How colleges can be proactive about the ransomware threat

by Joseph K. Clark

Criminal hackers drew national attention when they brought down a major East Coast oil pipeline for several days in May, triggering a panic that led to gasoline shortages and price increases. Colleges have been similarly hit, knocked offline for days or weeks by attackers who froze — and sometimes threatened to sell — their data and demanded payment for it to be restored.

Called ransomware, these attacks doubled in frequency within higher education between 2019 and 2020, according to one industry report, which pegs the average cost of such an event for institutions at $447,000. They have affected colleges nationwide, from a community college in Iowa to Michigan State University and a California system campus. One two-year system in Arizona said it narrowly averted such an attack.

Federal law enforcement agencies warned colleges of the increased threat earlier this year.

Von Welch is the executive director of OmniSOC and associate vice president for information security at Indiana University.

Ransomware attacks are hitting colleges at an inopportune time. Institutions have been relying far more heavily on their virtual systems for instruction and student support during the pandemic than ever before. This has made the impact of such attacks that much more significant for colleges, said Von Welch, associate vice president for information security at Indiana University.

Welch is also the executive director of OmniSOC, which was founded in 2018 and brings together security officials from several universities to provide 24/7 coverage of their systems. The collaborative approach also lets them apply lessons from an attack on one school to another.

Higher Ed Dive talked with Welch about the recent spate of ransomware attacks and the other cyber threats colleges should be watching for.

HIGHER ED DIVE: With OmniSOC member schools doing more online during the pandemic, did the group’s structure or priorities change?

WELCH: There are subtle differences, but it’s not as big a change as you might expect. It’s not like universities have been excellent, neatly contained boxes, frankly, ever. We’re very used to this dynamic nature, as opposed to organizations where the physical boundary of their building is more meaningful in terms of their computer infrastructure.

We’re seeing more headlines about cyberattacks happening on campuses. Is that something schools should be worried about?

Most of the increase in threats I’ve seen to higher ed, and really all of the world, have been related to ransomware, but it’s not mainly due to COVID. Ransomware has gotten popular because criminals can go after so many more victims. Five or 10 years ago, all cybercrime was basically around getting things like social security numbers, credit card numbers, access to bank accounts — stuff they could convert into money quickly.

When someone makes a ransomware attack, they’re attacking your business continuity. So all that has to happen now is your infrastructure has to be important to you. If you think about this from who can be a victim, it grows incredibly. It’s been very effective during the pandemic because — guess what — everyone is highly reliant on their computer systems, so the impact of a ransomware attack is much more significant.

Would colleges have been as big of a target for ransomware had the pandemic not happened and pushed everything online?

They would have been a target, but because we weren’t doing everything online, it probably wouldn’t have been quite as big of a story. But I don’t think going online has necessarily made schools all that more vulnerable. They’re using software from places like Microsoft, Zoom, and others that are relatively mature products.

Do you notice any patterns or trends in the kinds of schools getting hit with ransomware?

Information technology has gotten so complicated that smaller schools are having a more challenging time keeping up with the demands of keeping it secure. They typically don’t have as big of an IT budget. These hardworking people are being pulled in more directions and don’t have the specialization you can get at larger schools.

When we see more prominent universities hit, it tends to be their departments rather than central IT. In central IT, we have a lot of trained staff who are very focused on keeping things secure. Once you get to a department, the balance between priorities shifts between security work and other support.

What should a school do if they get hit with ransomware?

One of the critical things they’re going to have to figure out at that moment is do they have good backups. If you have good backups of all your IT systems, you can restore those backups and get online without having to worry about extortion.

If you don’t have good backups, you might have the question of should you pay the ransom. That can be a tricky ethical issue. With the pipeline attack, you have the FBI and the Department of Justice asking people not to pay ransoms because if you do, you’re giving money to the criminals; they’re investing it to become better. It encourages them to go after more victims. On the other hand, from the perspective of the pipeline CEO, they had people running out of gas all up and down the Eastern Seaboard, so they had a compelling reason to want to get back online quickly.

That may be something senior leadership wants to talk about before they get in that situation. Which of the critical services on their campus would cause them to have to shut down if they were suddenly unavailable? Ask their IT staff: Do we have a backup for that server? When was the last time we made sure the backup worked? Could we recover if that server was hit by a ransomware attack? It’s basically a disaster recovery exercise.

Has this threat been on schools’ radars long enough for them to have done this preparation?

Our first look at ransomware here at Indiana University was five years ago, which was a little bit early on. The Department of Justice said it will give ransomware a similar priority to terrorism, so it’s on the national radar. If you believe your organization needs to keep running through any sort of disaster, it’s past time to have had a conversation.

It’s a tricky subject to tackle because the IT infrastructure has gotten so complicated. The big challenge is making sure you’ve got all your critical systems identified and have them secured, and have good plans in place. People struggle to do that at the scale of something with the complexity of a college or university.

What other threats should schools be more aware of now that they are doing more online?

There are phishing attacks, which are fraudulent emails. There’s also voice phishing, which is basically calling somebody up and saying, “Hey, this is your CFO; we need to get $50,000 to this vendor by the end of the day.” Those are still out there and a little easier during the pandemic because we’re doing many more things via phone or otherwise. It’s certainly not a good time to let your guard down on issues like that.

What would you like non-tech leaders to know about their role in helping teams like yours protect the institution?

Leaders have to balance many risks every day, and I recognize cybersecurity is just one of them. It’s hard because cyber is changing so rapidly, relatively speaking. Things like tornados and financial risks can be relatively well understood — we’ve got actuaries and meteorologists. Cyber is such a dynamic field that it can be hard to stay on top of it. And so recognizing that although it is challenging, it needs to be an ongoing conversation between the cybersecurity experts and the leaders to understand how the cyber risks are changing and how those changes relate to our education and research missions.

Do you think the pandemic has made leaders more or less interested in those conversations?

The pandemic introduced substantial public health risks for universities. Suddenly we were spending a lot of time trying to keep students and staff safe from the pandemic itself. You can just look around at all the deaths and the lives that have been impacted by the pandemic, and it puts the cyber risks in a little bit of a different context. It’s money versus lives.

But on the other hand, the role cyber has played in helping with the pandemic is we’ve had to keep a lot more health data secure, sometimes on systems that have been set up very quickly. Speed and urgency are not the friends of cybersecurity. It had to adapt to keep up.
