Insights is a SmartBrief Education Originals column that features perspectives from noted experts and leaders in education on the hot-button issues affecting schools and districts. All contributors are selected by the SmartBrief Education editorial team.
Although the first quarter of 2022 experienced a concerning rise in ransomware — including double the number of 2021 Q1 attacks — many education institutions still neglect to address gaps in their education cybersecurity protocols. K-12 education institutions have only “modestly” improved their cybersecurity over the past five years, according to K12 Security Information Exchange’s annual report on cybersecurity.
Education cybersecurity continues to lag behind the offensive capabilities of emerging bad actors. Industry research finds that encryption-based attacks are more successful against educational institutions than organizations in other sectors (73% vs. 65% success rate). Several breached K-12 and higher education institutions take more than three months to recover. With many principals struggling with teacher shortages, administrators don’t have time to lose on cyber-recovery.
These trends become even more problematic when examined alongside modern evolutions of ransomware. Take, for example, the recent rise in ransomware as a service, a subscription model allowing affiliates to use malware to attack their organization of choice. The advent of RaaS has lowered the barrier to entry for unskilled hackers seeking confidential — and therefore valuable — data, such as student records. Additionally, geopolitical events like the Russian invasion of Ukraine have created an unstable cybersecurity environment in which all organizations must be more vigilant.
Education administrators and IT leaders can address contemporary ransomware with equally modern protocols that take advantage of recent advances in artificial intelligence and machine learning. For student and faculty safety, these education cybersecurity enhancements need to be enacted sooner rather than later.
Schools and colleges seeing more ransomware attacks
More than half of all educational institutions were ransomware targets in 2021, up from 44% of institutions in 2020. This significant increase underscores a crucial point: All educational institutions will inevitably become a target for ransomware. Many school districts are learning this firsthand.
In September 2022, the Los Angeles Unified School District — which comprises more than 400,000 K-12 students — suffered a ransomware attack. Although students continued attending school during the outage, the attack suspended several infrastructural capabilities, such as staff and student email. The Vice Society eventually claimed credit for the attack, after which the Cybersecurity and Infrastructure Security Agency identified the ransomware group as a threat to the education sector. CISA classified the education industry as a “particularly lucrative target” due to sensitive student and faculty data.
Following the attack, Vice Society hackers leaked thousands of sensitive and confidential documents, representing a significant security threat for students, employees, alumni, and parents. The Vice Society breach is the second large-scale ransomware attack against LAUSD in many years. It is unclear whether LAUSD took steps to bolster its cybersecurity following the 2021 attack.
In 2022, LAUSD decided not to pay the ransom, a vital decision. Institutions should never pay a ransom. Doing so provides an incentive for bad actors to replicate an attack and, therefore may make an institution a repeat target. Often, organizations that dole out a ransom fail to regain lost data.
How to craft a preventive and restorative ransomware strategy
As AI and machine learning capabilities evolve, ransomware becomes increasingly complex and challenging to combat. But IT leaders and school administrators have access to the same technologies that hackers do. As such, education decision-makers have the choice to update their cybersecurity strategy and meet modern threats where they are. The key is deciding to make those changes today and follow through.
But where does a holistic approach to ransomware protection start? Quick data recovery protocols and preventive ransomware measures are crucial and need to be appropriately balanced. But institutions likely need a guiding hand to create that equilibrium.
Robust education cybersecurity plans are not usually crafted and deployed in-house. That’s because third-party vendors can supply reliable around-the-clock monitoring and insights solutions alongside greater industry expertise. And with the right provider, ransomware-protection-as-a-service solutions can be specifically tailored to an institution’s needs. RPaaS is the all-inclusive solution to addressing traditional ransomware breaches and new variants like RaaS. Its flexibility is important given the array of multi-cloud operations in the education industry. The number of cloud computing and storage services employed across one campus necessitates a more nuanced approach to cybersecurity. The right third-party solution will provide this flexibility by quickly adapting to on-premise data centers and cloud-based and hybrid data needs.
The minimum for education cybersecurity
Although the correct toolkit will vary by institution, IT leaders and school administrators should keep an eye on specific offerings to ensure their provider’s solutions are holistic. At a minimum, third-party vendors should offer:
- Endpoint detection and response, which provides trusted cybersecurity measures like single sign-on and multifactor authentication.
- Security information and event management, which compiles cybersecurity data using AI and machine learning to fuel critical functions like admissions and retention.
- Backup-as-a-service is a fail-safe that automatically creates file backups in an emergency or cyberattack.
Reliable providers will also offer a breadth of scope. IT leaders looking for dedicated cybersecurity staff should have access to a full-time team.
Education leaders looking for supplemental staff to bolster their IT strategy will also have options. Software-as-a-service vendors will offer a range of pay-as-you-go options that scale with an institution’s growing or diminishing cybersecurity needs. Administrators who find themselves on the fence about their education cybersecurity needs should consider consulting a SaaS cybersecurity expert to determine their best course of action.
No institution is the same, and the right provider will acknowledge that by bringing a host of industry knowledge to the table.
The only course of action that’s incorrect for all institutions? Waiting for a cyberattack to occur. Because in today’s age of cybersecurity, it’s no longer if but when. IT leaders must attack fast to prepare their institutions for rising cybercrime.
Allen Jenkins is the chief information security officer and vice president of cybersecurity consulting at InterVision, a managed services provider that delivers and supports complex IT solutions for mid-to-enterprise and public sector organizations throughout the US.