Officials from the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) announced earlier this month that a number of state agencies, including colleges and universities, had been victimized by Chinese hacking campaigns. From CNN:
The revelation shows how difficult it can be to keep state-backed hackers from accessing US networks — even when US officials are sounding the alarm about a potential threat. And it’s a reminder that as many analysts are watching for Russian cyber threats during the Ukraine war, other foreign governments aren’t letting up in targeting US networks.
The looming threats from China and Russia are likely to increase against the United States as the impact of economic sanctions tied to the invasion of Ukraine is more deeply felt in the coming weeks. Higher education, which has long been an industry of choice for bad actors engaged in hacking and network intrusion, may face steep challenges and costs in bracing for increased attacks.
Costs of Protection
Insurance is a growing method of intrusion recovery for some institutions, but it comes with a heavier price for the industry at large. From Ed Scoop:
Additionally, the education sector not only tended to get attacked more often, but also experienced the highest ransomware recovery costs compared to all other sectors surveyed. On average, it cost education institutions $2.73 million to remediate the impact of a ransomware attack, including the cost of downtime, data recovery, device and network repairs, security updates, lost opportunity as well as ransom payments. That was 48% higher than the global average across all sectors.
While hiring IT and cybersecurity personnel or contractors could be counted among the costs, there is also the challenge of determining who makes the final decisions on tech infrastructure strategy or insurance coverage. From Ed Tech:
Insurance is all about risk transfer: A breach may or may not happen, but if it does, it will be expensive, so you’ll pay an insurance company to take that risk off your shoulders. This means that it’s the CFO who is responsible for buying insurance of all types. Insurance doesn’t solve any problem other than a financial one, so the CFO is the person most interested in reducing the risk to the institution.
However, CIOs and their teams are the ones with the expertise and knowledge in this area. The CIO and CISO will be able to read policies and understand the specific terms of art used in a way that the CFO can’t. The security team will be able to understand what is and isn’t excluded and put it into context for the CFO. That’s a critical step, because if the important risks are not covered properly, then the insurance isn’t meeting the goals of the institution or the CFO.
Students are typically the most vulnerable stakeholder group on campus regarding network protection. That vulnerability is even more of a threat to students’ college choice and retention efforts. From Inside Higher Ed:
Attackers can steal sensitive information, block access to essential systems and demand payment before they return access. They have also been known to threaten to publish stolen sensitive information if institutions do not meet their demands.