The education sector is often cited as one of the most vulnerable to ransomware, but a new report has revealed just how damaging the threat is.
Jisc’s Cyber Impact Report 2022 found that UK educational institutions spend £2 million on average responding to ransomware attacks.
Jisc is a non-profit organisation that provides the UK’s education sector with IT services.
It first published the Cyber Impact Report in 2020 but updated it this year to include analyses and case studies related to the growing risk of ransomware.
Dr John Chapman, the head of strategy and policy at the Janet network, warned that the UK education sector must pay greater attention to the threat of ransomware.
He noted that ransomware is now the sector’s top cyber security risk, with more than 100 schools falling victim since 2020.
This evidence is supported by an Endsleigh Insurance report, which stated that in the past two years, 41% of primary schools and 70% of secondary schools were the victims of cyber attacks.
Dr Chapman believes that the rise in attacks against the education sector stems from COVID-19 and the introduction of remote work practices.
“Personal data and information are now increasingly held on devices outside campuses,” he said. “Protecting that information, wherever it exists, has extended existing security challenges and inadvertently led to some major security incidents.”
He adds: “For example, insecure configuration of the remote desktop protocol (RDP) has allowed ransomware attackers to access victims’ devices.
“This underlines the importance of putting in place basic security controls such as insisting upon strong, unique passwords, limiting the number of log-in attempts and implementing multifactor authentication.”
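The RDP controls Dr Chapman lists are a detection matter as well as a prevention one: a burst of failed remote logons from one address is the signal that lockout limits and MFA are meant to blunt. The following is an added example, not code from Jisc or the report: a Python check over constructed Windows-style security events that flags a source with five or more failed RDP logons (event 4625, logon type 10) inside five minutes, and escalates if the same source then logs on successfully. The line format, addresses and thresholds are assumptions.

```python
"""Flag RDP password-guessing bursts in constructed Windows-style security
events. Assumed line format: ISO timestamp followed by key=value pairs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data): 203.0.113.7 hammers RDP, then succeeds.
SAMPLE_LOG = """\
2022-05-10T08:00:01Z EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2022-05-10T08:00:04Z EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2022-05-10T08:00:09Z EventID=4625 LogonType=10 User=office Src=203.0.113.7
2022-05-10T08:00:15Z EventID=4625 LogonType=10 User=it Src=203.0.113.7
2022-05-10T08:00:20Z EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2022-05-10T08:00:31Z EventID=4624 LogonType=10 User=admin Src=203.0.113.7
2022-05-10T08:02:00Z EventID=4625 LogonType=10 User=jsmith Src=198.51.100.4
2022-05-10T08:05:00Z EventID=4625 LogonType=2 User=jsmith Src=198.51.100.4
"""

def parse(line):
    """Split one assumed-format event line into a dict, with ts as a datetime."""
    ts, *kv = line.split()
    ev = {k: v for k, v in (p.split("=", 1) for p in kv)}
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: kind}: 'burst' when >= threshold RDP failures fall within
    `window`; 'burst_then_success' if that source then logs on over RDP while
    the burst window is still open (the case that warrants immediate triage)."""
    recent = defaultdict(deque)   # src -> timestamps of recent RDP failures
    alerts = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev.get("LogonType") != "10":      # 10 = RemoteInteractive, i.e. RDP
            continue
        src, q = ev["Src"], recent[ev["Src"]]
        while q and ev["ts"] - q[0] > window:   # drop failures older than window
            q.popleft()
        if ev["EventID"] == "4625":              # failed logon
            q.append(ev["ts"])
            if len(q) >= threshold:
                alerts.setdefault(src, "burst")
        elif ev["EventID"] == "4624" and len(q) >= threshold:   # success after burst
            alerts[src] = "burst_then_success"
    return alerts

if __name__ == "__main__":
    for src, kind in detect(SAMPLE_LOG).items():
        print(f"{src}: {kind}")
```

On the sample, only 203.0.113.7 is flagged, and as the escalated kind; the single failure from 198.51.100.4 and the non-RDP (LogonType 2) event are ignored.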
Is the education sector doing enough?
Dr Chapman’s analysis supports the claim that schools and other institutions are neglecting their cyber security responsibilities. Some have enhanced their defences with tools such as multi-factor authentication, but others have done little and remain at risk.
“It appears many institutions are not systematically tracking and therefore do not fully understand all costs associated with a cyber security incident,” Chapman said.
The research shows that recovery from ransomware incidents costs an average of £2 million.
“These huge numbers may seem unrealistic, but as this report shows, there are many ways an incident can affect an institution, not all of which are recorded,” he notes.
This includes, for example, the resources required to address the initial attack and restore systems. A forensic investigation will probably be required, and the organisation must audit its defences to identify ways to bolster them.
Do not pay ransom demands
The education sector is also among the most likely to pay a ransom demand due to the urgency to get systems running again.
However, cyber security experts urge organisations not to negotiate with criminal hackers. This is because there is no guarantee that they will keep their word and restore your systems once they have been paid.
Even if you do get the decryption key, it will take days – if not weeks – to restore your systems, and it doesn’t negate your data breach notification requirements. The information has been compromised even if you get it back, and you must therefore report the incident to your supervisory authority.
To protect against ransomware, organisations would be better off investing in regular backups. By keeping copies of sensitive data off-site, they will be able to restore their systems with clean data without having to negotiate with the attackers.
Protect your schools with GDPR.co.uk
If you’re looking for more advice on how to better protect your organisation’s sensitive data, GDPR.co.uk is here to help.
We provide specific, tailored GDPR (General Data Protection Regulation) compliance support for schools.
With our GDPR for Schools platform, you’ll discover how to perform essential data protection practices, such as data protection impact assessments, staff awareness training and incident reporting.
The GDPR’s compliance requirements give organisations a framework for managing data protection risks, and organisations that meet its rules are in an ideal position to mitigate an array of risks.
Our tool was developed by data protection and cyber security experts with more than 15 years’ data privacy and cyber security experience, and now comes with a free two-week trial.