last year. At least five nation-state campaigns targeting universities have been identified in the previous two years, though researchers expect the actual number to be more significant.
According to an analysis by Cybersecurity Dive, before the Department of Justice and international law enforcement agencies disrupted NetWalker ransomware operations in January, the strain was linked to at least four higher education ransomware attacks in 2020.
NetWalker’s targets, the University of California San Francisco School of Medicine, paid hackers $1.14 million. The school defended the payout, saying the related data was essential to “the public good.”