As Budgets Tighten, Colleges Still Vulnerable to Ransomware

Colleges and universities around the country are proving to be easy prey to hackers with ransom demands. In Massachusetts, Cape Cod Community College was defrauded of $800,000 last year, while Colorado’s Regis University paid an undisclosed amount to regain access to their files after a ransomware attack—and still did not get access back.

Ransomware is a type of malicious software that, once it infects a computer system, allows attackers to lock out victims until they pay a ransom to regain access. With budgets getting tighter for public and private colleges in the wake of the coronavirus, funding IT security could slip through the cracks.

In many ways, a college is an ideal target for hackers. Even a small one has hundreds of people connecting to its network, and many campuses have old machines with out-of-date software used by students and the public. It only takes one person clicking on the wrong email to compromise the entire system. Colleges are “a prime environment for these attacks,” Jared Phipps, a cybersecurity expert, told Inside Higher Ed.

When a college’s IT system gets compromised, the ransom amount can vary considerably. When the admissions-tracking system at Grinnell, Oberlin, and Hamilton Colleges (which they share) was hacked, aspiring freshmen were offered the chance to see their files for around $4,000, which was later discounted to $60.

In contrast, when for-profit Monroe College was the victim of a ransomware attack, hackers demanded $2 million. Crowder College in Missouri saw a similarly high price tag of $1.6 million to regain control of its system. The University of Calgary and Carleton University in Canada and Los Angeles Valley College paid ransomware demands that cost the schools up to $35,000, according to the cybersecurity company Acronis.

Not all schools that get attacked are naïve about the threat of hackers, either. The Stevens Institute of Technology in New Jersey is known for the strength of its cybersecurity courses, but hackers still attempted to infiltrate its system. Stevens, however, was able to stop their system from being compromised.

When a college gets attacked, it can attract a lot of media attention, but post-secondary institutions are not the only targets. Around 500 K-12 schools in the United States, Zdnet noted, were affected by cyberattacks through September of last year, including 15 public school districts comprising over 100 schools. After three public school districts in Louisiana were victimized, Governor John Bel Edwards declared a state of emergency so the state could access federal funds and resources to shore up their IT security.

When a school succumbs to an attack, cybersecurity experts recommend not paying ransoms, according to the University of California-Berkeley Information Security Office. If schools do pay, experts worry that successful attacks will encourage hackers to target more places with vulnerable IT systems. The hard lesson of experience also cautions colleges not to cave: as Regis University showed, even if a school pays, they don’t always get access restored.

What college leaders need to do, according to UC-Berkeley, is to create a contingency plan in case a ransomware attack succeeds.

Schools should maintain separate file backups and have a recovery plan in place. They also need to keep operating systems and antivirus software up-to-date and restrict users’ permissions to install software. Multifactor authentication, where someone logging in needs to enter a code sent to another email or their phone after entering their password, can also reduce a system’s vulnerability to attacks, as Inside Higher Ed noted. Colleges need to take steps to make a successful attack less likely, but they can’t count on prevention to always work.

The number of attacks appears to increase over the year and cluster around the beginning of the school year, Zdnet noted. However, determining the number of attacks that target educational institutions is almost impossible, as no one tracks the number of attempted or failed attacks (if they’re even detected), and the number of attacks often depends on who is doing the counting.

For example, one cybersecurity firm counted 500 attacks while another reported over 1,000. For example, Armor reported 72 attacks affecting 1,039 schools in 2019 while Emsisoft reported 89 attacks affecting 1,233 schools.

Though difficult to track, the federal government is taking cybersecurity increasingly seriously. Last year, Congress passed a bill requiring the Department of Homeland Security to establish Cyber Incident Response Teams, which became law in December. It created “a permanent group of security specialists that agencies and industry could call on when their IT infrastructure gets compromised,” journalist Jack Corrigan noted. The CIR teams have the potential to help colleges who face IT attacks they can’t weather on their own, though Congress won’t have any data on the teams’ effectiveness for four years (when the Department of Homeland Security is required to provide a report).

While the federal government is taking cybersecurity seriously and requesting $18.8 billion for it for 2021, including $2.6 billion for the Department of Homeland Security. State and local governments and affected schools are putting less money into this critical area.

Many state and local governments don’t have dedicated cybersecurity budgets, and the news isn’t much better at colleges or universities. According to the 2019 Campus Computing Survey, 67 percent of college IT directors said that their budgets haven’t recovered from cuts made after the 2008 recession. Without increased budgets, government and college IT departments can’t retain employees for long, resulting in lost productivity from constantly training replacements.

Some schools that have been affected by cyberattacks and ransomware have learned from their mistakes and taken action. Regis University not only rebuilt its computer systems but merged its Anderson College of Business with the College of Computer and Information Sciences because the process revealed that students could benefit from understanding how a large organization is managed and relies on information technology, according to a Regis press release.

Their ransomware attack has also given them the opportunity to turn media attention into a marketing opportunity. Earlier this year, it hosted a cybersecurity conference called “Stronger Together” that focused on prevention strategies to stop cyberattacks. The conference’s main theme was that it’s only a matter of time before a business, institution, or government agency is affected by a cyberattack.

As colleges become ever more reliant on the internet and the number of devices on campus increases, providing more ways for malevolent actors to cause chaos, college leaders need to consider how they’ll react in a crisis.

Matthew M. Robare is a freelance journalist based in Boston. His work also appears frequently in The American Conservative and University Bookman. Follow him on Twitter: @MattRobare.