Colleges a ‘Juicy Target’ for Cyberextortion

Below is an excerpt from an Inside Higher Ed article.

A spate of recent cyberattacks on colleges, universities, seminaries and K-12 schools prompted a warning from the FBI’s Cyber Division this week.

The advisory notice, published Tuesday, warned that criminals using malicious software called PYSA ransomware are increasingly targeting education institutions and attempting to extort them.

In a double-pronged extortion tactic that has become increasingly common in recent years, hackers are not only demanding payment to restore access to encrypted information. They are also taking sensitive data and threatening to sell or publish it on the dark web if their demands are not met.

Universities and colleges are particularly vulnerable to cyberextortion, said Gilman Louie, CEO of LookingGlass, a cybersecurity company.

“They’re juicy targets because they have student data, they have research information and they have critical operations that need to operate on a very strict timeline,” Louie said. “They can be exploited on many fronts.”

Colleges can use encryption to make it difficult for hackers to decipher any information they gain access to, said Louie. They can also ensure that access to critical operations such as payrolls and student records is tightly controlled. 

These steps are not fail-safes. Humans make mistakes and encryption techniques can quickly become outdated and easy to crack. But they are useful deterrents, said Louie. 

“It’s like in the old days when people put a club on their steering wheel so people couldn’t steal their car,” said Louie. “Criminals know that all you have to do is cut the steering wheel and pull off the club. But maybe it’s just easier to break into the next car that doesn’t have one.” 

While the threat of well-resourced foreign agencies trying to get their hands on research information and intellectual property is very real, many cyberattacks are carried out by much less sophisticated and less well-financed actors, Louie said.

As colleges face an increasing threat, security experts agree that extra care needs to be taken to button down everything. Multifactor authentication, keeping software updated and training employees to spot phishing attempts are important, but colleges and universities also need more funding to support information sharing on cyberthreats, Louie said.

“We need to do more to support our higher education institutions, because they are prime targets,” Louie said. “The threat is increasing, not decreasing.”

Read the full article at Inside Higher Ed.