How Does K-12, Higher Education Fare In A Ransomware Attack?
Ransomware is a high concern for universities, colleges and K-12 schools and districts. But, globally, education may face a somewhat more promising picture than other sectors, according to a recent Sophos report that surveyed 31 countries. Respondents included 5,600 IT professionals, of which 730 were from education organizations.
Worldwide, 64 percent of organizations in higher education and 56 percent in lower education suffered ransomware attacks in 2021 — less than the 66 percent global average, Sophos found. Schools also were less likely to see an increase in threats: 57 percent of organizations across sectors said 2021 brought a greater volume of cyber attacks, while just 53 percent of higher ed and 47 percent of lower ed said the same.
Lack of consistent reporting requirements prevents a precise picture of trends in the U.S., said Amy McLaughlin, cybersecurity subject matter expert for the Consortium of School Networking (CoSN), a K-12 professional association and advocacy group. Still, “a good number” of K-12 school districts she’s worked with have experienced at least a small-level ransomware incident.
“And even if a district hasn’t actually experienced a bigger ransomware event, they all know somebody who has,” McLaughlin told Government Technology*.
In higher ed, ransomware tends to be opportunistic and financially motivated, said Kim Milford, executive director of the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC), which serves higher education and research institutions.
Since January 2022, REN-ISAC saw more than 20 ransomware attacks against U.S. higher education that were significant enough to make the news, and many more likely went unannounced, Milford told GovTech. Notable ransomware groups conducted several of these: BlackCat (reportedly behind attacks on Florida International University and the University of North Carolina A&T), LockBit (allegedly also responsible for attacking Italy’s tax agency and a Canadian town) and Vice Society (which allegedly struck Austria’s Medical University of Innsbruck in June).
Elusive Cyber Staff
Limited funds leaves K-12 districts struggling to make some cybersecurity investments or pay competitive cybersecurity salaries, McLaughlin said. CoSN’s most recent survey found a quarter of district respondents had a dedicated cybersecurity employee. Others might add cybersecurity to a staff members’ other duties or get part-time help from a virtual CISO. IT leaders also still struggle to get included in districts’ leadership cabinets and get cybersecurity seen as an organization-wide concern.
Virtual CISOs are also drawing more attention from smaller higher ed institutions, according to Brian Kelly, director of the Cybersecurity Program for EDUCAUSE, a nonprofit focused on higher education IT. And while Milford said cyber staffing ranges widely from small community colleges to more deep-pocketed universities, competitive salaries are a common problem.
“Higher ed has been bleeding experienced cybersecurity experts to private industry,” Milford said.
That talent gap hinders institutions’ ability to conduct threat hunting and other manual labor-intensive, but important, cybersecurity practices, Milford said.
University and college campuses conduct a broad array of activities, meaning criminals have plenty of systems to target.
“Higher ed is like a small city,” Kelly told GovTech. “We’ve got all the risks everyone else has — whether they’re in financial services or health care, energy sectors — many of our EDUCAUSE members on campus have all of those things. They might have a medical school or hospital. Ohio State … they had a nuclear reactor on campus.”
And Milford said institutions with many systems often try to simplify user experiences with single or reduced sign-ons, which let staff and students use the same IDs and passwords to access different systems like email and student resources, HR or facilities, for example. But this is also an opportunity for criminals who steal logins to one service to then try to work their way into more sensitive parts of an organization.
Attackers can also pressure higher education by attacking at key times such as during finals or at the start of semester, when even two days of website downtime may be intolerable, Milford said. Today’s campuses rely on digital services for everything from homework to conducting tests and accessing student grades.
“If they’re locked up, the school’s probably going to have to pay to get resources back,” she said.
Higher Ed Pays, K-12 Resists?
Globally, 46 percent of organizations across sectors paid ransoms last year, according to Sophos. Higher education showed an above average rate of payment — 50 percent did so — while lower ed was slightly less likely to pay, with 45 percent doing so.
This latter figure jarred with McLaughlin’s experience in K-12: “I have not actually heard of very many organizations paying … it’s not consistent with what I’ve heard or seen,” though victims may also be reluctant to admit to paying, she said.
Instead, many districts emphasize building resilience and defenses through strong data backup and device management strategies, McLaughlin said.
Some states ban public entities from paying ransomware extortion, with North Carolina’s law restraining local school organizations and community colleges. This wouldn’t bind private universities, however.
Indeed, Milford said paying was “fairly common” in higher ed and that many institutions recover the ransom by working with the federal government or cyber insurance providers.
Recovery and Restoration
Victims have plenty of recovery work to do, even if they pay ransom. Sophos reported that lower education respondents worldwide recouped 62 percent of data after paying, while higher education recouped 61 percent. This was on par with global averages, but less than the 68 percent of data education entities got back in 2020.
And 26 percent of global lower education respondents and 40 percent of higher education ones said it took them more than a month to recover.
Kelly painted a somewhat brighter picture, saying most higher ed institutions he’d spoken with recovered most or all of their data post-incident. Anecdotally, a three- to four-week timeline to recover and clean up systems was “probably realistic,” he said. Milford said it can take months for repair, recovery and improving defenses.
Organizations victimized by ransomware often need to shut down systems to limit the malware’s spread and ensure they’ve purged the threat before bringing systems back online, Kelly said. Another wrinkle, Milford said, is that university systems often must be restarted in a particular order, and each one needs its defenses improved and updates applied before going back online.
In K-12, McLaughlin said timelines can vary widely depending on organizations’ setups and the extent of the attacks. A district may take systems offline for a couple days of cleanup or may spend months working behind the scenes to avoid service disruptions.
Globally, the education sector was among the least likely to secure ransomware insurance but most likely to see claims paid once they did, Sophos found. Eighty-three percent of organizations across sectors had cyber insurance that covered ransomware, compared to 78 percent of education entities. But among this latter group, insurers paid some costs on 100 percent of higher ed’s ransomware claims and 99 percent of lower education’s.
Those figures varied in the U.S., with McLaughlin saying a 2021 CoSN survey found 81 percent of K-12 respondents had some level of cyber insurance. In higher ed, Milford heard anecdotally that almost 50 percent of institutions had cyber insurance, while Kelly estimated more than 70 percent of EDUCAUSE members had cyber plans.
Those plans may not all cover ransomware: Kelly said policies increasingly include carveouts for this attack.
Education, like other sectors, is seeing cyber insurance become harder to qualify for and costlier to obtain, and concerns are rising over claims denials.
Speaking from personal experience, Milford said it takes “considerable effort” to fill out insurers’ application questionnaires. McLaughlin advised districts to ensure they assign or hire someone with the expertise to fully understand what the applications are asking — or else insurers may say districts misrepresented themselves and reject claims.
Schools often want to improve cybersecurity, in part to qualify for more coverage and lower premiums, and insurers often want to help guide them. But there can be painful transition periods.
“The challenge is that while you’re investing in those things, your insurance costs are also going up,” McLaughlin said. “So, it becomes a resource challenge to have enough funds to do the things you need to do and still pay for insurance.”
Milford spoke similarly: “[Insurers] will tell you exactly what you need to get that full coverage. But then if you get hit before you have the full coverage in place, you’re still at risk.”
Self-insurance hasn’t taken off as an alternative. Most K-12 districts couldn’t handle a major out-of-pocket cost coming in all at once, should ransomware strike, McLaughlin said. And in higher ed, self-insurance’s few adoptees tend to just be large institutions where the “campus is a small city,” Milford said.
*Government Technology is a sister site to Governing. Both are divisions of e.Republic.