Ransom attack threat for schools as new trust networks grow

Educational establishments, especially higher education, face considerable complexity when it comes to IT infrastructure. Multiple locations, dozens of suppliers, partners, thousands of staff, tens of thousands of students make security a huge challenge for their IT teams.

But it’s not just the large universities that face the big challenges. There’s an increasing push for schools to join multi-academy trusts, which could make them a prime target for ransomware attacks this year, with the whole education sector remaining vulnerable.

‘Hyper-networks’ at risk

That’s my concern. Why? In terms of schools, those joining these often newly-extended ‘hyper-networks’ are becoming more connected, increasing the attack surface and making them significantly more vulnerable.

Ransomware will always go where the maximum reward and minimum risk are. Attackers will target organisations that have the lowest defences, or the least resources to defend against or recover from an attack, as they’re most likely to pay a ransom.

So, educational organisations need to have the resilience or capabilities to protect against attacks. Otherwise, they may have no choice but to re-allocate their stretched budgets to pay ransom demands which, in turn, will affect their teaching.

It appears that the drive towards multi-academy trusts could accelerate soon, with the national schools commissioner recently saying: “every school ideally should be part of a multi-academy trust in due course.” So, it’s one to keep an eye on.

Is the whole education sector vulnerable?

Education is already the sector most likely to be targeted by a malware, cryptojacking or encrypted attack, according to SonicWall’s 2022 Cyber Threat Report.

The National Cyber Security Centre (NCSC) launched an investigation in 2021 after an “increased number of ransomware attacks” against UK schools, colleges and universities.

And I believe the education sector may be hit hard again this year. It would fit part of a trend I’m expecting towards smaller scale attacks, for lower amounts of money, but which target a much broader base.

There are many mid-size organisations, like some education providers, who have less to invest in protection, limited technical skills, and find cyber insurance expensive. This unfortunate mix makes them easy targets.

Treating local network like dark web

Over the years we’ve come across exceptional people in education and health, dedicated to their organisations, who can clearly see the vulnerabilities and issues of genuinely huge networks with the ethos of unfettered access and minimal policing of policies.  This is the environment that drives both learning and innovation.  

The principles of Zero Trust are in play here: effectively, the local network must be treated as if it were directly plugged into the dark web. Each system should protect itself. And in particular, IT teams need to protect the privileged accounts they need to administer services.

The non-student laptop estate needs to have the kind of endpoint management that allows freedom of software installation and development, but without the standing local administrator rights that are oxygen to ransomware.

What about higher education?

Universities can be hard to protect, compared to some organisations, and are susceptible to attack. That’s because they try to balance openness and a culture of sharing information with security. Back-office systems have often evolved over decades.

A member of the Russell Group of universities came to us for support last year over concerns with its Active Directory (AD) infrastructure. Too many users with the Domain Admin role (the ideal target for attackers), coupled with poor controls over admin credentials, had created risk. In fact, before it had managed to get a solution in place, the university was attacked. This “woke up” management to the dangers, according to its cyber security manager, who told us: “Looking back, we should have just enforced PAM in the first place.”

What else might trouble education providers?

A likely problem for all organisations, including the education sector, is the rising cost of cyber insurance. And, on top of that, increasingly heavy requirements from insurers will make it harder to obtain a policy.

How can Osirium help?

We already support numerous higher education providers and other organisations in the sector with our Privileged Access Security solutions. Want to find out more? Contact us here.

Further reading:

Reading University Case Study

Leading Uni Case Study

How Privileged Access Security Addresses Cyber Insurance Requirements
