Dive Brief:
- Ransomware is the top security threat at higher education institutions, according to a new report from cybersecurity services firm BlueVoyant. The research was based on open-source data, including an automated analysis of threat searches across thousands of colleges worldwide.
- Ransomware attacks on colleges doubled from 2019 to 2020, costing an institution $447,000 on average. Clop, Ryuk, NetWalker and DoppelPaymer were the primary ransomware families targeting education institutions.
- Data breaches accounted for half of the security incidents colleges dealt with in 2019, according to the report. Nation-state activity leading to data theft impacted more than 200 institutions over the last two years, it found.
Dive Insight:
The pandemic ramped up the adoption of laptop, smartphone and tablet use within colleges and universities. While higher education has long permitted a degree of remote work, the pandemic "challenged the boundary" of stable security, said Raechelle Clemmons, a former college chief information officer and now the vice president of industry relations at the Tambellini Group, a higher education technology analyst firm.
"Information security and higher ed has been somewhat tactical," Clemmons said. "There's a lot more thinking towards sort of risk registers, and what is our risk tolerance as an organization."
Educause named information security the top higher ed IT issue for 2020. "To rely on perfect behavior from perfectly informed end-users using perfectly safeguarded systems, devices, and networks is … perfectly foolish. And yet we do," the ed tech advocacy group said in its report.
To avoid large incidents, it encourages organizations to adopt a strategy based on mitigating operational, legislative and reputational risk.
Security incidents will likely encourage a conversation around what technology options there are, and how to be more proactive with vendors who are unresponsive in a certain area, Clemmons said. But it all depends on the maturity of a school's security program.
There's an appetite for in-house chief information security officers, or CISOs, in higher education. "You might see three or four institutions sharing a CISO," or some outsource their security chiefs, Clemmons said. In responding to a security incident, unless an institution has experienced it before, "it can be challenging to know what to do."
BlueVoyant analyzed 30 institutions, including the University of Michigan, Stanford University and Fox Valley Technical College, in Wisconsin. This subset of the research was used to showcase the diversity in the higher education sector, including those with large legacy networks, large student bodies and community colleges with "more varied and dedicated online programs and services," according to the report.
All 30 schools had evidence of torrenting on their networks, a method for sharing large files from other devices over the internet. All 30 schools also had unsecured ports, with at least three-quarters of the schools having open remote desktop ports.
The security gaps are the most obvious weaknesses for the top threats: ransomware and data breaches. Between the two threats, which are often paired, schools are faced with similar supply chain issues or vulnerabilities as are companies.
In May 2020, cloud provider Blackbaud was hit by a ransomware attack. The company stopped the hack before encryption began, but not before some of its customers, including education institutions, healthcare organizations and nonprofits, may have been affected, such as:
- West Virginia University Foundation
- Valley City State University
- University of Bridgeport
- University of North Dakota Alumni Association and Foundation
- Minot State University Development Foundation
Higher education institutions involved in COVID-19 vaccine research were subject to nation-state activity, according to the report. Russia-based Cozy Bear and Iran-based Scholar Kitten were identified as threats to the sector last year. At least five nation-state campaigns targeting universities have been identified over the last two years, though researchers expect the true number to be greater.
Before the Department of Justice and international law enforcement agencies disrupted NetWalker ransomware operations in January, the strain was linked to at least four higher education ransomware attacks in 2020, according to an analysis by Cybersecurity Dive.
One of NetWalker's targets, the University of California San Francisco School of Medicine, paid hackers $1.14 million. The school defended the payout, saying the related data was of importance to "the public good."
Correction: In a previous version of this article, the cyberattack on Blackbaud was incorrectly attributed to AKO ransomware operators. There has been no attribution to a specific actor in the Blackbaud incident.