High-profile ransomware attacks are dominating the news. From healthcare organizations to critical infrastructure, no sector is immune to cyberattacks seeking a huge payout with malicious ransomware.
This is especially true in higher education, which is the second most common target for ransomware attacks and security breaches. In 2020, 1,681 schools, colleges, and universities reported security incidents, and in 2021, 58 percent of educational institutions that had been hit by a cyberattack said the bad actors were successful in encrypting their data.
Why are educational institutions so vulnerable? Part of the issue is institutions often have the financial resources to pay high ransoms. They also don’t want to lose vast amounts of research data – or the personal information of their student and employee populations, which could damage their reputation and affect future recruitment. The result is schools are more willing to quickly pay high ransoms just to get back online.
The growth in remote learning has also provided a great opportunity for bad actors. Legacy VPN and firewalls increase attack surface with seemingly endless entry points to the network and a constant stream of new code vulnerabilities. Add the ever-widening variety of user personas in higher ed – students, researchers, administrators, etc. – that need varying levels of access, and institutions’ legacy security can’t keep up.
Schools do not remain unscathed by just paying the perpetrators. Ransomware can also result in an extinction event for higher education. Lincoln College, founded in 1865, had weathered numerous crises over the course of its history including a campus fire in 1912, the Great Depression, and the 2008 global financial crisis. When a ransomware attack in December 2021 disabled access to institutional data, fundraising and admissions, it took four months for services to finally be restored. Unfortunately, this was too late, and the college was forced to shutter its doors.
The Danger of Lateral Movement
Higher education networks are especially attractive to attackers because the data center is the center of gravity – “the hub” containing all apps and services, and users connect to the hub/network from “spokes” like virtual private networks. Their underlying security architectures assume east-west traffic behind the security perimeter is trustworthy. Once attackers breach the network firewall, they are free to move around laterally, compromising additional systems without being visible to technology teams.
A network where the primary line of defense is a perimeter firewall is an open invitation for savvy cyber attackers. In a ransomware attack, the breach often starts with a single compromise – a clicked link from a phishing email, a vulnerability in a trusted cloud-based app that compromises files, or leaked credentials – think old user IDs and passwords – that are stolen or bought from the dark web.
Once that compromise occurs, malware is released inside the network perimeter, and with no barriers to stop lateral movement, it can enumerate the network and infrastructure at will – and fast.
That lateral movement is what maximizes the cyberattack devastation. Once the malware breaches the firewall perimeter, it compromises additional systems and steals information. The domain controller, or identity infrastructure, allows the threat actor to gain access to nearly all internal network systems. Reconnaissance is then performed to identify sensitive data to steal, locate backup systems to prevent file recovery, and search through finance and human resources systems to identify important documents. Then, ransomware is deployed across the organization, encrypting as many files as possible. The malware leaves behind a ransom note notifying the victim how to contact the threat actor to negotiate and pay a ransom.
The price tag for slow security modernization can be significant. The University of California shelled out $1.14 million to ransomware attackers to take back control of COVID research data. The University of Utah paid $457,000 to stop cyber attackers from leaking the data they had stolen.
And the actual ransom isn’t the only cost. Cyberattacks lead to downtime, loss of productivity, and other operational expenses, making the true cost of a breach much higher.
Stop Threats with Zero Trust
The best way to contain a threat is to never let it on the network. To accomplish this goal, the federal government and private sector organizations are turning to a zero trust architecture, which restricts access and minimizes the attack surface, thus reducing exposure to threats. It also prevents lateral movement in case of a breach.
In a zero trust architecture, no network segment is assumed trustworthy. Instead, all connections must be authenticated regardless of where or how they originate. Furthermore, granular authorization ensures access is limited to a specific resource (such as an app or a database). If the user attempts to access another resource, authentication and authorization are evaluated again.
When properly implemented, a zero trust architecture empowers administrators with simplified, granular access and an improved user experience with no steep learning curve. Simply, access is Identity-centric connecting authorized users to sanctioned applications.
Zero trust is not simply about a single technology like identity management or network segmentation; it’s a foundation for a security ecosystem. The heart of this ecosystem is the zero trust technology platform. Using a platform-based approach, users can get to any application or data they need (and are permitted to access) without ever getting on “the network”.
To guard against modern security threats including malware, hackers, criminal or state-sponsored organizations, and ransomware, higher education institutions should focus on consolidating to a unified security platform, choosing one that is expressly designed for zero trust security and high performance. Under one unified platform, institutions can operate under any conditions, at any scale, anywhere in the world, regardless of user device or location – all while guarding against costly cyberattacks.
Bryan is a distinguished cybersecurity leader with 24 years of experience securing critical national infrastructure and Fortune 100 enterprises. With a foundation in network engineering and architecture, Bryan has depth and breadth proficiency across all cybersecurity domains combined with the business acumen to translate security risk into business outcomes for executive audiences.
Prior to joining Zscaler, Bryan was a Business Information Security Officer (BISO) at Salesforce. In this capacity, Bryan led the global IT Security program in partnership with the CISO and CIO. Bryan developed the Enterprise cybersecurity vision, led strategic planning, and execution of the portfolio. As a subject matter expert, Bryan consulted on Security Risk Management processes, provided guidance on Security policy and standards, while driving the adoption of core security services.
- Using real-world tools to prepare students for the workforce - April 18, 2024
- 8 top trends in higher education to watch in 2024 - April 16, 2024
- Defining a path to equitable AI in higher education - April 12, 2024