Ransomware Attacks a Growing Risk for K-12 Schools, Colleges, and Universities
One of the biggest stories of the summer for both K-12 schools and colleges and universities was ransomware. Unlike the weather, there is no sign that such risks will cool off any time soon. What can your institution do to prevent and prepare to respond to a ransomware attack?
Ransomware is a type of malicious software, or “malware,” through which cyber criminals take remote control of computer systems and threaten to destroy, share, or retain information and data unless the owner of the system pays a ransom. As the Federal Trade Commission explains, attackers can carry out a ransomware attack in a number of different ways, including through phishing emails, exploitation of server vulnerabilities, infected websites that download malware onto a system, or online ads—even on trusted websites. In addition to the steps the FTC suggests all businesses take, including having a plan for surviving a ransomware attack, backing up data, keeping security up to date, and alerting and training staff, there are a number of steps schools can take to protect against and limit the impact of such attacks.
Schools can be easy targets for ransomware attacks. By their nature, schools usually have large computing systems that must be open to large numbers and wide ranges of people, leaving many potential routes of entry for malicious actors. Those systems also tend to contain a significant amount of data regarding those people, making them an enticing target. Schools also often have less market incentive to have state-of-the-art IT teams and other technology protections than commercial companies and governmental entities. Couple that with the relative sophistication of cyber criminals who engage in these types of attacks, and it makes sense why schools are at greater risk.
As with most security threats, an ounce of prevention is worth a pound of cure. What steps should schools be taking now?
- Back It Up. Although perhaps the most obvious, the most important suggestion from the FTC list above is having information backed up. Even if you can pay the ransom after an attack, there is no guarantee that you will regain full access to your data. And with sufficient backups, the ransom may never even need to be paid.
- Find Your Weaknesses. Security audits are nearly essential for schools today. Contractors provide audits for schools, but even an informal audit by your technology team is a better approach than doing nothing.
- Prepare for the Worst. Schools should consider coming up with a plan for how to respond if there is a ransomware attack, and even conducting drills with key administrators to ensure they can act quickly if an attack occurs. Many commentators liken ransomware attacks to natural disasters, and so schools should prepare for them like they would a tornado. Cyber-insurance is also key to ensuring that you can get back up and running if you have a ransomware attack.
- Train the Brain. Most ransomware attacks occur when an employee opens a phishing email, allowing malware access to the school’s entire system. Schools need effective training to create a culture of prevention carried out by every individual who could be a weak link.
Although nothing can guarantee prevention of ransomware attacks, taking reasonable steps to protect against them can help avoid complaints that a school’s lax security contributed to an attack.
What if, despite all your efforts, your institution is still the target of a ransomware attack? Ransomware attacks are data breaches, and so schools must be ready to quickly comply with legal requirements for responding to such a breach. Our recent alert on preparing for and responding to data breaches is a must-read summary of relevant responsibilities.