How schools are fighting ransomware cyberattacks
Targets may have too few ways to protect themselves
Schools aren’t exactly known for their expansive budgets. Many struggle to pay for basic operations.
But this past year, cybercriminals have attacked a growing number of schools across California and the country. A handful of California schools, colleges and universities have experienced ransomware attacks, often with harsh consequences: Sierra College had some systems shut down during finals week, Newhall School District’s 10 elementary schools went a week without online school during the pandemic, and UC San Francisco paid a $1.14 million ransom.
The average ransom paid by midsize organizations across the world in 2021 is about $170,000, according to a survey by London-based software company Sophos. Still, cybercriminals try to make their ransoms affordable. UC Berkeley cybersecurity researcher Nick Merrill said he thinks would-be thieves will charge as much as schools are willing to pay.
Ransomware attacks are increasing against schools not only in California but across the country, according to several experts. How schools respond and what security measures they have in place are evolving rapidly.
When cybercriminals first breach a school’s systems, they sometimes try to find financial documents and insurance policies to figure out how much schools can afford to pay, according to Kevin McDonald, chief information security officer at Alvaka Networks, an Irvine-based cybersecurity company.
U.S. schools pay the ransom
fairly often, too, according to three experts.
It’s unclear how many school districts in California carry cyber insurance. Cyber insurance is so new, in fact, that Mary Nicely, a senior policy adviser at the California Department of Education, said she wasn’t sure how schools would decide whether cyber insurance is necessary.
Cyber insurance is “not widespread” for schools in California, according to Troy Flint, chief information officer for the California School Boards Association, who said cyberattacks are still “relatively rare.”
“Cyber insurance is just sort of a new realm and it would be a leap into the unknown for districts,” he said “With budgets being tight traditionally in school districts, is that an expenditure that you want to make when most districts are not able to provide all the programs and services they want to give their kids?”
Cyber insurance isn’t simple, either. There are several different types — ranging from cybersecurity to cyberterrorism insurance — and each policy affords different coverage.
Robert Fitzgerald, founder of Boston consulting firm Arcas Risk Management, said schools should make sure they understand what kind of cyber insurance they’re buying, and to not use insurance as an excuse to neglect other prevention.
“We cringe, literally cringe, when we hear, ‘Oh, we’re covered,’ ” he said. “More times than not, they’re not covered.”
National security expert Javed Ali, who teaches a class on cybersecurity at the University of Michigan, said cybersecurity isn’t part of the national consciousness yet, but will be once more schools suffer from cyberattacks.
No one knows for sure how many cyberattacks have been carried out against schools in California or the country.
While federal and state reporting laws require schools and universities to report certain crimes, like hate crimes or sex offenses, they don’t require reporting most cybercrimes, including ransomware attacks.
Administrators — unless they’re plugged into cybersecurity circles — can have trouble finding resources on the topic.
Administrators and experts have consistently called lack of funding and staff a major obstacle to better cybersecurity.
Some experts have also called out a communication breakdown in guidance to educators.
Colleges and universities tend to be better staffed and have more resources for cybersecurity than K-12 school districts.
The California State University system, for instance, has a cybersecurity team of half a dozen employees with at least one cybersecurity expert per university, according to Ed Hudson, the system’s chief information security officer.
Almost everyone in the Cal State system is required to have multifactor authentication, considered one of the best measures to stop cyberattacks. The security team also runs cyberattack drills a couple of times each year to see how well their backups work.
Similarly, the California Community Colleges system has over half a dozen employees dedicated to cybersecurity with at least one cybersecurity employee per college, according to Rafael Chavez, public information officer for the system.
These measures still haven’t prevented ransomware attacks, which experts say are almost impossible to protect against entirely.
In May, Sierra College was hit with a ransomware attack, taking several systems offline during their finals week.
In March, cyberattackers struck the University of California. The university repeatedly declined to comment on its cybersecurity resources.
Certain websites, like porn and gambling sites, are known to be frequently infected with malware, but colleges and universities don’t want to filter those sites from their Wi-Fi networks, given how popular they are with students.
“It’s really a fight against the idea that it should be the wild, wild West, and you could do whatever you want and there’s no ramifications for that,” McDonald
said. “It’s just not true. You can’t run a system like that and not expect something to go wrong at some point.”