Chair of Thompson Coburn's Cybersecurity group, Jim Shreve, was interviewed by University Business in a series of articles on ransomware attacks, cybersecurity and the impacts on higher education.
Jim has advised institutions on their exposure to cyberattacks and has worked with clients on privacy matters and incident response for over 20 years. The articles highlight how having proper firm representation during an incident can be an enormous help in a crisis moment, when leaders may not be thinking as clearly about ransom demands or the loss of data.
The first article, “Held for Ransom: Why colleges must be proactive to prevent cyberattacks,” explains how institutions are huge targets for hackers because of their openness and the data they hold. Since the beginning of the COVID-19 pandemic, cyberattacks on colleges have been on the rise, and colleges have become valued targets for hackers worldwide. That's not necessarily because of the extreme payouts they might receive, but because of the breadth of information institutions possess in their portfolios.
The second article, “Ransomware risk: 6 steps colleges can take to help prevent cyberattacks,” is a conversation with Jim on the prevalence of ransomware, responses that can make a difference and proactive measures institutions can take to protect data:
Tell us about the clients you serve; who they are across higher education.
It varies greatly from very large research institutions to smaller specialty schools, nursing schools, some that are traditional brick and mortar and some that are exclusively online. The challenges and risks vary among those institutions. That's one of the things that makes working with the Department of Education hard: finding something that works for a nursing school of 50 students, as well as a university that has 70,000 students.
How prevalent is ransomware in higher education?
Ransomware is enormous, and it's continuing to get bigger. Higher education is maybe not the most prevalent target, but certainly among the more prevalent ones. I would say that because you can view higher education institutions as being a bit of one-stop shopping. If you're a hacker, you may find financial information, healthcare information, valuable IP and other data there. Higher education has an infrastructure with a lot of users that are often distributed and with different access rights.
What are the hackers looking for?
The most common kind of hacker is simply looking to make money. They get into ransomware because it's profitable. If you steal a large amount of personal information and then you want to repackage it, sell it on dark websites, it may take you quite a while to get paid. Ransomware allows you to do something and be paid potentially within hours or days. There is also potentially a high reward for sensitive IP, including a lot of research work. In those attacks, you can get nation-state attackers that are much more sophisticated and much harder to detect and repel. If you have a nation-state attacking you, they can bring a lot of resources to bear, more than a small criminal organization.
What is different about the cyberattacks on higher education compared with other entities?
Higher education is not so different from other industries, but we've seen an evolution of ransomware attacks. A few years ago, most ransomware attacks would exploit a known vulnerability, try it on a lot of different entities and demand a ransom amount that was pretty low. They would bank on the fact that the target might say, ‘Maybe we could recover from backups, but it'll be just cheaper and easier to pay to get the decryption key.’ Now, the attacks are much more targeted. They know more about who they're attacking and are demanding larger ransom amounts. Whereas before, we were looking at a few thousand dollars, now it's very common to see ransom amounts that are over a million dollars.
What are the potential outcomes if colleges and universities decide not to comply with demands?
There are risks if you pay and risks if you don't. If you do not pay, there may be a business interruption. You may not be able to get back the systems or the data that was encrypted as part of the ransom demand. You may lose some functionality or be down for a while. One of the best ways to defend against ransomware attacks is to have really good backups for your systems and have those backups not be vulnerable. If you can restore from those backups, you don't need to pay the ransom for the most part. But the hackers recognize that. So oftentimes they're taking data as well. Before launching the encryption, they'll take data off the system to use it as further leverage. They're saying, we have this data. We will release it or sell it on the dark web unless you pay. Another potential risk in paying is that if you facilitate payments to a known terrorist or organized crime organization, you can be brought up on criminal charges. If you do pay the ransom, you also can hurt your relationship with law enforcement, particularly in a situation where you didn't really need to pay.
What are some of those strategies that institutions can utilize to be proactive in trying to prevent ransomware attacks?
- Tabletop exercises of incidents. A tabletop is a practice cyber security incident, whether it's on ransomware or hacking or another type of attack. The exercise is helpful to test your systems and your people. It is being done by the information security people regularly, but it oftentimes doesn't involve some of the senior executives that need to make the important decisions. You can point out news items, and say, What if something like that happened here? How do you deal with it? That will provide invaluable knowledge about your systems, your preparation, and then you can adapt it.
- Cybersecurity insurance. But it's important to know what is covered and what is not covered in policies. Pepper your insurer or broker with questions: ‘If this kind of thing happened here and we had to pay the ransom, is the ransom amount covered, or are we covered for business interruption? Are we covered for any number of outside people we need to bring in to address this?’
- Good backups. They are key to recovering from ransomware attacks. That more than anything lessens your need to pay the ransom.
- Greater use of encryption. If you encrypt the data that's sitting on your system and the hackers can't access it, it's not valuable for them to steal. They can't extort from you as easily.
- Consider limiting access rights. Do users have access only to what they need? Does everyone with administrator privileges really need them?
- Improving user authentication, as in multifactor authentication, and where possible using longer passwords (or passphrases) or passwords that are hard to crack.
Why is protecting against ransomware so important?
This is an area where you want to be proactive. You want to be known as somebody who takes this seriously. Part of your image as an institution is that you want to make that brand strong.