Tackling Ransomware’s Grip on Education

Educational institutions are facing a crisis. Over a short period of time, K-12 schools and universities became heavily reliant on technology. From online classes to managing student records, digitization is being embraced to enhance learning experiences and increase administrative efficiency. However, digital transformation comes at a cost – exposing these organizations to cyber threats.

From an outside perspective, schools don’t seem like high-value targets. Many have small operating budgets compared to enterprises, meaning they can’t pay a multimillion-dollar ransom. While universities hold valuable research, K-12 schools offer little IP worth stealing. So why is it that the education sector experienced 44% more cyberattacks in 2022 than in 2021?  

The truth is that schools hold vast amounts of sensitive student data yet lack the cybersecurity resources to protect that data adequately. That contradiction is the root of the problem. On average, educational institutions allocate less than 8% of their IT budgets to cybersecurity measures, with almost 20% spending less than 1%. Such minimal budgets leave organizations exposed and vulnerable – a situation hackers are happy to exploit, most often with ransomware.

Ransomware Against Schools: A Triple Payday

Ransomware has emerged as a favorite attack method for threat actors, accounting for over 30% of all breaches against schools. These attacks are often launched through phishing scams; while some teachers and administrators are acutely aware of the dangers attachments can hold, most are not, and neither are school-aged children, so education institutions are full of easy targets.  

A ransomware attack against a school uniquely offers a triple payday opportunity. In addition to double extortion, in which companies must pay once for an encryption key and a second time to ensure data won’t be leaked, threat actors who attack schools can add a third layer by threatening students’ families unless they pay up.  

Educational Institutions: Data-Rich, Resource-Poor Targets

School districts and universities have evolved into data hubs, creating a treasure trove for malicious actors and a nightmare scenario for everyone in the education system – students, teachers, administrators, and IT and security teams.

We’ve already seen how minor security budgets are problematic, but additional statistics from the Multi-State Information Sharing and Analysis Center report offer critical insights into why this sector is experiencing so many attacks.

Nearly 40% of K-12 organizations lack a cybersecurity response plan. A comprehensive cybersecurity response plan can minimize damage, reduce recovery time, and aid in preserving the institution’s integrity and financial stability. Without a response plan, schools can face extended operational disruption. Online classes, e-learning platforms, teachers’ lesson plans, and other digital resources can become inaccessible, impeding student progress and educational outcomes.

Almost a third of institutions don’t require MFA for any systems. MFA introduces an additional layer of security that isn’t easy to bypass, making it a simple yet powerful defensive tool against phishing attacks and ransomware. MFA can also act as an early warning system. If a user receives an MFA prompt for an action they didn’t initiate, it could indicate unauthorized access and provide an opportunity to stop an attempted attack.
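The "early warning" value of MFA described above only materializes if someone is looking at the prompt outcomes. The following is an added example, not code from the original article, showing the detection logic over a few constructed authentication log lines: it flags any user who denies or ignores several MFA prompts within a short window, which is the signal that a password may already be in an attacker's hands. The log format, field names and thresholds are assumptions for the example.

```python
"""Flag users with repeated denied or unanswered MFA prompts (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log, not from any real identity provider.
# Each line: ISO-8601 timestamp, user, event type, prompt result.
SAMPLE_LOG = """\
2023-09-04T07:58:12Z alice mfa_prompt approved
2023-09-04T08:01:44Z bob mfa_prompt denied
2023-09-04T08:02:10Z bob mfa_prompt denied
2023-09-04T08:02:55Z bob mfa_prompt denied
2023-09-04T08:15:00Z carol mfa_prompt timeout
2023-09-04T09:40:21Z alice mfa_prompt approved
"""


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp (assumed format)."""
    ts, user, event, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "event": event,
        "result": result,
    }


def find_suspicious_mfa(log_text, threshold=2, window=timedelta(minutes=10)):
    """Return {user: count} for users who had at least `threshold` MFA prompts
    that were not approved (denied or timed out) inside any `window`-long span.

    A legitimate user occasionally mis-taps a prompt; a burst of prompts the
    user keeps rejecting is the pattern worth a help-desk call and a password reset.
    """
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]

    # Collect timestamps of non-approved prompts per user.
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_prompt" and e["result"] != "approved":
            per_user[e["user"]].append(e["ts"])

    alerts = {}
    for user, times in per_user.items():
        times.sort()
        # Sliding window: find the largest number of rejected prompts that
        # fall within `window` of each other.
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[user] = best
    return alerts


if __name__ == "__main__":
    for user, count in find_suspicious_mfa(SAMPLE_LOG).items():
        print(f"ALERT: {user} rejected {count} MFA prompts within 10 minutes")
```

With the sample data only `bob` is flagged (three denials in about a minute); `carol`'s single timeout stays below the threshold, which is the kind of tuning a small IT team needs so the alert queue stays short enough to act on.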

Half of all schools report their IT teams are understaffed. School districts encompass multiple schools and are responsible for thousands of students. With each school having its own systems plus district-wide systems, there’s no realistic way a small IT team, sometimes consisting of only one employee, can maintain and monitor such extensive infrastructure 24/7, let alone execute a response plan should an attack occur.

In essence, all three of these issues stem from financial constraints, but even with bigger budgets, as many universities have, expert cybersecurity professionals who could address security gaps and harden systems are in short supply.

The Urgent Need for Action

Just a few months ago, we witnessed one of the most significant ransomware breaches in history. At the end of May, Progress Software Corporation announced that attackers were exploiting a zero-day vulnerability in one of its products, MOVEit Transfer, a managed file transfer (MFT) solution. The threat actors, part of the Clop ransomware group, accessed the MOVEit Transfer databases and began stealing sensitive data. As of the beginning of August, over 600 organizations have been breached worldwide, with US universities and public schools accounting for at least a quarter of the victim pool. Progress Software immediately alerted customers and provided temporary mitigation steps, followed by a security patch within 48 hours.

Once the vulnerability was made public, additional hackers only had to use network scanners to find new victims. Companies with substantial security teams were able to spring into action. However, the education sector suffered disproportionately due to a severe lack of experts available to respond quickly.

The MOVEit breach isn’t the first time educational organizations were primary targets. In 2020, one of the most common cyber threats against K-12 schools was Shlayer. This trojan malware specifically targeted Mac systems, which are used by at least 70% of schools. The most successful initial infection vector for Shlayer was malvertisement, a type of attack involving malicious advertising to deliver malware. When Shlayer was coupled with ransomware, a school’s data became encrypted, forcing it to pay or lose its data.

Empowering Educational Institutions

To safeguard digital domains, educational institutions must prioritize cybersecurity measures. While budget constraints can be challenging, security solutions are not a luxury but a necessity.

Schools can significantly reduce their risk by following best practices, including holding regular cybersecurity awareness training and hardening systems by implementing security configurations that reduce the attack surface, making it more difficult for cybercriminals to exploit vulnerabilities. Organizations should also deploy endpoint detection and response (EDR) systems to monitor and respond to suspicious activities, web application firewalls (WAF) to protect web-facing applications, and DNS filtering to block malicious domains.
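Of the controls listed above, DNS filtering is the one a school can stand up with the least budget, and the part that is easy to get wrong is the matching rule: a blocklist entry for a domain must also cover its subdomains, names must be normalized before comparison, and there has to be a way to carve out exceptions. The following is an added example, not code from the original article or any particular DNS-filter product, with constructed blocklist entries and query-log lines; the list contents, log format and field layout are assumptions.

```python
"""Minimal DNS-filter decision logic with suffix matching (added example)."""

# Constructed sample lists for illustration only; these are not real indicators.
BLOCKLIST = {"malicious.example", "ads.example.net"}
ALLOWLIST = {"safe.malicious.example"}


def normalize(name):
    """Lower-case, strip a trailing dot, and IDNA-encode so that Unicode
    look-alike names compare in the same form the resolver would use."""
    name = name.rstrip(".").lower()
    try:
        name = name.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # leave un-encodable names as-is; they will simply not match
    return name


def parent_domains(name):
    """Yield the name itself, then each parent: a.b.c -> a.b.c, b.c, c."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def should_block(qname, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Return True if the query name or any parent domain is blocklisted.

    Candidates are checked from most specific to least specific, and the
    allowlist is consulted at each level first, so an allowlisted subdomain
    of a blocked domain is permitted while its siblings stay blocked.
    """
    for candidate in parent_domains(normalize(qname)):
        if candidate in allowlist:
            return False
        if candidate in blocklist:
            return True
    return False


# Constructed sample query log: client IP and queried name.
SAMPLE_QUERIES = """\
10.20.0.15 www.school-portal.example
10.20.0.15 cdn.malicious.example.
10.20.0.42 safe.malicious.example
10.20.0.42 tracker.ads.example.net
10.20.0.77 MALICIOUS.EXAMPLE
"""


def blocked_queries(log_text):
    """Return [(client, name)] for every query the filter would refuse."""
    blocked = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        if should_block(qname):
            blocked.append((client, normalize(qname)))
    return blocked


if __name__ == "__main__":
    for client, name in blocked_queries(SAMPLE_QUERIES):
        print(f"BLOCKED {client} -> {name}")
```

Logging the blocked pairs, rather than silently dropping them, is what turns the filter into a detection source: a single client repeatedly resolving blocklisted names is an early sign of an infection that the EDR or SOC should look at.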

While implementing these measures is crucial, monitoring them round-the-clock demands dedicated resources, which is where a Security Operations Center (SOC) comes into play. A SOC provider can offer a cost-effective solution for educational institutions with limited budgets. A SOC not only oversees and centralizes security solutions but also provides rapid incident response, threat hunting, and continuous 24/7 monitoring.

By adopting cybersecurity best practices, implementing security solutions, and partnering with a SOC provider, educational organizations can fortify their defenses and safeguard their operations and their students’ future.
