The cyberattack that crippled Regis University’s systems last year couldn’t have come at a worse time: The attack, which encrypted files and demanded a ransom in exchange for restoring them, occurred in the early-morning hours of freshman move-in day last August.
The university, which is in Denver, paid an undisclosed ransom in order to regain access to the systems, but the recovery process dragged on for months. Students were issued paper schedules for the first day of class, and faculty members had to work around the lack of system access in class.
The university’s technology office “had to recover and rebuild a lot of systems as a result,” said Shari Plantz-Masters, the academic dean of the College of Computer and Information Sciences. “We had to figure out how to get the school year started without our usual tools.”
Signs posted around the campus encouraged people to “enjoy a break from the connected life,” the Denver Post reported.
Colleges, with their rich array of data and sometimes-soft internet security, have increasingly become targets for cyberattackers. But even institutions with comparatively thin resources can take steps to protect themselves. In addition to Regis, a Jesuit institution with just over 10,000 students, Monroe College, in New York, was subjected to a demand for $2 million in Bitcoin in July. Another ransomware attack hit Baton Rouge Community College in December.
Some attacks can land when people click on a suspicious link or give up their own information, but others can stem from weak spots in technology, experts say. Overall, cyberattacks are occurring more often and becoming more costly, reports the Ponemon Institute, a research organization. In the United States, they’ve cost companies $246 per encrypted file, on average.
While all colleges face that growing cybersecurity threat, they have unequal access to the resources needed to keep valuable data secure. Large flagship universities often have more money and staff dedicated to protecting their networks, while smaller institutions, like Regis, can be more vulnerable to attacks.
Troves of Data
Higher education is a lucrative target of cyberattacks because of the huge amount of data colleges collect, said Donald J. Welch, chief information-security officer at Pennsylvania State University.
Welch said most industries have only one type of data on hand, whether it’s logistics, Social Security and financial information, or health records. Colleges, by contrast, have it all. He describes universities as “small cities” with troves of information. On top of abundant student data, colleges might also be protecting intellectual property like research findings.
“We are a good source of that information,” Welch said, “so that’s why attackers will go after universities.”
Hackers tend to be a step ahead when it comes to data and cybersecurity, said Ken Goldstein, a cybersecurity expert and clinical instructor at the University of Hartford. They have the time and resources to exploit technology and find a way to view sensitive information.
The best way for colleges to protect themselves, Goldstein said, is to invest resources in information technology. The combination of colleges insufficiently focused on cybersecurity, the wealth of data available on their campuses, and the ability of hackers to profit from that information is “a perfect storm,” he said.
While a large university might be able to employ staff members dedicated to information security, that’s not the case at smaller colleges. Information-technology employees at smaller institutions must be generalists with a wider focus, Welch said.
“They have to be strategic with regard to their limited resources,” Goldstein said of small colleges.
Broad Responsibility
Regis has chosen to embrace the cyberattack rather than shy away from it. In January the university held a cybersecurity summit to examine the incident.
Plantz-Masters, the academic dean, said education is key to assuring cybersecurity, noting that many attacks start with a single user who made a mistake and opened a university’s vulnerability. She said everyone should be up to date and informed about cybersecurity.
“In the past, cybersecurity was the responsibility in the conversation of the IT organization,” Plantz-Masters said. “Now it’s part of the business conversation.”
Despite limited resources, colleges ultimately have to invest in cybersecurity and keep their software current to protect their students, faculty, and staff, said Regis’s vice president and chief financial officer, Salvador D. Aceves.
The cyberattack changed how many people at Regis look at both security and software. The university, which has a robust cybersecurity program, has taken steps to make sure a similar attack doesn’t happen again, though it declined to go into detail.
Those changes can be something as simple as making sure all the vital data aren’t stored in one place. A college can also expand cybersecurity training outside of computing programs. It’s not difficult to identify areas where security could improve, Plantz-Masters said. The challenge is getting people to accept that security is their responsibility, too.
The ransomware attack pushed cybersecurity to the forefront of everyone’s mind at Regis, but other colleges haven’t had that wake-up call. Plantz-Masters said many institutions are unaware of looming cyberthreats.
“A lot of organizations who have not suffered don’t understand the importance of prioritizing the investments in cybersecurity,” she said, “and they don’t necessarily all understand how that investment needs to be broader than just your technical team.”
Aceves said cyberattacks and similar threats challenge higher education’s ethos of collaboration and learning. He said the threats and attacks mean colleges must exert more control over what their faculty and staff members are sharing.
Investment and training in cybersecurity, he said, could help to preserve academic freedom. “Academic institutions fundamentally have been successful because they are places of inquiry,” he said, “but we also have to do it under this umbrella of training, awareness, and a certain degree of skepticism and caution.”
Institutions should encourage faculty and staff members to be vigilant, said Aceves, while making sure not to “paralyze them or suspend that academic curiosity.”