This is a red-alert crisis for all of us: students, faculty, staff and institutions as a whole. The rising extortion of money from government and business entities should put all of us on guard. Colleges and universities are all the more vulnerable in these uncertain fiscal times. Too often, this is further compounded by a natural inclination to cover up incidents to protect public confidence and institutional reputation.
The crisis is not just one for the IT department. It is one that must be met by every student, faculty member, staff member, college and department. We must be vigilant to any potential intrusions and instantly inform our experts -- day or night, weekday or weekend. And we must implement backup systems, prepare for contingencies and create serious restoration plans.
Ransomware, in which a ransom is demanded to recover stolen digital data, has been around for decades. One of the first documented cases came at the World Health Organization’s 1989 international AIDS conference. Biologist Joseph L. Popp sent out 20,000 diskettes to attendees: “But after 90 reboots, the Trojan hid directories and encrypted the names of the files on the customer’s computer. To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama.” With the advent of the World Wide Web in 1992, cybercriminals took the stage by deploying an array of malware that included ever-increasing instances of ransomware. Instances of ransomware attacks are on the steep increase, especially with the emerging new target of remote employees who may have computer and network vulnerabilities in their homes.
Over all, damage, prevention, detection and other costs related to cyberattacks are predicted to reach $6 trillion this year -- fully double the costs of just half a dozen years ago. Attacks against universities were up 100 percent in 2020 over 2019, with an average ransom demand of nearly $450,000. In fact, attacks have been so prevalent this year that the FBI issued an advisory that cyberextortionists were using type of malware called PYSA to not only demand a ransom to restore data, but also threatening to publish stolen data on the dark web. "The FBI does not encourage paying ransoms," the advisory said. "Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities."
So, what are we to do to respond? First and foremost, universities need to step up their game to protect data and individuals. Most universities have taken steps in this direction, but this is not a once-and-done task. Constant monitoring of attacks around the world as well as on campus must lead to daily updates and improvements in security. Some universities have created cabinet-level administrative positions and entire units dedicated to ensuring cybersecurity.
It is important that we all support efforts to enhance security and that we all be responsive to our IT departments. If they are rolling out extra security for email, for example, multifactor authentication, make sure you comply as quickly as possible. Be first in line to sign up for protections and migrate your data to designated secure spots.
Educause has released a Ransomware Higher Ed Playbook, sponsored by Rapid7. It is worth your time to read.
We can go the extra step to maintain good personal data hygiene. Delete files that are no longer needed. Don’t let your data hang around when and where they are not essential. Create your own personal data backup system. Brian Posey posted an article in 2019 on four best practices to protect personal data:
- Keep an off-line backup
- Use immutable storage
- Tap anti-malware apps
- Up the frequency
For many of us, our homes are still our offices. That means that institutional digital hygiene extends to your home computer, your home network and all of those in your household who use it. McKinsey provides this advice to businesses that is equally applicable to higher ed institutions: “They will also need to anticipate the next normal -- how their workforce, customers, supply chain, channel partners, and sector peers will work together -- so that they may appropriately engage and embed security by design. The new context of changing customer and employee behavior and a constantly shifting threat landscape must also be considered.”
We must be vigilant. The consequences are towering. What you do on your personal computer that is occasionally used for work is consequential. What the other members of your household do on that computer impacts the security of your university. Vulnerabilities in your home Wi-Fi network become university vulnerabilities.
Urge your colleagues and students to follow university guidelines and scrupulously follow safe practices. Ideally, dedicate a single computer only to work use. Use a VPN. Think twice about saving and storing anything online.
Are you vocally supporting your IT and digital security offices? They can use all the support you can give in gaining full compliance with safe digital practices. The security of your students and your institution depends upon you.