Ransomware has become a huge global problem during the pandemic, including for the education sector.
In the UK, tertiary providers have experienced an unprecedented spike in this type of cyber attack since August 2020 – and the timing was not coincidental.
For the first time, attacks caused maximum disruption during the critical period around exam results, clearing and student enrolment. We are braced for similar activity during August and September this year.
Impact of attacks
The number of ransomware attacks on colleges and universities during the first six months of 2021 has already exceeded the total recorded for the whole of 2020.
Eleven of those hit this year have featured in the media, requiring considerable resource to manage external communications on top of the enormous internal communications effort to staff and students.
The aggregated impact has been devastating; entire organisations have been taken offline for weeks, their systems and services crippled, their data irrecoverable.
In some cases, however, the damage has been contained and campuses have been able to continue to operate, albeit at a reduced level of service.
Recovery is challenging, time consuming and expensive. What’s required is an often lengthy rebuild of the digital estate, which could easily stretch over many months or more and consume several million pounds.
Our conservative financial estimate is an average of £2m of direct impact costs per education organisation, but the full cost is likely to be a lot more.
Let’s not forget that, while cyber attacks are a technical problem, there is significant human impact, too. IT and security teams have already been under sustained pressure for more than a year because of the enforced shift to remote working, with all the associated security challenges.
And the ripples from an attack spread across campus to communications staff and finance teams, to teachers and students who’ve lost classroom resources and vital course work, and, ultimately, executive leaders who must shoulder the responsibility.
One college principal describes his experience of an attack as ‘brutal’. He talks frankly about how emotional it was having to tell his staff that all their files had been lost, the students’ work, too.
A strategic solution
At Jisc, we have been working hard to galvanise members to improve their defences, with a series of briefings for technical teams, senior leaders and finance directors, and through cooperation with the National Cyber Security Centre (NCSC), which has issued three ransomware alerts for the sector in the past year.
Jisc has also been collating and sharing intelligence, so that the sector can continually learn and adapt. To that end, Jisc has instigated a global threat intelligence partnership for the education sector and is planning to launch a UK version very soon.
Partner organisations, such as ucisa, have also helped disseminate threat information and we encourage affected institutions to continue to share key facts with peers via the NCSC’s cyber security information sharing platform (CiSP).
Meanwhile, we are supporting impacted members to deal with the immediate and long-term aftermath of attacks, and we are investing to upgrade our defensive capability for the UK education and research sector.
Ultimately, though, individual colleges and universities are responsible for the security of their digital estate. The best way to do this is through a security strategy that’s embedded across the whole organisation.
Buy-in from senior leaders is key. It’s particularly frustrating to hear from some members that investment for cyber security is more likely only after an attack. Our report on the impact of cyber attacks might help with those conversations.
To help protect the Janet Network on which our members rely, we have central protections included in the Jisc subscription, such as foundation DDoS mitigation. Members can also join the free Janet Network resolver service to mitigate web requests directed to compromised or dangerous websites.
It is equally important that colleges and universities check that they have taken all possible steps to protect themselves. This includes:
- Acting on Janet CSIRT alerts - especially those marked ‘critical’, such as recent notifications about vulnerabilities in Microsoft Exchange servers
- Implementing two-factor authentication - while not something that can be implemented overnight, we strongly recommend it as a means of protecting against threat actors that target accounts using stolen or phished credentials, or password stuffing
- Effective and timely vulnerability management and patching procedures – essential for all systems and services. Prioritise critical and externally accessible services first. Where systems cannot be patched, ensure they are appropriately segmented
- Segmenting and isolating all critical service infrastructure – this will help prevent attackers moving around inside systems
- Implementing segregated central logging and monitoring of critical systems for early warning and to assist in incident investigations
- Maintaining operational resilience of the DNS service
- Ensuring backups are segmented, secured and tested regularly – backup processes should operate independently of any centralised authentication platforms
- Frequently rehearsing incident response plans and procedures – critical for effective response
Any college or university that needs help to implement technical advice only has to ask - and time is of the essence because it’s a case of ‘when’, not ‘if’.