Cyberattacks Pose ‘Existential Risk’ To Colleges—And Sealed One Small College’s Fate – Forbes


It costs colleges and universities $2.7 million on average to recover from cybersecurity attacks.


On the Sunday before last Christmas, a ransom note suddenly appeared in computer printer trays at Lincoln College in Illinois. While the note was written in broken English, the cyber criminals’ destructive message was clear: they had encrypted many of the rural college’s files and the institution no longer had access to critical enrollment, admissions and fundraising information.

The college paid the ransom—which was not insignificant but far less than $100,000—via its cyber insurance policy, said David Gerlach, president of Lincoln. Still, it took months for employees to regain access to all of their systems, at which point college officials realized that enrollment projections for the next academic year were disastrously low. In late March, Lincoln’s Board of Trustees voted to close the school after the current spring semester.

“The cyberattack was just another kick in the shin,” for the struggling college, said Gerlach. Before the Covid-19 pandemic, Lincoln celebrated its highest-ever student headcount—986 undergraduates enrolled full-time during the 2019-20 academic year, according to data from the National Center for Education Statistics. But the college’s already shaky finances were upended by steep enrollment and fundraising declines during the pandemic. While the school was heading toward closure anyway, the cyberattack both added to the downward momentum and delayed access to information showing how bad the numbers for the 2022-2023 academic year were going to be.

Cyberattacks like the one Lincoln experienced are extremely costly for institutions, and they are becoming more frequent. Higher education institutions have historically underfunded cybersecurity efforts, and the environment of information sharing and different computer systems across departments combine to make colleges and universities prime targets for cyber criminals, said Austin Berglas, global head of professional services and founding member at BlueVoyant, a cybersecurity company.

“We saw an incredible increase in ransomware attacks over the past two years, 2020 and 2021,” Berglas said. “Covid-19 pushing everybody remote really made the attack surface grow.”

Henry Stoever, president and CEO of the Association of Governing Boards of Universities and Colleges, says more boards of trustees are now realizing that cyberattacks pose a serious risk to their institutions.

“It can pose existential threats to any organization—large or small, public or private,” Stoever said. “If you cannot operate your business, if you can’t operate your college, then you may not be able to exist.”

So far in 2022, a handful of U.S. higher education institutions have publicly disclosed cyberattacks, according to Hackmageddon, a website that tracks security breaches. North Carolina A&T State University reported a ransomware attack in March while the university was on spring break. North Orange County Community College District suffered a data breach in January that exposed student and employee personal information. Ohlone Community College District in California and Midland University in Nebraska also reported ransomware attacks this year.

But reported cyber incidents represent only a fraction of total attacks, Berglas said. Many institutions are unwilling to disclose that they suffered cyberattacks unless they are required to by law, in part because they could be subject to lawsuits if the attack jeopardized the security of student or employee personal information.

Ransomware attacks, the most frequent type of cyberattack in the higher education sector, cost institutions an average of $112,000 in ransom payments, said Chester Wisniewski, principal research scientist at Sophos, a security software and hardware company. But that ransom payment is just a drop in the bucket compared to the total cost of resolving the attack, which averages about $2.7 million per incident, Wisniewski said, citing a Sophos survey from 2020.

“The average cost to an organization in the private sector was $1.8 million U.S. dollars after a ransom attack,” Wisniewski said, “so it was almost a million dollars higher cost for educational institutions to recover versus a normal private sector organization.”

Why so high? Colleges and universities notoriously fail to back up their systems, he said, which adds to the cost of recovery. Because academic departments are often siloed, comprehensive security protocols are difficult for college IT departments to implement. “Each department has its own little fiefdom. They may have their own file servers and their own things, and they don’t want other people interfering with their stuff,” he said.

Even more public school districts have suffered attacks and are vulnerable to a particularly unnerving risk: cyber criminals who look to steal children’s personal information. “How valuable is personally identifiable information for a child—you could use their PII for many years and go under the radar because no one’s pulling credit reports for children,” Berglas said. “If you can get social security numbers, dates of birth, and all kinds of other PII on a student you can open up accounts, make purchases, open up mortgages.”

In addition to ransomware attacks, colleges and universities are also targets for more sophisticated cyber criminals that are after intellectual property and research, Wisniewski said. Some of these actors turn around and sell the stolen data or information to nation-states like China or Russia.

“There’s a very hefty amount of people in certain places like China that know the government will pay them for [the information],” Wisniewski said. “They don’t know what they’re stealing, they’re just like ‘Hey, this company makes windmills, and we’re competing with the Americans to build windmills, let’s steal their software and maybe there’s something that we can then sell to the government.’”

During the pandemic, institutions with affiliated hospitals and those that conduct medical research have been particularly attractive to cyber criminals. In June 2020, the University of California, San Francisco shelled out a $1.14 million ransom payment after hackers attacked its School of Medicine.

While cyberattacks pose a significant threat to institutions, thwarting many of them is relatively simple, experts say. A majority of ransomware attacks could have been prevented using multi-factor authentication (MFA), which requires users to provide at least two verification factors in order to access a device or account, Berglas said. “We’ve seen threat actors try to compromise organizations that have MFA, and they actually just move on to the next target looking for an organization that doesn’t have it,” he said.

Cyber insurance is also a must, experts say. In 2020, 84 percent of higher education institutions had cyber insurance, but only 64 percent had a policy that covered ransomware attacks, according to the Sophos survey.

Even if they have insurance, struggling institutions like Lincoln can be particularly hard hit by an intrusion—just as they’ve been hard hit by Covid-19. Nearly two-thirds of Lincoln’s students come from Chicago and the surrounding cities and nearly half its students are African American. College-going rates for low and middle-income Black students tumbled during the pandemic, meaning Lincoln’s enrollment tumbled too. After 2019’s banner enrollment of 986, only 630 students arrived on campus in the fall of 2020 and enrollment didn’t budge in the 2021-22 academic year. Enrollment projections for the fall of 2022—available once the school recovered its data—showed student headcounts around 630 once again, 300 full-time students short of the college’s goal, Gerlach said.

For a small, private college like Lincoln, without a big endowment or other resources, a 30 percent decline in students tolls the death knell. Its budget is built on student tuition and fees. Lincoln discounts its tuition by 50 percent on average, meaning that the average student pays only half of the $19,300 sticker price and the rest is covered by institutional and federal financial aid. The discount rate has increased by about 3 percentage points in recent years, Gerlach said, resulting in less income per student for the college.

At this point, a transformational gift is the only thing that could keep the college’s doors open.

“If somebody called and offered me $100 million, I would do all I can, because this is a really special place,” Gerlach said. But every day since the college announced its imminent closure last month, it’s become harder to stop the institution from winding down.
