Ransomware attacks are a growing threat for universities and colleges. They should be on every senior leadership team’s radar. But while the risk is great, preparation is everything in building resilience to attacks.
1. Every organisation is at risk
When it comes to extortion, everybody's a possible victim. Attackers will look for assets that organisations can't operate without.
For a university, that means it’s not just research data that's at risk, although it's certainly of interest; it's also general digital assets – the data used to administer the organisation.
If an attacker can capture, and perhaps remove, data so educators can't teach, mark, examine or award degrees, that’s going to cause a major problem in terms of the ability to operate. So, anything that would stop an organisation from operating is potentially of interest.
2. Understand the anatomy of a ransomware attack
It's incredibly important that senior leaders have thought through exactly what to do if faced with different kinds of ransomware scenarios. To do that, they must understand how this kind of threat operates, what it feels like as the victim organisation and what the options are in each of the different attack phases.
In a single ransom attack, there's a period where criminals access a system and then look for the assets to hold to ransom. Those assets are then removed so that nobody can interact with them. At that point, the ransom demand is made.
It’s common to think that having a backup is enough to make an organisation resilient. But that doesn’t allow for double extortion, where the attacker will put more pressure on the victim by suggesting that, if they don't pay, the asset will be shared or sold on the open market.
Although a backup won’t help in the case of that kind of potential loss of privacy or confidentiality, payment is still discouraged.
Organisations known to pay ransoms can become targets for further attacks and, in the case of education providers, paying could be a breach of funding agreements.
Following the attack, the next step is recovery. If someone's been in your system, it’s important to understand what they may have done.
A certain amount of forensic investigation is required before determining whether the threat has been removed from the systems. If the malware is still there, attacks could begin again and could move around other systems, so the process of cleaning up can be complicated.
3. Prepare, prepare, prepare
Organisations that suffer least from ransomware attacks are those that have planned and prepared.
Think through all the possible outcomes: a ransomware attack is not one single scenario; it’s a series of scenarios dependent on the actions the attacker and the victim take. Organisations need to think about their response as a process of managing all the risks as well as the initial risk.
Senior leaders in sectors that are highly regulated or are considered critical infrastructure practise attack responses by undergoing simulated attack exercises.
These work through the process to help them understand the stress involved and any weaknesses or failings in the decision-making processes, or preparations, so that the gaps can be plugged.
Preparation will also include what and how you would communicate the attack to stakeholders – from staff and students to suppliers and research sponsors – especially if personal data could be leaked as a result of refusing to pay a ransom.
4. Stay alert to future threats
Cyber attacks evolve. When exercising scenarios, think ahead – what kinds of attacks might be round the corner?
If the first stage of a ransomware attack is blocking access to data and systems, and the second is extortion via the threat of leaking data, a third step could be the threat to sabotage those systems and data. Call it triple extortion. How should organisations respond to that?
5. Act now to avoid panic later
The reality is that, right now, the education sector is experiencing a sustained increase in ransomware attacks. All senior leaders should have planned for this.
Those that haven't prepared may well panic when it happens, and people in a state of panic don't necessarily make the best decisions. In contrast, those who have thought through what an attack might feel like and what the process to deal with it should be are in a good place to create the best outcome.
All organisations will fall victim to cyber attacks at some point. In the security industry, we don't believe in 100% protection, or 100% prevention.
What we're really doing is working with insecurity – recognising that attacks happen and trying to limit the damage as much as possible. In essence, it’s about being resilient.