While doing some research about the state of cybercrime in the education sector, I came across the recent story of a historical U.S. college closing its doors following a ransomware attack.
I was surprised by how much cybercrime is affecting schools and colleges, the financial losses it‘s causing, not to mention the frustration among administrators, students, and parents alike.
Let’s Take a Look at Some of the Facts
- According to Microsoft, the education sector has reported the largest proportion (~83%) of all malware encounters over the last 30 days (Data from June 13), compared to other verticals.
- Perhaps it’s not too surprising, but ransomware is leaving some lasting effects on schools and colleges with:
- 222 separate ransomware attacks
- ~4,000 individual schools impacted
- 3 million students affected
- Financial losses vary per organization but they are always significant:
- On average, each school spent $960k recovering from ransomware
- Ransomware payment requests went from $5k to $40 million (recent examples shown below).
- When we count the losses, we need to add downtime to the mix:
- Schools and colleges spent almost 10,000 days recovering from ransomware
- In 2020, schools were closed for an average of 7 days due to a cyberattack
- Each school/college spent about 60 days recovering from a cyber attack.
- Ransomware payments vary greatly depending on the institution:
Why Is This Happening Now?
There are a few reasons why.
First, cybercriminals have perfected the ransomware business model, where the victim is also their buyer. There is no need to monetize their operations on the dark web or go through complex alliances to become lucrative. The victim has consistently been the party most invested in getting their (often) encrypted data back and they are willing to pay the price.
More on the vicious cycle of ransomware here.
Second, the education sector has long underinvested in cybersecurity—including protection and defense mechanisms—which puts them in a particularly vulnerable position. Not enough investment makes them an easy (if not the easiest?) target of all. Also, other industries like the financial sector, retail, and healthcare have invested in cybersecurity. Cybercriminals are opportunistic and, like lions that relentlessly hunt the weakest member of the herd, will choose a target where they can conduct their operations quickly and easily.
Third, a large attack surface. Any small school or college has at least 1000 assets between administrators, teachers, and students. Larger colleges can have up to 100,000 assets to protect and monitor. This is an attack surface as large as a major corporation but with the budget of a small or medium-sized business. To add to this, there are many bring-your-own devices entering and exiting colleges’ network perimeters. Unfortunately, cybercriminals know this and they thrive in scenarios where protection is low, the attack surface is large, and the pressure to stay operational is very high.
Where Do We Go From Here?
Advising organizations to build a cybersecurity stack similar to a large corporation is not only unrealistic but also ineffective.
We often advise organizations to focus on a few pillars that really make a difference. What we have seen work the best is:
- Increase Your Visibility: Have the most possible visibility of your current attack posture. This means that any time one of your assets (endpoints, phones, printers, cameras, or anything connected to the network) is in contact with infrastructure from the adversary, you are alerted immediately. This does not only help organizations react quickly to things actually happening but also tells you exactly how the adversary is getting in so you can reinforce your protection accordingly.
- Couple Visibility with Automation: This combination gives educational institutions a cost-effective way to have a managed detection and response solution.
- Don’t Disregard the Summer or Holiday Breaks: The Summer, end-of-year period presents a great window of opportunity for cybercrime in the education sector. Many organizations lower their guard or delay the deployment of defense technology when we should do the opposite.
In Conclusion
We know this is not the most encouraging of posts but it is critical to know what we are dealing with, why it is happening, and what our options are. The time to prioritize protection and defense mechanisms is right now. Containing the impact of cybercrime in the education sector is our best bet and in cybersecurity, timing is everything.