Higher ed's sprawling systems mean cybersecurity doesn't come easy — or cheap. But smart strategies and thinking through risk can go a long way.

By Liz Farmer | Nov. 29, 2021

This story was originally published in Higher Ed Dive

Months into the COVID-19 pandemic, hackers had taken control of data belonging to a University of California San Francisco research team testing a possible coronavirus vaccine. They were demanding $3 million in exchange for returning control of the data.

A university negotiator sent them a plea.

"The sense is that it's not looking good," the anonymous negotiator wrote, according to a chat transcript first reported by Bloomberg. "The more I ask around, the more I hear that all departments are hurting for money. I ask you to keep an open mind."

The highly publicized ransomware attack in June 2020 was claimed by Netwalker, a group with a history of targeting healthcare entities. UCSF, like many colleges and universities at the time, was dealing with budget cuts of up to 10% to offset revenue losses related to suspending in-person operations. But the hackers weren't buying the plea of poverty from a university system that collects billions in annual revenue.

"You need to take us seriously," a Netwalker representative warned. "If we'll release on our blog student records/data, I'm 100% sure you will lose more than our price what we ask."

Major research institutions, especially those with ties to hospitals, carry incredibly sensitive data and are increasingly becoming targets for ransomware attacks. UCSF ultimately paid $1.1 million to regain control of its hijacked servers — likely a fraction of the amount it would have spent recovering the data otherwise.

"The FBI always advises against paying the ransom," said Adam Hardi, a higher education senior analyst at Moody's Investors Service. "But we have seen a fair number doing it anyway because it is more economically feasible to spend $1 million than potentially $10 million to retrieve the data."

Cyberattacks on colleges and universities have been increasing over the years, but the pandemic ushered in a new era of urgency. The attacks pose not just financial risks but also operational risk, as was the case when the University of Massachusetts Lowell canceled classes for nearly a week in June after a security breach. Some institutions, like Wichita State University, have been sued over cybersecurity incidents.

"It is more economically feasible to spend $1 million than potentially $10 million to retrieve the data."

Adam Hardi

Higher education senior analyst at Moody's Investors Service

Now, as higher education institutions adjust to the new normal of hybrid learning and remote work, many are also making improvements to data security. But competition — whether with the private sector for talent or with other university departments for funding — is creating major headwinds that some fear will always keep higher education institutions one step behind.

"I'm a glass-half-empty kind of person. That's the nature of being in security," said Helen Patton, a former chief information security officer, or CISO, for Ohio State University. "But I'm very worried about it."

Spending trails the pace of change

Even before the pandemic, U.S. colleges and universities were under enormous financial pressure in the face of declining enrollment, criticism over the high cost of education and constrained state funding. Resources were becoming increasingly focused on revenue generators like academics and research over investment in staff and technological infrastructure.

Cybersecurity doesn't generate revenue, and cybersecurity improvements that money can buy are typically invisible — so spending on it often takes a back seat. In fact, the education sector ranked the lowest-performing of all industries on implementing cybersecurity measures to protect data in a 2018 report from SecurityScorecard.

"You have to think about risk and how much you're willing to spend to mitigate it."

Vicki Tambellini

Tambellini Group CEO and founder

Cybercriminals have noticed. During the first quarter of 2021, the education sector accounted for nearly 10% of globally reported cyberattacks, compared with 7.5% during the first quarter of 2020, according to data compiled by the cyberattack tracker Hackmageddon. Ransomware continues to be a favorite tactic. At least 26 ransomware attacks involved colleges and universities in 2020, according to an analysis by Emsisoft. In March 2021, the FBI issued a warning to education institutions about a rise in ransomware.

Part of the problem is that the shift to remote learning and remote work opened up thousands of access points via laptops, tablets and smartphones on networks not controlled by universities. That makes it harder to protect against a mistake. Moreover, the pivot further decentralized higher education's data management environment, in which individual departments already retained much control.

Federal relief legislation provided billions of dollars in aid for colleges and universities, but it often wasn't directed toward security. Much of it has so far gone toward student aid, revenue replacement and technology to enable remote operations.