If bad weather serves as an unpleasant reminder to fix a leaky roof, then COVID-19 has been something of a perfect storm for colleges and universities. As we uncovered in our recent Education Cybersecurity Threat Index, the pandemic has made addressing cybersecurity weaknesses an urgent operational necessity in higher education. Between the changing nature of how education is delivered, and emboldened threat actors, higher ed now faces an unprecedented threat level.
Indeed, according to a report by Checkpoint, the number of attacks on educational institutions has grown faster than in any other sector: a 30 percent increase compared to a 6.5 percent increase across all industries in July and August. Microsoft Security Intelligence found similar, with 62.8 percent of almost 9.4 million malware encounters reported in the last 30 days detected in the education sector.
While the move to remote learning is an obvious culprit for this dramatically increased threat level, it's not the only cause for concern. Higher education institutions were already vulnerable before COVID-19; the rise in remote learning has only exacerbated existing problems.
Most Students and Faculty in Higher Education Institutions Are Ill-Informed About Cyber Threats
One of the most worrying cybercrime trends which emerged during the COVID-19 pandemic was an explosion in ransomware attacks. According to Bitdefender, the number of detected ransomware attacks, which paralyze victims' systems or threaten to release confidential information until they pay a ransom, has increased by 715 percent compared to the same period last year.
Because higher education institutions have a low tolerance for downtime, store vast amounts of student and staff personal information, and keep valuable research data on file, they’re particularly vulnerable to this kind of cybercrime. As thousands of students and staff now connect to educational networks remotely, COVID-19 has made breaching higher education networks even easier for threat actors. However, even as the threat level rises dramatically, many higher education faculty remain regrettably unaware.
Indeed, in our Education Cybersecurity Threat Index, we found that only 13 percent of educators feel ransomware poses the most significant threat as they move to online learning. Furthermore, only 54 percent of educators at such institutions report being familiar with the concept of ransomware itself. In contrast, 30 percent have only heard the term and 16 percent do not know about ransomware at all. Not surprisingly, research shows that only a fraction of educators know what to do when they click on a phishing email or in the event of a ransomware attack.
This could have something to do with the fact that most educators haven't received proper cybersecurity training. Our study found that only 58 percent of educators in higher education institutions were warned about ransomware's specific dangers by their institutions.
Higher Education Institutions Are Falling Victim to Ransomware
In every industry, victims are understandably reluctant to disclose that they have fallen prey to a successful ransomware attack and paid a ransom. In this respect, higher education is no exception. A poll of 103 higher education institutions in the UK saw 35 universities admitting to being attacked by ransomware in the past five years, but none owned up to having paid a ransom while 43 refused to answer. Ransomware attacks that become public knowledge are likely only the tip of an iceberg.
In June of this year, the University of California San Francisco (UCSF) paid $1.14 million in Bitcoin to recover School of Medicine data that's important to some of the university’s academic work. Similarly, in July, a ransomware attack shut down many of New York City-based Monroe College's systems, leaving students, staff, and faculty unable to access the college's learning management system, email, and website. The attackers demanded $2 million in Bitcoin. And, near the end of August, the University of Utah paid almost half a million dollars to recover data following a ransomware attack.
This points to a worrying trend where cybercriminals are recognizing the premium colleges and universities place on student data and demand large ransoms when their attacks are successful. Recently, there have also been reports of cybercriminals requesting two separate ransoms: one for a decryptor and one for not publishing sensitive data online.
Higher Education Cybersecurity Measures Are Often Lacking
Despite being subject to a relentless onslaught from cybercriminals, colleges and universities are often among the least prepared to prevent and deal with cyberattacks. This is due to several reasons. Firstly, colleges and universities, especially those reliant on public funding, may struggle to find the budgetary resources for adequate cybersecurity. With reduced student tuition this year, fiscal constraints are set to become an increasingly important issue.
Higher education networks are also vulnerable by nature. Educational institutions need to be accessible to their students. Consequently, they run networks that are accessed by thousands of users, many of whom lack adequate security awareness or use insecure devices. Despite being considered "digital natives," students are frequently unaware of even the most basic cybersecurity practices. Accordingly, more than 30 percent of higher education breaches are likely due to students falling victim to email scams, misuse of social media, or other careless activity.
Our Education Cybersecurity Threat Index uncovered that only 30 percent of higher education staff and faculty use an antivirus to protect themselves from potential attacks. Furthermore, only 29 percent of educators at this level are using VPNs to encrypt their activities, which is concerning as many higher education institutions rely on third-party apps that could be exploited by bad actors. In our survey, 69 percent of educators said they use video conferencing tools like Zoom and Google Meet, applications which are vulnerable to threat actors.
While the COVID-19 pandemic has highlighted existing weak points, shoring up higher education cybersecurity is not a matter of applying bandages by deploying more ineffective AV solutions.
With so many vulnerable endpoints, a growing threat level, and a lack of security awareness among students and faculty, institutions need to take a proactive approach to higher education cybersecurity. The most effective cybersecurity practices for colleges and universities combine security awareness training for students, faculty, and staff with prevention-first cybersecurity solutions like moving target defense.
Balancing a need for increased cybersecurity with greater educational access is no mean feat. However, with more at stake than ever, there are no marks for effort when it comes to protection.