Students at six different institutions of higher learning in Louisiana missed days to weeks of class this month because of cyberattacks. At one university, Southeastern University of Louisiana, many students turned to TikTok to raise concerns and complaints about not being able to access their emails, Google Drives, or Moodle for almost two full weeks following a ransomware attack on the school. Classes at the nearby Nunez Community College were suspended from the 24th to the 29th when the Louisiana State Police (LSP) notified the school of an “indicator of compromise” on its network. Four other institutions of higher education in Louisiana were also notified by LSP that their networks were compromised to varying degrees on March 24th including the Louisiana State University Agricultural Center, the University of New Orleans, River Parishes Community College, and Southern University at Shreveport.
A Unique Problem
Universities and institutions of higher education are a place of open collaboration between peers, departments, and even other universities. They embody a spirit of sharing ideas and engaging in lively debates that get lost outside of the academic bubbles created on college campuses.
The internet itself only escaped the military silo it was created in because of universities collaborating to solve complex defense research questions. The internet we use today would not exist without this jump into supporting open communication and collaboration across the country.
This foundation of openness and working together that is at the core of both universities and the internet makes the combination of the two ripe for exploitation by cyber actors. Criminal groups and state actors alike see large, less-than-diligent pools of students, adjuncts, professors, and staff that get hundreds of emails or LinkedIn messages daily who will often click without double checking (in fact, phishing is the number 1 attack vector taken on higher education targets). Networks are made more difficult to monitor because of constant resource sharing across academic institutions, not to mention insufficient budgets that make solutions to the problem that much more out of reach.
Ransomware groups, in particular, take advantage of a general lack of sufficient backups on university networks, making universities more likely to pay the ransom rather than permanently lose their data. State actors are enticed by massive pools of research across a wide variety of sectors, waiting to be quietly taken.
Institutions of higher education are different from the rest of the education sector because of these pools of research, payment information stored for tuition and other fees, the significant number of devices being brought in and out of their networks by students, faculty, and guests on campus, and the insider threat posed by curious students looking to test the skills they are learning in computer science and cybersecurity classrooms. Higher education also sees the same risk factors as the broader education sector of underfunded and overworked cybersecurity teams, a lack of data backups, and owning massive pools of sensitive personal data.
This is not an issue organizations can continue to under-resource. The year-over-year increase in attacks seen by the education sector between 2020 and 2021 was 75% while other industries saw a 50% increase in attack frequency. Recorded Future threat intelligence analyst Allan Liska believes that this trend of increasing attacks on institutions of higher education is not likely to change. On average, ransomware payments cost a victim $112,000 with total costs adding up to around $2.7 million. Economically, it is a better investment to protect the networks and build resiliency before an attack rather than begin looking for solutions after an attack.
What Can We Do About It?
Aside from the State and Local Governments Cybersecurity Grant Program (covered in last month’s overview of K-12 education here), there are no existing programs to receive federal funding for cybersecurity programs.
On their own, colleges and universities should invest in a number of solutions and policies that go into two different categories: building resilience and defending your network. No matter how good of a cybersecurity program an organization has, eventually, someone will get in– this is why resilience or an organization’s ability to bounce back from a cyberattack is critical. This doesn’t mean, however, that an organization can’t make it too difficult for an opportunistic attacker to breach their systems– that is where defensive measures come in. Both are necessary for a strong cybersecurity program.
- Cyber Insurance: Every organization should invest in cyber insurance. Policies can be built in a way that makes sense for your budget and your needs, but insurance is a necessary baseline to protect your organization when a breach happens. Insurance policies almost always include incident response and crisis communications services via third-party and will usually cover a large percentage of the total cost of an attack.
- Backups: The best way to get out of needing to pay a ransom payment is to have peace of mind knowing your organization has up-to-date, reliable data backups, either on-site or in the cloud. Backups are the number one driver of ransomware attacks trending down in other sectors because they no longer need to pay to know they will still have their data. Institutions of higher education should make obtaining and maintaining backups a critical priority.
- Incident Response Plan: Having, testing, and maintaining an incident response plan is crucial to ensuring your organization is resilient to an attack. Tabletop exercises should be conducted at least once a year to ensure your team knows what to do when an attack occurs. The worst thing an organization can do when hit by an attack is not know what to do or who to involve.
- Disk and Database Encryption: Ensuring that an attacker cannot easily access data once in a network is critical to network security. Keeping communications and data encrypted helps tremendously in preventing data leaks.
- Comprehensive Asset Inventory via Network Asset Discovery: Given the nature of colleges and universities with new devices coming in and out constantly, the ability to pull up all connected devices and find which ones are compromised efficiently is incredibly important. You can’t defend against the unknown so having visibility into your network is key to a strong cyber defense.
- Endpoint Detection and Response (EDR) and Network Detection and Response (NDR): EDR and NDR provide full coverage in being able to find a breach with EDR protecting the perimeter and NDR, the internal network. With both of these tools deployed across your network, you will have much better visibility and security.
- Data Loss Prevention (DLP): DLP solutions will alert if a user is exfiltrating a large amount of data as an attacker looking to steal R&D, credentials, financial information, or other data would need to do.
Obviously, cybersecurity budgets at institutions of higher education are very limited and personnel are already stretched thin, so it is by no means an easy feat to launch a comprehensive program like the one we have outlined here. However, Consortium Networks would be happy to help in one or a number of ways from connecting you with solutions providers to writing and practicing an incident response plan and everything in between to make building a program work for your organization.