In June 2020, the University of California, San Francisco announced it had paid a $1.14 million ransom to a hacker who took over several servers at its medical school. Two months later, University of Utah officials spent $457,000 to prevent cybercriminals from spreading confidential student, faculty, and staff data. Since then, multiple institutions — from regional community colleges to Howard University — have dealt with the financial toll of canceled classes, data leaks, and network outages caused by cyberattacks.
These incidents are no longer considered anomalies — nearly half of all higher education institutions worldwide reported being targeted by similar attacks last year, according to a recent survey by the cybersecurity firm Sophos. Between 2019 and 2020, cyberattacks targeting colleges and universities increased 100 percent, according to an analysis by the cybersecurity services company BlueVoyant.
Known as ransomware attacks, these incidents involve hackers using malicious software to block an organization’s access to its own computer system unless officials provide a financial payout. In some cases, attackers also threaten to publish personal data. Of the institutions that were targeted last year, 58 percent said the criminals were successfully able to encrypt their data, rendering it inaccessible to information technology (IT) administrators.
Hackers are often able to gain entry to a system through email phishing scams, BlueVoyant reports. Even worse is the fact that students tend to use simple passwords that are easy to compromise. Additionally, institutions often put themselves at risk by using third-party software that is more susceptible to data breaches. Several — including Harvard Business School, the University of Miami, and the University of Colorado system — fell prey to a cyberattack when the filesharing company Accellion Inc. was hacked in July 2021. In September, Blackbaud, a cloud-based service provider used by many higher education institutions to manage alumni and donor databases, announced that hackers had gained access to its customer data, including Social Security numbers and banking information.
Between 2019 and 2020, cyberattacks targeting colleges and universities increased 100 percent, according to an analysis by the cybersecurity services company BlueVoyant.
The FBI’s Cyber Division determined in March 2021 that the extreme vulnerability of educational institutions to these cybercrimes was serious enough to warrant an advisory notice. The notice states that colleges, universities, and K-12 schools are particularly at risk due to the vast amount of sensitive information stored on their networks. The FBI urged campus officials not to cave to hackers’ demands, as such a response may “embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”
With the private information of thousands of students and employees subject to compromise, many feel they have no choice but to pay up. Schools that do make ransom payments can expect to experience demands, on average, of close to $115,000, according to the Sophos survey. When the additional cost of network outages for higher education institutions is factored in, that price skyrockets to $2.73 million on average — the highest of any industry.
Furthermore, paying ransom is not a guarantee that data will be fully returned; 35 percent of schools surveyed said they handed over money to their attackers, but only 68 percent of those had their data restored.
“This is an industry that has had to rapidly pivot to online learning, changing their standard methods of learning, practically overnight,” Jim Rosenthal, co-founder and CEO of BlueVoyant, said in a statement. “The education sector is also under huge financial and regulatory pressure. Threat actors know that there are vulnerabilities to be exploited, and they are taking advantage of these vulnerabilities at every opportunity — making it an imperative for universities to adopt a solid cybersecurity threat posture to ensure that the wealth of sensitive data is properly defended against adversaries.”
To thwart the success of attempted attacks, the FBI and other experts advise that university officials implement more robust security measures, such as using multifactor authentication, regularly updating software and systems, and providing training to students and staff. For many institutions, this effort may require directing more funding toward campus IT offices.
Some schools may be forced to take these measures in order to comply with new requirements from the U.S. Department of Education’s Federal Student Aid Office. In December 2020, the office released a memo announcing it would be forming a Campus Cybersecurity Program over the next several years that will assess whether Title IV institutions are properly protected. While specific guidelines have yet to be released, schools that fail to meet federal standards could potentially lose their Title IV designation, costing them significant funding and taking away their ability to distribute financial aid. This loss could have devastating effects on students, especially those from underrepresented groups.
Not all institutions are financially prepared to make costly security updates, especially while recovering from the tremendous economic impact of the COVID-19 pandemic. In fact, in a May 2020 survey by the nonprofit Educause, most reported they planned to reduce their IT budgets by 5 to 30 percent.
In response, the nonprofit organization Student Freedom Initiative (SFI), a public charity dedicated to reducing the financial stress experienced by students at historically Black colleges and universities (HBCUs), has partnered with technology corporation Cisco to ensure that these institutions do not lose their Title IV status. Cisco committed $100 million to SFI to improve the networking, security, and collaboration technologies at HBCUs. The partnership began with nine schools and expanded to include another 37 when the United Negro College Fund joined this effort in May of this year.
“We are thrilled to welcome Cisco and AVC Technologies as strategic partners for SFI in addressing the digital divide faced by our HBCUs,” said Robert F. Smith, chairman of SFI, in a press release. “Their expertise and generosity will ensure that HBCUs are secure and robust institutions that empower Black students.”
The increased use of new technologies over the past year has demonstrated that cybersecurity must be a top priority for colleges and universities in the future. Experts at companies such as Sophos recommend that schools should assume they will be hit by a ransomware attack, develop action plans for how to respond in advance to avoid major disruptions, and safeguard important data. ●
Lisa O’Malley is the assistant editor of INSIGHT Into Diversity.
This article was published in our January/February 2022 issue.