The ransomware epidemic has affected and continues to affect all industries, including healthcare, manufacturing and finance. Since 2020, however, the education industry has been targeted as much as or more than any other sector. Indeed, approximately 23 percent of the 1,250+ data security incidents that BakerHostetler helped clients manage over the past year involved educational institutions – the highest percentage of any business sector.
It should not come as a surprise that cyber criminals are targeting educational institutions. First, educational institutions – especially colleges and universities – generally maintain a treasure trove of personal information about students and employees, as well as sensitive research data that they might be willing to pay threat actors not to post on the dark web. Moreover, educational institutions operate on strict timelines and can often ill afford to cancel classes for days or weeks at a time. As such, when faced with the choice of paying a ransom or risking being unable to hold classes or process student/applicant/donor information for several days or weeks, educational institutions often choose the path of least resistance and pay the ransom. In fact, a recent report issued by Sophos, The State of Ransomware in Education 2021, found that the education sector has the third-highest rate of ransom payment (35 percent), behind energy, oil/gas and utilities (43 percent) and local governments (42 percent). Last, and perhaps most significant, educational institutions often utilize numerous public-facing systems, have large numbers of users who access their networks, and do not have robust cybersecurity defenses in place, thus making them easier targets than entities in many other sectors.
There are several measures that educational institutions (or any entity, for that matter) can and should take to protect themselves against cyberattacks. Among other things, they should: (a) implement multifactor authentication for all users; (b) implement password complexity/rotation requirements; (c) regularly patch software and systems; (d) provide regular and frequent cybersecurity training to employees; (e) utilize enhanced endpoint threat protection and detection solutions; and (f) maintain air-gapped backups of critical systems.
Although these proactive measures can significantly reduce the likelihood that an entity will be victimized by a cyberattack, it is impossible for an entity to completely immunize itself from such an incident. Educational institutions are well served to accept the cliché that it is not a question of if they will experience a ransomware attack, but rather when. Recognizing that it is only a matter of time before they are faced with a ransomware incident, it is vital that educational institutions develop comprehensive incident response plans. In this series, we address several issues related to the incident response process that educational institutions should consider in advance of a ransomware incident and address in their incident response plans.