As Budgets Tighten, Colleges Still Vulnerable to Ransomware | Eastern North Carolina Now

Colleges and universities around the country are proving to be easy prey to hackers with ransom demands.

ENCNow
Publisher's note: The James G. Martin Center for Academic Renewal is a nonprofit institute dedicated to improving higher education in North Carolina and the nation. Located in Raleigh, North Carolina, it has been an independent 501(c)(3) organization since 2003. It was known as the John W. Pope Center for Higher Education Policy until early January 2017.

The author of this post is Matthew M. Robare.


    Colleges and universities around the country are proving to be easy prey to hackers with ransom demands. In Massachusetts, Cape Cod Community College was defrauded of $800,000 last year, while Colorado's Regis University paid an undisclosed amount to regain access to their files after a ransomware attack-and still did not get access back.

    Ransomware is a type of malicious software that, once it infects a computer system, allows attackers to lock out victims until they pay a ransom to regain access. With budgets getting tighter for public and private colleges in the wake of the coronavirus, funding IT security could slip through the cracks.

    In many ways, a college is an ideal target for hackers. Even a small one has hundreds of people connecting to its network, and many campuses have old machines with out-of-date software used by students and the public. It only takes one person clicking on the wrong email to compromise the entire system. Colleges are "a prime environment for these attacks," Jared Phipps, a cybersecurity expert, told Inside Higher Ed.

    When a college's IT system gets compromised, the ransom amount can vary considerably. When the admissions-tracking system at Grinnell, Oberlin, and Hamilton Colleges (which they share) was hacked, aspiring freshmen were offered the chance to see their files for around $4,000, which was later discounted to $60.

    In contrast, when for-profit Monroe College was the victim of a ransomware attack, hackers demanded $2 million. Crowder College in Missouri saw a similarly high price tag of $1.6 million to regain control of its system. The University of Calgary and Carleton University in Canada and Los Angeles Valley College paid ransomware demands that cost the schools up to $35,000, according to the cybersecurity company Acronis.

    Not all schools that get attacked are naïve about the threat of hackers, either. The Stevens Institute of Technology in New Jersey is known for the strength of its cybersecurity courses, but hackers still attempted to infiltrate its system. Stevens, however, was able to stop their system from being compromised.

    When a college gets attacked, it can attract a lot of media attention, but post-secondary institutions are not the only targets. Around 500 K-12 schools in the United States, Zdnet noted, were affected by cyberattacks through September of last year, including 15 public school districts comprising over 100 schools. After three public school districts in Louisiana were victimized, Governor John Bel Edwards declared a state of emergency so the state could access federal funds and resources to shore up their IT security.

    When a school succumbs to an attack, cybersecurity experts recommend not paying ransoms, according to the University of California-Berkeley Information Security Office. If schools do pay, experts worry that successful attacks will encourage hackers to target more places with vulnerable IT systems. The hard lesson of experience also cautions colleges not to cave: as Regis University showed, even if a school pays, they don't always get access restored.

    What college leaders need to do, according to UC-Berkeley, is to create a contingency plan in case a ransomware attack succeeds.

    Schools should maintain separate file backups and have a recovery plan in place. They also need to keep operating systems and antivirus software up-to-date and restrict users' permissions to install software. Multifactor authentication, where someone logging in needs to enter a code sent to another email or their phone after entering their password, can also reduce a system's vulnerability to attacks, as Inside Higher Ed noted. Colleges need to take steps to make a successful attack less likely, but they can't count on prevention to always work.

    The number of attacks appears to increase over the year and cluster around the beginning of the school year, Zdnet noted. However, determining the number of attacks that target educational institutions is almost impossible, as no one tracks the number of attempted or failed attacks (if they're even detected), and the number of attacks often depends on who is doing the counting.

    For example, one cybersecurity firm counted 500 attacks while another reported over 1,000. For example, Armor reported 72 attacks affecting 1,039 schools in 2019 while Emsisoft reported 89 attacks affecting 1,233 schools.

    Though difficult to track, the federal government is taking cybersecurity increasingly seriously. Last year, Congress passed a bill requiring the Department of Homeland Security to establish Cyber Incident Response Teams, which became law in December. It created "a permanent group of security specialists that agencies and industry could call on when their IT infrastructure gets compromised," journalist Jack Corrigan noted. The CIR teams have the potential to help colleges who face IT attacks they can't weather on their own, though Congress won't have any data on the teams' effectiveness for four years (when the Department of Homeland Security is required to provide a report).

    While the federal government is taking cybersecurity seriously and requesting $18.8 billion for it for 2021, including $2.6 billion for the Department of Homeland Security. State and local governments and affected schools are putting less money into this critical area.

    Many state and local governments don't have dedicated cybersecurity budgets, and the news isn't much better at colleges or universities. According to the 2019 Campus Computing Survey, 67 percent of college IT directors said that their budgets haven't recovered from cuts made after the 2008 recession. Without increased budgets, government and college IT departments can't retain employees for long, resulting in lost productivity from constantly training replacements.

    Some schools that have been affected by cyberattacks and ransomware have learned from their mistakes and taken action. Regis University not only rebuilt its computer systems but merged its Anderson College of Business with the College of Computer and Information Sciences because the process revealed that students could benefit from understanding how a large organization is managed and relies on information technology, according to a Regis press release.

    Their ransomware attack has also given them the opportunity to turn media attention into a marketing opportunity. Earlier this year, it hosted a cybersecurity conference called "Stronger Together" that focused on prevention strategies to stop cyberattacks. The conference's main theme was that it's only a matter of time before a business, institution, or government agency is affected by a cyberattack.

    As colleges become ever more reliant on the internet and the number of devices on campus increases, providing more ways for malevolent actors to cause chaos, college leaders need to consider how they'll react in a crisis.
Go Back


Leave a Guest Comment

Your Name or Alias
Your Email Address ( your email address will not be published)
Enter Your Comment ( no code or urls allowed, text only please )



Comment

( May 9th, 2020 @ 8:29 am )
 
Just a few years ago, many "brilliant bureaucrats" administering college websites were led to believe that it was best to switch from their current Content Management (CMS) Systems to ubiquitous and open-sourced Word Press CMS, where if one gets hacked, well, GOOD LUCK!

Why anyone, who cares about the safety of their critical site, acting as a data platform for their center of higher learning, would devolve to the Word Press CMS is mind boggling stupid to me and others like me that know better.



Lt. Gov. Forest on Governor's Phase 1 Announcement James G. Martin Center for Academic Renewal, Editorials, Op-Ed & Politics Democrats Divide Over Biden Allegations

HbAD0

 
Back to Top