Chair of Thompson Coburn's Cybersecurity group, Jim Shreve, was interviewed by University Business in a series of articles on ransomware attacks, cybersecurity and the impacts on higher education.
Jim has helped advise institutions on their potential risks from cyberattacks and has worked with clients on privacy matters and incident response for over 20 years. The articles highlight how having proper firm representation during an incident can be an enormous help in a crisis moment, when leaders may not be thinking as clearly about demands or the loss of data.
The first article, “Held for Ransom: Why colleges must be proactive to prevent cyberattacks,” explains how institutions are huge targets for hackers because of their openness and what they possess. Since the beginning of the COVID-19 pandemic, cyberattacks on colleges have been on the rise, and colleges are valued as targets by hackers worldwide. That’s not necessarily because of the extreme payouts they might receive, but because of the breadth of information institutions possess in their portfolios.
The second article, “Ransomware risk: 6 steps colleges can take to help prevent cyberattacks,” is a conversation with Jim on the prevalence of ransomware, responses that can make a difference and proactive measures institutions can take to protect data:
Tell us about the clients you serve; who they are across higher education.
It varies greatly from very large research institutions to smaller specialty schools, nursing schools, some that are traditional brick and mortar and some that are exclusively online. The challenges and risks vary among those institutions. One of the things that makes it hard in working with the Department of Education is finding something that works for a nursing school of 50 students, as well as a university that has 70,000 students.
How prevalent is ransomware in higher education?
Ransomware is enormous, and it’s continuing to get bigger. Higher education is maybe not the most prevalent target, but certainly among the more prevalent ones. I would say that because you can view higher education institutions as being a bit of one-stop shopping. If you’re a hacker, you may find financial information, healthcare information, valuable IP and other data there. Higher education has an infrastructure with a lot of users that are often distributed and with different access rights.
What are the hackers looking for?
The most common kind of hacker is simply looking to make money. They get into ransomware because it’s profitable. If you steal a large amount of personal information and then you want to repackage it, sell it on dark websites, it may take you quite a while to get paid. Ransomware allows you to do something and be paid potentially within hours or days. There is also potentially a high reward for sensitive IP, including a lot of research work. In those attacks, you can get nation-state attackers that are much more sophisticated and much harder to detect and repel. If you have a nation-state attacking you, they can bring a lot of resources to bear, more than a small criminal organization.
What is different about the cyberattacks on higher education compared with other entities?
Higher education is not so different from other industries, but we’ve seen an evolution of ransomware attacks. A few years ago, most ransomware attacks would exploit a known vulnerability, try it on a lot of different entities and demand a ransom amount that was pretty low. They would bank on the fact that the target might say, ‘Maybe we could recover from backups, but it’ll be just cheaper and easier to pay to get the decryption key.’ Now, the attacks are much more targeted. They know more about who they’re attacking and are demanding larger ransom amounts. Whereas before, where we were looking at a few thousand dollars, now it’s very common to see ransom amounts that are over a million dollars.
What are the potential outcomes if colleges and universities decide not to comply with demands?
There are risks if you pay and risks if you don’t. If you do not pay, there may be a business interruption. You may not be able to get back the systems or the data that was encrypted as part of the ransom demand. You may lose some functionality or be down for a while. One of the best ways to defend against ransomware attacks is to have really good backups for your systems and have those backups not be vulnerable. If you can restore from those backups, you don’t need to pay the ransom for the most part. But the hackers recognize that. So oftentimes they’re taking data as well. Before launching the encryption, they’ll take data off the system to use it as further leverage. They’re saying, we have this data. We will release it or sell it on the dark web unless you pay. Another potential risk in paying is that if you facilitate payments to a known terrorist or organized crime organization, you can be brought up on criminal charges. If you do pay the ransom, you also can hurt your relationship with law enforcement, particularly in a situation where you didn’t really need to pay.
What are some of those strategies that institutions can utilize to be proactive in trying to prevent ransomware attacks?
Why is protecting against ransomware so important?
This is an area where you want to be proactive. You want to be known as somebody who takes this seriously. Part of your image as an institution is you want to make that brand strong.