If you’re an IT professional at a university, the question is no longer whether your institution will encounter a cyberattack—it’s when.
So says Eyal Benishti, founder and CEO of IRONSCALES, an Atlanta-based company that provides email phishing detection and prevention software. Benishti spoke with StrategicCIO360 about the latest criminal approaches, how they’re impacting victims—and what can be done to fight back.
How is the higher education industry being targeted by cybercriminals, and what cyberattack tactics are most commonly used against these institutions?
Higher education isn’t immune from the types of attacks typically directed toward other government entities, with ransomware one of the leading methods of attack. In fact, a recent study found that 26 universities were the victim of a ransomware attack in 2020, and at least seven have faced attacks so far this year. Sophos reports that the average attack on a higher education institution results in $112,000 in payments, and nearly $3 million to resolve in total. And because many schools are already managing stretched budgets, a cyberattack can be devastating.
Think of a university as a small city, and you’ll understand why it can be an enticing target for a ransomware attack: thousands of dollars in payments per student are going in and out of the bursar’s office. Enrollment logs contain personally identifiable information about students. Many universities have hospitals attached, which can’t afford any time offline, as well as extensive utilities operations. Then, factor in that some departments may be conducting secretive research that could be valuable if leaked.
What are some examples of recent attacks on colleges and universities? What were the responses and results?
Perhaps one of the most concerning examples involved Lincoln College, a private institution in Lincoln, Illinois. The school had already seen enrollment losses as a result of the pandemic, but its challenges were compounded by a ransomware attack in December 2021. The cybercriminals took control of most of the school’s enrollment data, preventing officials from completing even the most basic recruitment and fundraising efforts. It took three months for the systems to come back online, and when they did, Lincoln was unable to recover enrollment loses. It closed its doors last spring.
Not every attack ends as tragically, but they all cause long-lasting pain. Michigan State University faced a ransomware attack in 2020 that exposed sensitive data after the university refused to pay, and the University of California San Francisco ended up settling with cybercriminals to the tune of $1.14 million in a similar attack. Howard University in Washington, D.C., had to cancel several days of classes in 2021 to resolve an attack. Florida International University and North Carolina A&T are among the universities that faced attacks in the last semester alone. Unfortunately, the question is no longer whether your university will encounter a cyberattack, it’s when.
How can higher education institutions better protect themselves from cyberattacks?
First, universities should continually educate their students and staff about cyberthreats, with regular reminders via email and resources available through the university’s online hub for students to report suspected threats. Regular cybersecurity training for staff can go a long way toward prevention. Technology such as artificial intelligence-driven security solutions are also helping us better protect against evolving cybersecurity threats. As cybercriminals try new tactics for breaching systems through email or collaboration platforms such as Microsoft Teams and Slack, these solutions detect and remediate the threat.
And although it can be a headache to consider, universities need to have a plan in place to reduce disruption in the event of a successful attack. It’s essential that critical information is backed up in the cloud or on servers disconnected from the impacted network, making it easier to get back online quicker—and universities should also remember there’s no guarantee they’ll get all their data back even if they pay the ransom. Segmenting the campus network to prevent the ransomware attack from spreading across the entire university is also an effective strategy.
What types of training can be provided to these institutions for administrators, faculty and students, to strengthen their overall cybersecurity?
Most of today’s college students don’t know a world before the internet, so by now, they’re likely numb to reminders like, “do not click suspicious links.” It’s important both students and faculty understand how threats have evolved beyond obvious scams. Emails can look and sound as if they came from friends, family or co-workers. That means training needs to evolve too.
Universities can invest in online training solutions that offer short, interactive lessons highlighting today’s top threats. These solutions often include simulation tools as well, allowing the university to send “test” emails to students and staff. These emails, designed to mimic today’s tricky phishing emails, ensure recipients are keeping an eye out for potential threats. If the recipient opens a link in the email, they’re directed to additional lessons to help them better understand the threat. Often these types of simulations can be a wake-up call for complacent users.
