CISO Update #56
State of Ransomware in Higher Education
Ransomware continues to be a significant challenge for colleges and universities across the country, according to a new report. Emsisoft, a New Zealand–based anti-virus software company, has published “The State of Ransomware in the US: Report and Statistics 2022,” and the results are in: At least 44 universities or colleges and 45 U.S. school districts were hit by ransomware attacks in 2022. Read the full report here.
So why are educational institutions such a target?
Lack of two-factor authentication (2FA) and lack of phishing awareness continue to be the two main vulnerabilities that make universities fall victim to attacks. In May 2022, the FBI released an advisory that over 36,000 American university usernames and password combinations had been leaked back in 2021. Read the full advisory here. Hackers can easily gain access to this information at a relatively low cost on the dark web, and if these accounts do not have multi-factor authentication or other detection and response capabilities, the impacts can be tremendous for both the employee and the institution—financially and reputationally.
The insurance industry increasingly pressures colleges and universities toward improving their ransomware defenses. Nearly all colleges and universities surveyed upgraded their cybersecurity program to obtain cyber insurance coverage. However, to qualify for coverage, colleges and universities must meet a minimum set of controls, and that bar has been getting higher and more complex every year.
What can you do?
You did it! This month we completed our 2FA campaign for all FIT employee and student Google accounts. We are happy to report that all employee and student accounts have 2FA enforced and have a greater level of credential protection. We thank you for your continued cooperation in these efforts to protect the college from cybercrime.
Next week we will be launching our annual Cybersafe training. Look out for an email from email@example.com asking you to log in and take this self-paced training from KnowBe4. Each year there is fresh training material with malicious tactics to watch out for that will not only keep you protected at work but in your personal life too. This training is referred to in Section V of FIT’s Information Security Policy.