Institution leaders and their technology departments still strive to comply with data security laws such as the Gramm-Leach-Bliley Act. A new report on ransomware and how it is affecting higher education suggests that battle may need to be intensified.
According to a July 2022 Sophos report that surveyed 5,600 IT professionals spanning 31 countries, ransomware attacks are on the rise. How much? The prior year report stated that 37% of those surveyed were affected by a ransomware attack in 2020. In 2021, that rate jumped to 66%. The latest report finds that 64% of those surveyed in higher education experienced a ransomware attack at some point in the prior year.
While being attacked does not always end in tragedy, as not all events result in successful encryption, higher education has the highest data encryption success rate of any other industry at 74%. The question institution leadership should ask themselves is “Why?” The answer is painfully simple: lack of preparation. This preparation should address layered defensive controls, frequent penetration testing and ransomware assessments to identify weaknesses, and strong security policies to enforce these and many other security requirements.
Every industry report related to breach data indicates higher volumes of cyberattacks over the past 12 to 18 months. This alone should drive security topics to the boardroom table, but more frightening may be what is not taking place after a ransom is paid. Once a ransom is paid, IT leaders and management would reasonably assume that 100% of the data will be returned and usable, but the reality is far from that. While 98% of those surveyed in higher education did get some data back, it was far short of 100%. Currently, the percentage of data restored in higher education after paying a ransom is 61%. Only 2% of those who paid the ransom in education got all their data back. This should put more pressure on the controls, policies, and procedures around sound backup practices.
Now that the ransom has been paid, leaders will begin to see the real financial impact. Of those affected in higher education, 97% confirmed the attack affected their operations at varying degrees, up to and including permanent school closures. As it relates to real costs, many things must be factored in. These factors include the ransom itself, contract assistance for recovery, forensics, legal consultation, breach notification requirements, credit monitoring services, and many other aspects. But probably the most damaging is the impact on the institution’s reputation.
As for the overall cost of a ransomware attack, the 2022 IBM Security Cost of a Data Breach Report shows the average ransomware-based data breach costs just over $4.5 million. Much of this cost can be attributed to the time it takes to recover. According to Sophos data, institutions of higher learning were shown to be the slowest to recover, with nearly half of those affected taking a month to recover, while 9% of those affected took three to six months. This data shows the importance of incident response plans and well-trained incident response teams. These plans are vital playbooks that should be managed by a trained incident response team completing frequent response testing through tabletop and other exercises.
A good incident response plan will likely address at what point the cybersecurity insurance company should be called on for assistance. According to the Sophos report, cyber insurance almost always pays out some costs. The total amount of that payout is where the concern would be. Per the report, those suffering ransomware attacks in higher education receive only about 36% of the ransom but may receive 87% of the cleanup costs. This varies greatly based on other industry reports, level of controls in place, and many other factors. Management should work closely with cybersecurity insurance companies to validate coverage, as well as take advantage of the help insurance companies can offer.
The bottom line is that an organization’s data should be evaluated and protected based on the risk of that data as it relates to the day-to-day success of the organization’s mission. Many times, the data that has been encrypted and stolen may have little to no value on the dark web but may be vital to an institution’s existence. That leaves us with the rule all leaders need to remember: “It is not the value of the data to a hacker, it is the value of the data to you.”
If you need more information or help in evaluating your institution’s readiness to address a ransomware attack, reach out to a professional at FORVIS or submit the Contact Us form below.