Latest cyber impact report underlines ransomware as a huge threat, but financial cost of attacks is still unclear
Cyber security is never ‘done’. It’s a continuous process of checking and scanning, patching and updating, upskilling and investing.
To do it well, technical managers need the support of vice chancellors, principals and their board members, who ought to have oversight and take responsibility for cyber security as a strategic priority.
To help education and research sector leaders understand their strategic responsibilities around data protection, risk management and cyber security leadership, Jisc published a cyber impact report in November 2020 (pdf).
For April 2022, the report has been revised (pdf) and updated to include anonymised case studies of more recent incidents that underline the increased threat of ransomware attacks.
Ransomware
Since Jisc's first cyber impact report, the main development has been the sustained increase in ransomware attacks: 15 further education (FE) and higher education (HE) organisations were impacted by ransomware in 2020, a further 18 in 2021, and at least three so far in 2022. More than 100 UK schools have also been affected.
Ransomware attacks have evolved with more threat actors applying ‘double extortion’ methods, demanding a ransom to provide a decryption key and threatening to make sensitive data public if the ransom isn’t paid. There have also been instances where attackers have sought out backups in order to hamper recovery and apply further pressure.
Given the unprecedented number of ransomware attacks in the past two years, it's no surprise that Jisc's 2021 cyber security posture survey (pdf) shows ransomware and malware as the top threat for HE and FE, with phishing and social engineering at number two.
Ransomware became such a serious problem that the National Cyber Security Centre (NCSC) twice updated its September 2020 warning to our sector - in March and June 2021 - and issued a joint international warning about ransomware to all organisations in February 2022.
Impact of the pandemic
In the first version of the report, we noted that Covid-19 was challenging all aspects of the education ecosystem as providers migrated en masse to remote working.
Personal data and information are now increasingly held on devices outside campuses. Protecting that information, wherever it exists, has extended existing security challenges and inadvertently led to some major security incidents.
For example, insecure configuration of the remote desktop protocol (RDP) has allowed ransomware attackers to access victims’ devices. This underlines the importance of putting in place basic security controls such as insisting upon strong, unique passwords, limiting the number of log-in attempts and implementing multifactor authentication (MFA).
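As an added illustration of the "limit the number of log-in attempts" control (this is example code, not from the Jisc report or any Jisc tool), the script below scans constructed remote-desktop authentication log lines and flags any source address that accumulates a configurable number of failed logons inside a sliding time window. The log format, the sample lines, the TEST-NET addresses and the threshold of 5 failures in 10 minutes are all assumptions made for the example; in practice the same logic would be fed from Windows Security event 4625 or from an RDP gateway's logs, and a hit would feed an alert or a lockout.

```python
"""Flag repeated failed remote-desktop logons per source address.

Added example (not part of the Jisc report): a small detector for the
password-guessing pattern that login-attempt limits and MFA are meant to
blunt. The log line format and all sample data below are constructed for
this example; a real deployment would parse Windows event 4625 or RDP
gateway logs instead.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, source address, user, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log. 203.0.113.5 hammers several accounts within a
# minute; 198.51.100.7 is one mistyped password followed by success;
# 192.0.2.9 fails slowly (every 7 minutes) and should not trip a
# 5-in-10-minutes rule. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2022-03-01T08:00:01Z src=203.0.113.5 user=admin result=FAIL
2022-03-01T08:00:04Z src=203.0.113.5 user=administrator result=FAIL
2022-03-01T08:00:09Z src=198.51.100.7 user=jsmith result=FAIL
2022-03-01T08:00:12Z src=203.0.113.5 user=admin result=FAIL
2022-03-01T08:00:20Z src=198.51.100.7 user=jsmith result=OK
2022-03-01T08:00:31Z src=203.0.113.5 user=jsmith result=FAIL
2022-03-01T08:00:45Z src=203.0.113.5 user=root result=FAIL
2022-03-01T08:01:02Z src=203.0.113.5 user=admin result=FAIL
2022-03-01T08:05:00Z src=192.0.2.9 user=staff1 result=FAIL
2022-03-01T08:12:00Z src=192.0.2.9 user=staff1 result=FAIL
2022-03-01T08:19:00Z src=192.0.2.9 user=staff1 result=FAIL
2022-03-01T08:26:00Z src=192.0.2.9 user=staff1 result=FAIL
2022-03-01T08:33:00Z src=192.0.2.9 user=staff1 result=FAIL
this line is malformed and is skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "failed": m["result"] == "FAIL",
    }


def flag_sources(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {src: (failures_in_window, sorted_users)} for every source
    that reaches `threshold` failed logons within any sliding `window`.

    The recorded count is the largest window count seen for that source.
    """
    events = [ev for ev in (parse_line(l) for l in lines) if ev and ev["failed"]]
    events.sort(key=lambda ev: ev["ts"])          # tolerate out-of-order lines

    recent = defaultdict(deque)                   # src -> (ts, user) within window
    flagged = {}
    for ev in events:
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:  # drop failures older than window
            q.popleft()
        if len(q) >= threshold:
            users = sorted({u for _, u in q})
            prev = flagged.get(ev["src"])
            if prev is None or len(q) > prev[0]:
                flagged[ev["src"]] = (len(q), users)
    return flagged


if __name__ == "__main__":
    for src, (count, users) in flag_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {count} failed logons in window, accounts tried: {', '.join(users)}")
```

Running the script flags only 203.0.113.5; the slow guesser at 192.0.2.9 stays under the window threshold, which is why a sliding window alone is not a substitute for MFA and unique passwords, only a complement to them.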
A sharp rise in the number of institutions with MFA in place was also recorded in the 2021 posture survey. While this is good news, the speedy roll-out of MFA and other security projects brought forward because of remote working has put security and IT staff under pressure.
In the report, one FE provider said:
“We are doing our best, but all areas of IT support seem to be growing and requiring more attention, and it’s one part of a larger role (where its importance should be far greater). The pandemic has only stretched us further.”
Through the 2021 posture survey, we know the sector in general is becoming more prepared for cyber attacks, but the picture is not uniform and some organisations are more at risk than others.
Of the 5,000 to 6,000 security incidents affecting the sector annually, examples in the updated report highlight the breadth of breaches and the subsequent disruption to IT and institutional projects and to teaching, learning and research, not to mention the financial and human impact.
Financial cost
It appears many institutions are not systematically tracking and therefore do not fully understand all costs associated with a cyber security incident. Our cyber impact checklist (included in the impact report) is designed to help with those records.
The 2021 IBM and Ponemon Institute Cost of a Data Breach Report puts the average cost of an education sector data breach at $3.79m (a very slight decrease from the 2020 figure of $3.9m). Healthcare continues to have the highest global industry average of $9.23m.
From the experience of Jisc’s computer security and incident response team (CSIRT) in helping HE and FE providers recover from ransomware incidents, we are aware of impact costs exceeding £2m.
These huge numbers may seem unrealistic, but as this report shows, there are many ways an incident can affect an institution, not all of which are recorded.
New cyber attack case studies in the report include:
- Ransomware attacks: In March 2022, one FES (further education and skills) provider and two universities were impacted by separate ransomware attacks. Each incident caused significant impact to parts of the organisations as systems were taken down to prevent further spread of the malware and to safely recover and restore data. In one case, third-party data recovery services were required.
- Data breach: An FE provider suffered a data breach early in 2022 because of a cyber attack. College systems were accessed and data stolen, but because of the security controls in place, the attack was quickly recognised. However, to mitigate further data exfiltration, access to systems was restricted, which caused disruption for staff and students for a number of days while the incident was investigated and remediated.
Prevention is better than cure
The updated report (pdf) also shows that, for some organisations, meaningful investment in cyber security can be leveraged only after some form of breach or incident – underlining our plea for all senior leaders to engage with cyber security. It’s also worth pointing out that prevention is always better than – and cheaper than – a cure.
To help leaders, we have included fresh guidance in the updated report, including this document - 16 questions you need to ask to assess your cyber security posture, designed for senior leaders.
About the author
I have oversight and responsibility for policy and governance related to information security, data and advice and guidance concerning wider regulatory issues that are relevant for Jisc, the Janet network and our members.