Arctic Wolf Chief Product Officer Dan Schiappa said that as the COVID-19 pandemic necessitated a rapid shift to virtual learning, and institutions found themselves working with limited IT resources, many of them don't have wiggle room to lose. According to IBM’s Cost of a Data Breach Report 2021 cited by Arctic Wolf, the average cost of a data breach sits at about $3.86 million, making proactive IT investments a smarter financial decision than reactively reallocating resources.
“In many respects, many universities were so far behind the curve on having modern security infrastructure, and had budget limitations that preclude them from catching up at the speed they would like,” he said. “Budgets always have an impact, particularly with state universities, and I think this got exacerbated when they had to shift dramatically to remote learning and probably weren’t initially set up to do that at scale.”
The Arctic Wolf report noted that 65 percent of higher-ed leaders believe the rapid adoption of new ed-tech tools during the pandemic has created new IT vulnerabilities. Schiappa said securing new devices on growing networks will be a major challenge for schools moving forward.
“That [rapid adoption] can reduce the security hygiene and capabilities,” he warned.
Adam Scott Wandt, an assistant professor of public policy at the John Jay College of Criminal Justice in New York, said institutions should take more care to update their security protocols and regularly update their data to protect it from ransomware incidents like the one that led to this week’s closure of Lincoln College in Illinois — the first to close in part due to a cyber attack.
Solutions, he said, might include requiring two-factor authentication for login credentials. In addition, he noted John Jay’s use of banners in emails to note which ones are from outside the organization’s networks to better identify phishing scams.
“The answer is simple, but the implementation is not ... They need to better educate their community to help them not fall victim to phishing attacks. A huge portion of ransomware, hacking and unauthorized access [to networks] are due to the amazing increase we’ve seen in phishing. Unless you help the human element get better at avoiding phishing attacks, you’re not going to be able to address this,” he said of the need for a multi-pronged IT security approach. “The second, or engineering solution, is to make sure that access to college or universitywide emails and systems goes through two-factor authentication, and also the implementation of safeguards that help people understand that they might be a victim of phishing.”
Wandt said universities should never cave to the demands of cyber criminals holding data for hostage.
“Universities should never pay the ransom under any circumstances. I think it’s highly problematic,” he said. “The people conducting these attacks are very often organized crime, foreign state actors, terrorist organizations. For a university to pay the ransom to a foreign state [adversary] or a terrorist organization because the university didn’t have the proper protocol in place to protect them and have their information backed up in the first place is a very serious thing.”
While there is a lot to consider in the fight against cyber attacks targeting colleges and universities, Schiappa said one thing is certain — cyber criminals are not letting up any time soon, following a string of successful attacks against the education sector.
“They’re not going to stop trying. There are lots of opportunities to attack universities, and you have to be on your toes,” he said. “People take security seriously when it’s on the front-page news or it happens to somebody they know. Now, it’s everywhere, and it’s on everyone’s minds.”
