Latest estimates for 2019 showed that security firms had discovered ransomware in at least 1,039 schools throughout the United States by the end of 2019. Surely some attacks went undiscovered and unreported, so the actual number is higher.
It’s not hard to determine why schools are heavily targeted as they typically have a wealth of valuable personal information on staff and students, yet due to limited budgets are under-protected. Very few have adequate detection and response in place prior to an incident, and their services are public-facing so they often feel they have no choice but to come up with the ransom to bring systems back on line.
This approach is far worse than many of the schools realize. Paying the ransom does not always mean you get your data fully restored. If you pay their ransom, you have confirmed your data is valuable enough for a payout. These hackers may wait a bit and hit your school again for another payout. Even if you successfully restore your data or get your data unencrypted by paying the ransom, you have to also assume your data was breached unless you can forensically prove with certainty it was not viewed or copied for sale on the Dark Web.
What can schools do to prevent being crippled by these types of attacks?
- Train staff. Not just once a year, online training makes it feasible to have staff go through short monthly drills to keep the threats top of mind.
- Test staff and systems. Send phishing emails to your own staff to see how many click the links and/or provide credentials. Make sure they understand what could have happened if that was an actual phish and get them refresher training. Praise the ones who don’t fall for it and stress how important they are to protecting the data. Test controls at least quarterly to scan for known vulnerabilities that can be exploited and try to patch them within 30 days, keep firewalls updated, and run penetration tests not only on external IPs to see if a hacker can get past your protection, but also on internal systems to see what they could access if they did get in.
- Implement web filtering where feasible. There are known malicious sites that can be blocked to prevent staff or students from clicking links that load malware.
- Implement detection on the most critical systems. For example, the servers that store the sensitive data, the firewalls that protect the edge, and the endpoint solution on the workstations as most infections start there. Make sure your detection includes 24/7 monitoring and stays tuned to prevent alert fatigue.
- Be ready to respond. What if an incident is detected? Do you have immediate access to an attorney that is well-versed in cyber law and can advise you on next steps? Do you have a cyber forensic resource to find the source of the problem and contain it, begin remediation to get you back online, and preserve data in case the incident results in legal action? How quickly can you cut a purchase order in a crisis? Do you have adequate cyber insurance?