Education sees the highest ransomware recovery cost compared to other sectors

John Shier is a senior security advisor at Sophos with more than two decades of cybersecurity experience. He is passionate about protecting consumers and organizations from advanced threats and has researched everything from costly ransomware to illicit dark web activity, uncovering insights needed to strengthen proactive cybersecurity defenses.

Since the beginning of 2020, the education sector as a whole rushed to support remote learning and IT modernization initiatives to meet student needs. However, these rapid shifts piled workloads onto IT teams, who sometimes favored convenience and speed over security. Threat actors turned their attention to these weaknesses, and as a result the sector witnessed the highest level of ransomware attacks than any other industry in 2020, based on our latest research.

John Shier, Senior Security Advisor, Sophos

Among respondents we surveyed in the education sector, 44% reported getting attacked by ransomware last year, compared to the global average of respondents across all sectors, at 37%. 

Additionally, the education sector not only tended to get attacked more often, but also experienced the highest ransomware recovery costs compared to all other sectors surveyed. On average, it cost education institutions $2.73 million to remediate the impact of a ransomware attack, including the cost of downtime, data recovery, device and network repairs, security updates, lost opportunity as well as ransom payments. That was 48% higher than the global average across all sectors. 

The findings, detailed in a new report, The State of Ransomware in Education 2021, are based on a survey of 499 IT decision makers in more than 30 countries in the education sector. Though responses vary by country, they are indicative of the challenges still facing the education sector. 

Education institutions lack resources

Malicious actors look for easy targets and education institutions often struggle to find enough skilled workers to defend their growing IT needs. For K-12 schools particularly, a lack of adequate funding additionally limits their ability to properly defend themselves against threats. 

But the mounting disruption and cost of ransomware attacks should make it clear why education leaders need to prioritize strategies to prevent future attacks and work with security partners who can help them address these challenges.

In the past, organizations were much more reliant on software and programmatic ways of defending their businesses. Those strategies were largely driven by the fact that cybercriminals were also using programmatic ways of attacking organizations. 

However, the ransomware attacks we are seeing today — especially with respect to how criminal groups operate — use a blend of human tactics and automated technology elements. And increasingly, threat actors play the volume game where they throw a lot at organizations’ defenses until something sticks. Organizations need to factor those elements more strategically into their defenses. 

The good news is, we see education IT leaders shifting their focus to embrace more modern defense strategies. However, gaps remain that continue to leave schools and institutions prey to ransomware exploits, including: 

• Using security products that aren’t up to the task of defending against modern exploits. 
• Remaining reliant on older systems that no longer have vendor support.
• Using outdated policies and methods of deploying technology, operating under the model that everything inside the network is good and everything outside the network is bad.
• A challenging environment that seeks to balance the needs of the users with those of the security team 

Protection, not just prevention

From a priority standpoint, it is important that leadership understand the degree to which security plays a direct role in protecting the continuity of operations. 

Surprisingly, the survey found that 15% of people in the education sector still don’t expect to be a target for ransomware. However, the evidence suggests that every organization needs to assume it will get hit by a ransomware attack. 

When we look at how cyber criminals are getting into organizations, they are often leveraging user credentials that have been taken from another breach and re-used to gain access within a targeted organization.

Even if organizations try to acquire the latest technology, if they fail to correct foundational security mistakes, their operations will continue to be at risk. That includes things like: 

• Ensuring routine patching of known vulnerabilities
• Implementing multi-factor authentication
• Improving identity management
• Integrating an endpoint security management solution
• Maintaining and testing data backup systems
• Creating, updating and testing disaster recovery plans

Leaders need to focus on reducing risk and preventing threats, followed by products and services that augment and enhance protection. This includes technology designed to help their IT teams make contextual decisions across all the different pieces of technology they have in their environment and tools that allow them to respond quickly and decisively. 

Finding a focus for security improvements

Making those strategic decisions starts with understanding where your organization can make the greatest improvements in fortifying its security posture.

For example, turning on multi-factor authentication — while it may pose a short-term pain point with users —will reduce long-term risks and the costs of remediating attacks.  Implementing zero trust and secure access service edge (SASE) security models can help organizations protect against human and automated threats, with better protection at the endpoint and security that is wrapped around a user, as opposed to the organization.

At the end of the day, it takes layers of protections, with multiple capabilities that can respond to a variety of threats. Part of those protections requires combining human elements with artificial intelligence-enabled technologies to help IT teams see what is critical for them to look at.

But increasingly, it requires specialized skills and know-how. Working with dedicated partners, like Sophos, that also provide added analytical and response capabilities in the form of managed threat response services. It also helps organizations build more cohesive security and protection defenses as threat actors continue to evolve their tactics.  

Read more from the survey “The State of Ransomware in Education 2021” to learn about ransomware threats facing the education sector today.