How Are K-12 and Higher Education Faring Against Ransomware?

Higher ed’s complex array of systems creates a large attack surface, and institutions are likely to pay ransom. Meanwhile, K-12 schools struggle with cyber staffing but more often resist extortion, a global report finds.

Ransomware is a high concern for universities, colleges and K-12 schools and districts.

But globally, education may face a somewhat more promising picture than other sectors, according to a recent Sophos report that surveyed 31 countries. Respondents included 5,600 IT professionals, of which 730 were from education organizations.

Worldwide, 64 percent of organizations in higher education and 56 percent in lower education suffered ransomware attacks in 2021 — less than the 66 percent global average for all targets, Sophos found. Schools were also less likely to see an increase in threats: 57 percent of organizations across sectors said 2021 brought a greater volume of cyber attacks, while just 53 percent of higher ed and 47 percent of lower ed said the same.

Lack of consistent reporting requirements prevents a precise picture of trends in the U.S., said Amy McLaughlin, cybersecurity subject matter expert for the Consortium of School Networking (CoSN), a K-12 professional association and advocacy group. Still, “a good number” of K-12 school districts she’s worked with have experienced at least a small-level ransomware incident.

“And even if a district hasn’t actually experienced a bigger ransomware event, they all know somebody who has,” McLaughlin told Government Technology.

In higher ed, ransomware tends to be opportunistic and financially motivated, said Kim Milford, executive director of the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC), which serves higher education and research institutions.

Since January, REN-ISAC saw more than 20 ransomware attacks against U.S. higher education that were significant enough to make the news, and many more likely went unannounced, Milford told GovTech.

ELUSIVE CYBER STAFF
Limited funds leave K-12 districts struggling to make some cybersecurity investments or pay competitive cybersecurity salaries, McLaughlin said. CoSN’s most recent survey found a quarter of district respondents had a dedicated cybersecurity employee. Others might add cybersecurity to a staff member’s other duties or get part-time help from a virtual chief information security officer (CISO).

Virtual CISOs are also drawing more attention from smaller higher ed institutions, according to Brian Kelly, director of the Cybersecurity Program for EDUCAUSE, a nonprofit focused on higher education IT. And while Milford said cyber staffing ranges widely from small community colleges to more deep-pocketed universities, competitive salaries are a common problem.

EDUCATION’S RISKS
University and college campuses conduct a broad array of activities, meaning criminals have plenty of systems to target.

“Higher ed is like a small city,” Kelly told GovTech. “We’ve got all the risks everyone else has — whether they’re in financial services or health care, energy sectors — many of our EDUCAUSE members on campus have all of those things. They might have a medical school or hospital. Ohio State … they had a nuclear reactor on campus.”

And Milford said institutions with many systems often try to simplify the user experience with single or reduced sign-on, which lets staff and students use the same IDs and passwords to access different systems, such as email and student resources, HR or facilities. But this is also an opportunity for criminals: once they steal logins to one service, they can try to work their way into more sensitive parts of the organization.

HIGHER ED PAYS, K-12 RESISTS?
Globally, 46 percent of organizations across sectors paid ransom last year, according to Sophos. Higher education showed an above-average rate of payment — 50 percent — while lower ed was slightly less likely to pay, with 45 percent doing so.

This latter figure jarred with McLaughlin’s experience in K-12: “I have not actually heard of very many organizations paying. … It’s not consistent with what I’ve heard or seen,” though victims may be reluctant to admit to paying, she said.

Instead, many districts emphasize building resilience and defenses through strong data backup and device management strategies, McLaughlin said. Some states ban public entities from paying ransomware extortion.

Indeed, Milford said that paying was “fairly common” in higher ed and that many institutions recover the ransom by working with the federal government or cyber insurance providers.

RECOVERY AND RESTORATION
Victims have plenty of recovery work to do, even if they pay ransom. Sophos reported that lower education respondents worldwide recouped 62 percent of data after paying, while higher education recouped 61 percent. This was on par with global averages, but less than the 68 percent of data education entities got back in 2020.

And 26 percent of global lower education respondents and 40 percent of higher education ones said it took them more than a month to recover. Kelly painted a somewhat brighter picture, saying most higher ed institutions he’d spoken with recovered most or all of their data post-incident. Anecdotally, a three- to four-week timeline to recover and clean up systems was “probably realistic,” he said.

In K-12, McLaughlin said, timelines can vary widely depending on organizations’ setups and the extent of the attacks. A district may take systems offline for a couple days of cleanup or may spend months working behind the scenes to avoid service disruptions.

CYBER INSURANCE
Globally, the education sector was among the least likely to secure ransomware insurance but the most likely to see claims paid once it did, Sophos found. Eighty-three percent of organizations across sectors had cyber insurance that covered ransomware, compared with 78 percent of education entities. But among this latter group, insurers paid some costs on 100 percent of higher ed’s ransomware claims and 99 percent of lower education’s.

Those figures varied in the U.S., with McLaughlin saying a 2021 CoSN survey found 81 percent of K-12 respondents had some level of cyber insurance. In higher ed, Milford heard anecdotally that almost 50 percent of institutions had cyber insurance, while Kelly estimated more than 70 percent of EDUCAUSE members had cyber plans.

Education, like other sectors, is seeing cyber insurance become harder to qualify for and costlier to obtain, and concerns are rising over claims denials.

Schools often want to improve cybersecurity, in part to qualify for more coverage and lower premiums, and insurers often want to help guide them. But there can be painful transition periods.

“The challenge is that while you’re investing in those things, your insurance costs are also going up,” McLaughlin said. “So it becomes a resource challenge to have enough funds to do the things you need to do and still pay for insurance.”

*This article first appeared in Government Technology, a sister publication of Industry Insider — Texas. The Center for Digital Government is part of e.Republic, parent company to all.

Jule Pattison-Gordon is a staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.

Andrew Adams is a data reporter for Government Technology. He holds a bachelor’s degree in communication from the Illinois Institute of Technology and a master’s degree in public affairs reporting from the University of Illinois Springfield.