This article originally appeared in Campus Security and Life Safety magazine.
It’s clear that ransomware attacks are on the rise, and education provides an attractive landscape for cyber thieves.
According to a recent study tracking ransomware in K-12 and higher ed, ransomware cost US schools and colleges over $6.6B in 2020. An estimated 1.36 million students were impacted, including students and staff at the University of California (ransom paid: $1.14M), the University of Utah (ransom paid: $457,000), and Imperial Valley College (ransom paid: $55,068). The twin threats of downtime (affected institutions suffered an average of 7 days out of commission) and data loss (the Clark County School District revealed over 44,000 student records were affected) have consequences. Our students stand to miss out on millions of instructional hours while also confronting the long-term concerns of personal information in the hands of cybercriminals.
It is, therefore, no surprise that ransomware has risen to the top of the list for most education information security professionals. Defense-in-depth is a time-tested cybersecurity tenet, and, fortunately, ransomware defenders now have a robust new defensive layer in the form of AI-powered data governance tools. By improving content awareness, these tools help educational institutions harden data against loss and better understand the extent of a potential attack.
Today’s most effective ransomware strategies focus on two defensive “layers.” First, reduce the entry points cyber criminals can find into the environment. Monitoring for suspicious activity, checking emails for malware, and training users on good internet hygiene minimize risk by reducing weak entry points. Second, insulate against loss by backing up critical data. The best backup strategies are pervasive, professionally managed, and can quickly bring mission-critical data back online.
Content awareness – knowing what data you have, where it’s located, and how it’s shared – adds a third layer of resiliency against ransomware. With content awareness, you can tighten access, relocate data, and make informed decisions in the heat (or aftermath) of an attack. To better understand how this works, consider how a cyber thief might plan, execute, and monetize an attack.
Cybercriminals need to control an account before they can do any damage. But malicious email campaigns and social engineering efforts don’t always yield high-value victims. Nabbing a “juicy” account requires more than a bit of luck. Sometimes an account has access to a wide array of files and data. Sometimes it doesn’t. The goal of every school is to keep accounts safe, but if an attacker manages entry, imagine how important it would be to minimize what exactly they can access.
Most of today’s campus ransomware mitigation strategies focus on keeping accounts safe, and that’s a great start. But these defenses are only one part of the big picture. All too often, access to sensitive data is far too broad. Least-privileges access frameworks, which bound access to only necessary data, are an effective way to limit exposure in the likely event of a compromise. Least privileges is a damage-limiting strategy – not a prevention or recovery strategy – that augments and adds depth to other strategies focused on keeping malware out or recovering lost data.
With most education organizations holding a daunting number of files with a wide range of private content, it is understandably hard for even skilled campus IT teams to evaluate, understand, and protect data. That means end-users often control who can and can’t see their content. And sometimes, that sensitive university document or the spreadsheet with embedded private student information is shared far more broadly than necessary. Oversharing puts about 12 percent of all critical documents at unnecessary risk of becoming a ransomware target.
Tightening access controls is where new AI-based data access governance solutions can help on campus. They work by scanning a school’s millions of documents using natural language processing algorithms to categorize content and evaluate oversharing. They have proven decisive in helping limit unnecessary access – and the ransomware risks that come with it.
Content awareness also helps when responding to attacks in progress. Ransomware can do substantial damage to data in place, which means compromised data doesn’t have to move to be lost. Therefore, campus network perimeter protections are of limited use when it comes to spotting or stopping in-progress attacks. That introduces a new level of complexity when planning for ransomware. Education security teams need to shift focus from a few perimeter control points to think about how to secure – at the file level – the staggering amount of data located across the corpus of campus data. (It’s worth noting the rise of so-called “hybrid” ransomware attacks, where data is both encrypted in place and exfiltrated. Perimeter defenses can protect against exfiltration, but they can’t stop in-place encryption.)
Ultimately, content awareness is invaluable when an IT team confronts the heat of unwanted encryption in progress or a subsequent ransom demand. Knowing whether to pay to recover private files and data is difficult under any circumstance. But making that decision with a complete understanding of precisely what data is at risk of loss is far better than having to make it not knowing what might be lost. An attacker often doesn’t know if what they have is valuable or not. Having content awareness can give schools the advantage in this scenario.
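An added example, not from the original article or any vendor's product: a minimal content-awareness pass over a constructed file inventory, covering both the oversharing evaluation described earlier and the question of what a compromised account puts at risk. Regex rules stand in for NLP classification, and the scope names, paths, and the account `jdoe` are hypothetical.

```python
import re

# Regex rules stand in for the NLP classifiers the article describes (assumption).
RULES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "student_id": re.compile(r"\bstudent\s+id\b", re.I),
    "grades": re.compile(r"\b(gpa|transcript|grade)\b", re.I),
}
BROAD = {"all-staff", "all-students", "anyone-with-link"}  # hypothetical scopes

# Constructed sample inventory: path, principals with access, extracted text.
INVENTORY = [
    {"path": "/registrar/roster.xlsx", "acl": {"registrar", "all-staff"},
     "text": "Student ID 88123, SSN 123-45-6789"},
    {"path": "/registrar/transcripts.csv", "acl": {"registrar"},
     "text": "Transcript export, GPA by term"},
    {"path": "/athletics/schedule.docx", "acl": {"anyone-with-link"},
     "text": "Fall home game schedule"},
    {"path": "/finance/aid.xlsx", "acl": {"finance", "jdoe"},
     "text": "Aid awards keyed by SSN 987-65-4321"},
]

def classify(text):
    """Return the set of sensitivity labels whose rule matches the text."""
    return {label for label, rx in RULES.items() if rx.search(text)}

def overshared(inventory):
    """Sensitive files whose ACL includes a broad scope (candidates to tighten)."""
    return sorted(f["path"] for f in inventory
                  if classify(f["text"]) and f["acl"] & BROAD)

def tighten(inventory):
    """Copy of the inventory with broad scopes removed from sensitive files."""
    return [{**f, "acl": f["acl"] - BROAD} if classify(f["text"]) else f
            for f in inventory]

def at_risk(inventory, account, groups):
    """Map each sensitive file a compromised account can reach to its labels."""
    principals = {account, "anyone-with-link"} | set(groups)
    return {f["path"]: sorted(classify(f["text"]))
            for f in inventory
            if f["acl"] & principals and classify(f["text"])}

if __name__ == "__main__":
    print("overshared:", overshared(INVENTORY))
    print("at risk now:", at_risk(INVENTORY, "jdoe", ["all-staff"]))
    print("after tightening:", at_risk(tighten(INVENTORY), "jdoe", ["all-staff"]))
```

Comparing the two `at_risk` results shows the damage-limiting effect of least privilege: the same compromised account reaches fewer sensitive files once broad scopes are removed.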
Ransomware is, without a doubt, a key concern for campus IT teams, and content awareness is a powerful defense. By augmenting campus anti-malware, anti-phishing, and backup efforts with least-privileges access control, IT teams can reduce the damage if and when an attack occurs. Content and activity awareness establishes a baseline that informs attack responses and ransom negotiations. Security professionals and IT leaders significantly benefit when they have a clear understanding of what data is at risk.
Modern AI-based technologies autonomously scan all campus IT content – whether structured or unstructured, in the cloud or on-premises – so IT teams can benefit from content awareness without adding staff or complicating user workflows. Content awareness adds depth to schools’ existing defenses against account capture and unwanted encryption, helping organizations prepare for and respond to ransomware attacks. It deserves a place high in K-12 and university IT teams’ anti-ransomware strategies.