Why ransomware is such a risk to the education sector

Colleges and other education establishments need to prepare for a wave of ransomware attacks this summer, says Henry Hughes

Henry Hughes

During the pandemic, ransomware has become a huge worldwide problem, crippling national infrastructure, such as the Irish health service and a US oil pipeline, and causing mass disruption for all sectors, including education.

The situation is serious enough to warrant the creation of a global task force, including the UK’s National Cyber Security Centre (NCSC) – one of the security agencies we have worked closely with to help deal with an unprecedented spike of ransomware attacks on tertiary providers.

The spike in ransomware activity against our sector started during August 2020 – and the timing wasn’t a coincidence. These attacks caused maximum disruption during the critical period around exam results, clearing and student enrolment.

For the first time, cyber attacks were able to disrupt these important processes – and we are braced for similar activity during August and September this year.

The impact of cyber attacks on colleges

The number of attacks on colleges and universities during the first six months of 2021 has already exceeded the total recorded for the whole of 2020. Eleven of those hit this year have featured in the media, requiring considerable resources to manage external communications on top of the enormous internal communications effort to staff and students.

The aggregated impact has been devastating. Entire organisations have been taken offline for weeks, their systems and services crippled, their data irrecoverable.

In some cases, however, the damage has been contained and campuses have been able to continue to operate, albeit at a reduced level of service.

Recovery is challenging, time-consuming and expensive. What’s required is an often lengthy rebuild of the digital estate, which could easily stretch over many months or more and consume several million pounds.  

Our conservative financial estimate is an average of £2 million of direct impact costs per education organisation, but the full cost is likely to be a lot more. Redcar and Cleveland Council's recent ransomware attack, for example, reportedly cost £10.4 million.  

The human cost

Let’s not forget that, while cyber attacks are a technical problem, there is significant human impact, too. IT and security teams have already been under sustained pressure for more than a year because of the enforced shift to remote working, with all the associated security challenges.

And the ripples spread across campus to communications staff and finance teams, to teachers and students who’ve lost classroom resources and vital coursework, and, ultimately, executive leaders who must shoulder the responsibility.

One college principal describes his experience of an attack as "brutal". He talks frankly about how emotional it was having to tell his staff that all their files had been lost, the students’ work, too.

A strategic solution

At Jisc, we have been working hard to galvanise members to improve their defences, with a series of ransomware briefings to technical teams, senior leaders and finance directors, and through cooperation with the NCSC, which has issued three ransomware alerts for the sector in the past year.

Any college or university that needs help to implement technical advice only has to ask – and time is of the essence because it’s a case of when, not if.

Jisc has also been collating and sharing intelligence, so that the sector can continually learn and adapt. To that end, Jisc has instigated a global threat intelligence partnership for the education sector and is planning to launch a UK version very soon.

Partner organisations, such as Ucisa, have also helped to disseminate threat information and we would also encourage affected institutions to continue to share key facts with peers via the NCSC’s cyber-security information sharing platform (CiSP).

Meanwhile, we continue to support impacted members in dealing with the immediate and long-term aftermath of attacks and we are also investing to upgrade our defensive capability for the UK education and research sector.

Ultimately, though, individual colleges and universities are responsible for the security of their digital estate. The best way to do this is through a security strategy that’s embedded across the whole organisation.

Buy-in from senior leaders is key. It’s particularly frustrating to hear from some members that investment for cyber security is more likely only after an attack. Our report on the impact of cyber attacks might help with those conversations.

Cyber security in all sectors will need sustained and focused investment to allow the UK’s digital economy to operate effectively without fear of attacks causing disruption.

Henry Hughes is security director at Jisc.
