What schools must do to tackle ransomware crisis

Cyber criminals are increasingly using ransomware to attack the education sector. The trend is most noticeable in the US, with criminals locking up school’s systems and demanding a payment to release the data, but attackers have turned their attention to schools across the globe throughout the past year.

You might think that schools are a strange target. With the average ransom payment being more than £120,000 last year, schools don’t have the funds to pay up even if they wanted to.

That’s not something we should bemoan. Refusing to negotiate with attackers is ultimately a good thing, because experts warn that criminals will use the funds for further attacks.

More to the point, there is increasing evidence that attackers leak stolen data whether victims pay or not, which means there’s little point in submitting to their demands.

Despite this, there are enough schools making the wrong choices to justify continued attacks.

Consider that the education sector was the third-worst hit by data breaches in 2020, with ransomware being the leading cause.

Those incidents accounted for more than 884 million leaked records worldwide, with Newcastle University, Northumbria University and Leeds City College among the victims.

The education administrator Blackbaud was another notable casualty, with the damage to its systems compromising more than a dozen universities in the UK, as well as countless other organisations across the globe.

More recently, a multi-academy trust in Nottinghamshire was hit by a ‘sophisticated’ cyber attack that led to all systems in their 15 schools being taken offline as staff worked to control the attack.

Why schools are being targeted

Although cyber criminals have found success attacking schools, you may be thinking they would be better off targeting private-sector organisations that are more likely to have the resources to meet their ransom demand.

But that would be to misunderstand the way attackers operate. In most cases, they aren’t targeting specific organisations but looking for vulnerabilities that may appear in myriad places.

With hacking tools available for only a few pounds, cyber criminals can afford to launch automated attacks against hundreds or even thousands of organisations, knowing that it only takes one or two to pay up for them to make a profit.

Schools are therefore an attractive target only in as much as they are more likely to have network vulnerabilities that can be exploited.

In most cases, the ransom demand is a dead end, because schools simply don’t have that kind of money. All isn’t lost for the attacker, though, as they can sell the stolen information on the dark web.

But in some cases – particularly when ongoing disruption leads to severe logistical issues – educational institutions decide that it would cost less to pay off the attackers than it would to endure the recovery process.

However, as the past year has demonstrated, this has created a vicious cycle in which other schools feel justified in avoiding expert advice and giving in to attackers’ demands.

A similar thing occurred in the US local government sector in 2019. Over a few months, 22 city and state authorities were struck by ransomware, resulting in more than $1 million in losses.

The US Conference of Mayors was eventually forced to intervene, with the group signing a resolution not to pay ransoms to criminal hackers. This has proven effective, with attacks falling sharply in the months since.

Schools could soon be forced to take similar action, although that must be accompanied by addressing the root cause of the problem – which is that education providers neglect basic cyber security defences.

How can schools protect themselves from ransomware?

One of the most cost-effective ways for schools and colleges to protect themselves from ransomware is by certifying to Cyber Essentials.

The UK government-backed scheme outlines the basic steps that organisations can take to secure their systems.

Its five controls, when implemented correctly, prevent 80% of common cyber attacks and protect you from ransomware specifically.

Schools and other education providers that receive ESFA (Education and Skills Funding Agency) support are required to achieve Cyber Essentials certification – but if you don’t fall into that category, you can still certify for as little as £500.

Doing so raises awareness of cyber security in your organisation, and helps demonstrate to pupils, parents and authorities that you take the threat of cyber attacks and ransomware seriously.

The five controls of Cyber Essentials

  1. Firewalls

Firewalls are designed to prevent unauthorised access to or from private networks, but good setup of these devices either in hardware or software is essential for them to be fully effective.

  1. Secure configuration

Web server and application server configurations play a crucial role in cyber security. Failure to properly configure your servers can lead to a wide variety of security problems.

  1. User access control

User accounts, particularly those with special access privileges, should be assigned only to authorised individuals, managed effectively, and provide the minimum level of access to applications, computers and networks.

  1. Malware protection

Organisations must implement systems that protect you from malware and detect when an infection has occurred.

This will protect you from a range of attacks, including ransomware, spyware and other viruses, which can compromise your data and users’ privacy.

  1. Patch management

Criminal hackers take advantage of known vulnerabilities in operating systems and third-party applications if they are not properly patched or updated.

Updating software and operating systems will help to fix these known weaknesses. It is crucial to do this as quickly as possible to close any opportunities that could be used to gain access.

Download our cyber security guide for schools

You can find out more about how to secure your organisation by reading Cyber Security 101 – A guide for schools.

This free green paper provides an overview of the threat landscape and explains what schools can do to bolster their security defences.

You’ll learn why things such as risk assessments, staff training and access controls are essential, and discover the first steps towards bolstering your security defences.