$3 million. That was the asking price from cyber criminals to provide a decryption key to release the University of California, San Francisco’s data in 2020. The university paid $1.14 million. Since then, the problem has only gotten worse.
According to a survey commissioned at the start of 2022 by Sophos, a global cybersecurity leader, 75% of ransomware attacks on higher education institutions succeed. Recovery from an attack is slow, with 9% of higher ed institutions indicating it took 3 to 6 months; 31% took 1 to 3 months; and 40% took a month. Remediation cost $1.42 million more than in other sectors.
Two-thirds of higher ed institutions that responded to the Sophos survey indicated they had been the target of an attack. Half paid ransoms to get their data back – 61% got some of their encrypted data back; only 2% got all of it back. 97% said the attack impacted their ability to operate and 96% indicated the attack caused a loss of revenue/business. Some were victims multiple times.
Cyber criminals have a higher success rate attacking higher ed than business, financial institutions, and healthcare. As reported in Forbes, the average ransom paid is around $112,000, but the total cost of recovery actually reaches around $2.7 million.
The barrage of successful attacks on higher education institutions has impacted cybersecurity insurance. Insurance companies have raised the bar on what is required to secure coverage. There are fewer insurers offering coverage. The time to secure a policy is longer; policies are more complex; and coverage is more expensive. While insurance provides some peace of mind, higher education still falls behind most other industries in shoring up its defenses.
In May, the FBI issued a warning to higher education institutions. As reported by SecurityWeek.com, there was an increase on the dark web in offers to sell VPN login credentials, usernames and passwords, and more. This put not only higher ed institutions at risk but also the individuals who use their systems, who could find their bank accounts drained or credit cards stolen.
In September, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued another alert targeting education (with a special emphasis on K-12 schools): “The FBI and CISA recommend organizations, particularly the education sector, establish and maintain strong liaison relationships with the FBI Field Office in their region and their regional CISA Cybersecurity Advisor. The location and contact information for FBI Field Offices and CISA Regional Offices can be located at www.fbi.gov/contact-us/field-offices and www.cisa.gov/cisa-regions, respectively. Through these partnerships, the FBI and CISA can assist with identifying vulnerabilities to academia and mitigating potential threat activity. The FBI and CISA further recommend that academic entities review and, if needed, update incident response and communication plans that list actions an organization will take if impacted by a cyber incident.”
While higher education institutions may be competing for students, the war on cybercrime has brought them together in cyberspace. As reported in GovernmentTechnology.com, over 50 higher education institutions have come together “with the goal of creating a forum for educators, experts and IT security advocates to network with and share cybersecurity insights with each other.”
To free up your resources to focus on cybersecurity and other priorities for higher education, why not entrust RBT CPAs to handle all your accounting, audit, and tax requirements? We’re the largest CPA firm serving the Hudson Valley and beyond for over 50 years. We believe we succeed when we help our clients succeed. So, give us a call and let’s see what we can do for you.