Education sector sees decrease in cyberattacks, increase in ransomware payments

A new report from the British cybersecurity company Sophos finds that cyberattacks in the education sector decreased in 2023; however, they remain higher than the average across industries. Sophos surveyed 5,000 IT/cybersecurity leaders across 14 countries, 600 of whom were from the education sector.

The survey found that the percentage of K-12 institutions that experienced cyberattacks decreased from 80 percent in 2022 to 63 percent in 2023; K-12 thereby relinquished the top spot, which now belongs to attacks on governmental agencies, followed closely by healthcare and by energy, oil/gas and utilities. The percentage of higher education institutions attacked also decreased, from 79 percent in 2023 to 66 percent in 2024.

On average, 52 percent of computers in lower education and 50 percent in higher education are impacted by a ransomware attack, slightly above the cross-sector average of 49 percent.

Root causes

Ninety-nine percent of K-12 respondents that experienced a cyberattack were able to identify the root cause of the attack. The most common were an exploited vulnerability (44 percent), malicious email (26 percent), compromised credentials (20 percent), phishing (8 percent), brute force attack (1 percent) and download (1 percent).

The report recognizes that exploited vulnerabilities are the No. 1 root cause globally and “education organizations are particularly exposed to the risks of unpatched vulnerabilities.” Also of note is the growth of bad actors infiltrating systems through malicious email, which increased by 7 percent from 2022 to 2023.

Ninety-five percent of educational organizations reported that cybercriminals attempted to disable their backup systems during an attack; in 71 percent of those cases the attempt succeeded. When backups are compromised the consequences are more severe: ransom demands were, on average, more than five times those made to organizations whose backups were not compromised; organizations with compromised backups were more than three times more likely to pay the ransom to recover encrypted data; and overall recovery costs were five times higher.

Data theft and ransom

In K-12, 22 percent of ransomware attacks where data was encrypted (85 percent of attacks in 2023) resulted in data theft, a decrease of 5 percent from 2022. “Across sectors, the education sector is least likely to report data theft in an attack,” according to the report.

Of those that experienced a cyberattack, 98 percent of K-12 institutions that had data encrypted got their data back. “Of them, 62 percent in lower education paid the ransom to get encrypted data back, while 75 percent restored encrypted data using backups,” states the report.

“Of the 154 lower education organizations that had their data encrypted and were able to share the attackers’ initial ransom demand, the average ask was $3.9M (median) and $5.9M (mean). Fifty-eight percent of ransom demands made to lower education organizations are for $1 million or more, with approximately half of the demands (44 percent) for $5M or more. These huge demands are not exclusive to the education sector, with all named sectors reporting median ransom demands of $1 million or higher. Central/federal government reported the highest median ($7.7M) and mean ($9.9M) demands,” according to the report.

Only 13 percent of K-12 local educational agencies paid the original amount requested for ransom; 32 percent paid less and 55 percent paid more than the original request.

“In the lower education sector, the victim organization made almost half (49 percent) of the transactions. Insurance providers transferred the funds for 43 percent of ransom payments, either directly (30 percent) or through their appointed incident response specialist (13 percent). Six percent were executed by the victim’s legal firm. Only 14 percent of transfers were made by incident response specialists, whether appointed by the insurance provider (13 percent) or another party, typically the victim (1 percent),” according to the report.

Excluding ransom paid, K-12 organizations reported an average cost of $3.76 million to recover from a ransomware attack, more than double the $1.59 million reported in the 2022 survey.

Recommendations

“Ransomware remains a major threat to education organizations of all sizes around the globe. While the attack rate in education has dropped in the last year, two-thirds of education organizations are hit by ransomware attacks, which is a cause for concern,” wrote the report’s author. “Furthermore, the cost of recovering from an attack has more than tripled in the education sector in the last year. As adversaries continue to iterate and evolve their attacks, it’s essential that defenders and their cyber defenses keep pace.”

With more than 40 percent of cyberattacks on the education sector starting with the exploitation of an existing vulnerability, the report recommends deploying “risk-based prioritization of patching.” It also recommends using multifactor authentication to limit credential abuse, as well as ongoing training for employees who use electronic systems. The report further recommends having an incident response plan that is well rehearsed by key players, including practice in restoring data from backups, so that recovery is fast and fluent should an attack occur.

Read the full report: The State of Ransomware in Education 2024