Dive Brief:
- Ransomware is the top security threat at higher education institutions, according to a BlueVoyant report released Tuesday. The research was based on open source data, including an automated analysis of threat searches across thousands of universities and a smaller analysis of top-ten schools, state schools and community colleges.
- Ransomware attacks on universities increased 100% from 2019 to 2020, costing an institution $447,000 on average. Clop, Ryuk, NetWalker and Doppelpaymer were the primary ransomware families targeting education institutions.
- Data breaches accounted for half of the security incidents universities dealt with in 2019, according to the report. Nation-state activity leading to data theft impacted at least 200 universities over the last two years.
Dive Insight:
The pandemic ramped up the use of laptops, smartphones and tablets in higher education institutions. While higher education, like the enterprise, always permitted a degree of remote work, the pandemic "challenged the boundary" of stable security, said Raechelle Clemmons, a former CIO and VP of industry relations at Tambellini Group, a higher education technology analyst firm.
"Information security and higher ed has been somewhat tactical," said Clemmons. "There's a lot more thinking towards sort of risk registers, and what is our risk tolerance as an organization."
In 2020, Educause named information security the top IT issue for 2020. "To rely on perfect behavior from perfectly informed end-users using perfectly safeguarded systems, devices, and networks is … perfectly foolish. And yet we do," Educause said in its report.
The nonprofit encourages organizations to adopt a strategy based in mitigating operational, legislative and reputational risk to avoid large incidents.
Security incidents will likely encourage a conversation around what technology options there are, and how to be more proactive with vendors who are unresponsive in a certain area, said Clemmons. But it all depends on the maturity of a school's security program.
There's an appetite for in-house CISOs in higher education. "You might see three or four institutions sharing a CISO," or some outsource their security chiefs, said Clemmons. In responding to a security incident, unless an institution has experienced it before, "it can be challenging to know what to do."
BlueVoyant analyzed 30 institutions, including University of Michigan, Stanford University, and University of California, Los Angeles. The subset of the research was used to showcase the diversity in the higher education sector, including those with large legacy networks, large student bodies and community colleges with "more varied and dedicated online programs and services," according to the report.
All 30 schools had evidence of torrenting on their networks, a method for sharing large files from other devices over the internet. All 30 schools also had unsecured ports, and at least three-quarters of the schools had open remote desktop ports.
These security gaps are the most obvious weaknesses for the top threats: ransomware and data breaches. Between the two threats, which are often paired together, schools are faced with supply chain or other vulnerabilities similar to those companies face.
In May 2020, cloud provider Blackbaud was hit by a ransomware attack. The company stopped the hack before encryption began, but not before some of its customers, among them education institutions, healthcare organizations and nonprofits, became secondary victims, including:
- West Virginia University Foundation
- Valley City State University
- University of Bridgeport
- University of North Dakota
- Minot State University
Higher education institutions involved in COVID-19 vaccine research were subject to nation-state activity, according to the report. Russia-based Cozy Bear and Iran-based Scholar Kitten were identified as threats to the sector last year. At least five nation-state campaigns targeting universities have been identified over the last two years, though researchers expect the true number to be greater.
Before the Department of Justice and other international law enforcement agencies disrupted NetWalker ransomware operations in January, the strain was linked to at least four higher education ransomware attacks in 2020, according to analysis by Cybersecurity Dive.
One of the targets of NetWalker, the University of California San Francisco (UCSF) School of Medicine, paid the hackers $1.14 million. The school was working on academic work of importance to "the public good," and defended the payout.
Correction: In a previous version of this article, the cyberattack on Blackbaud was incorrectly attributed to AKO ransomware operators. There has been no attribution to a specific actor in the Blackbaud incident.