Months into the COVID-19 pandemic, hackers had taken control of data belonging to a University of California San Francisco research team testing a possible coronavirus vaccine. They were demanding $3 million in exchange for returning control of the data.
A university negotiator sent them a plea.
"The sense is that it's not looking good," the anonymous negotiator wrote, according to a chat transcript first reported by Bloomberg. "The more I ask around, the more I hear that all departments are hurting for money. I ask you to keep an open mind."
The highly publicized ransomware attack in June 2020 was claimed by Netwalker, a group with a history of targeting healthcare entities. UCSF, like many colleges and universities at the time, was dealing with budget cuts of up to 10% to offset revenue losses related to suspending in-person operations. But the hackers weren't buying the plea of poverty from a university system that collects billions in annual revenue.
"You need to take us seriously," a Netwalker representative warned. "If we'll release on our blog student records/data, I'm 100% sure you will lose more than our price what we ask."
Major research institutions, especially those with ties to hospitals, carry incredibly sensitive data and are increasingly becoming targets for ransomware attacks. UCSF ultimately paid $1.1 million to regain control of its hijacked servers — likely a fraction of the amount it would have spent recovering the data otherwise.
"The FBI always advises against paying the ransom," said Adam Hardi, a higher education senior analyst at Moody's Investors Service. "But we have seen a fair number doing it anyway because it is more economically feasible to spend $1 million than potentially $10 million to retrieve the data."
Cyberattacks on colleges and universities have been increasing over the years, but the pandemic ushered in a new era of urgency. The attacks pose not just financial risks but also operational risk, as was the case when the University of Massachusetts Lowell canceled classes for nearly a week in June after a security breach. Some institutions, like Wichita State University, have been sued over cybersecurity incidents.
Now, as higher education institutions adjust to the new normal of hybrid learning and remote work, many are also making improvements to data security. But competition — whether with the private sector for talent or with other university departments for funding — is creating major headwinds that some fear will always keep higher education institutions one step behind.
"I'm a glass-half-empty kind of person. That's the nature of being in security," said Helen Patton, a former chief information security officer, or CISO, for Ohio State University. "But I'm very worried about it."
Spending trails the pace of change
Even before the pandemic, U.S. colleges and universities were under enormous financial pressure in the face of declining enrollment, criticism over the high cost of education and constrained state funding. Resources were becoming increasingly focused on revenue generators like academics and research over investment in staff and technological infrastructure.
Cybersecurity doesn't generate revenue, and cybersecurity improvements that money can buy are typically invisible — so spending on it often takes a back seat. In fact, the education sector ranked the lowest-performing of all industries on implementing cybersecurity measures to protect data in a 2018 report from SecurityScorecard.
Cybercriminals have noticed. During the first quarter of 2021, the education sector accounted for nearly 10% of globally reported cyberattacks, compared with 7.5% during the first quarter of 2020, according to data compiled by the cyberattack tracker Hackmageddon. Ransomware continues to be a favorite tactic. At least 26 ransomware attacks involved colleges and universities in 2020, according to an analysis by Emsisoft. In March 2021, the FBI issued a warning to education institutions about a rise in ransomware.
Part of the problem is that the shift to remote learning and remote work opened up thousands of access points via laptops, tablets and smartphones on networks not controlled by universities. That makes it harder to protect against a mistake. Moreover, the pivot further decentralized higher education's data management environment, in which individual departments already retained much control.
Federal relief legislation provided billions of dollars in aid for colleges and universities, but it often wasn't directed toward security. Much of it has so far gone toward student aid, revenue replacement and technology to enable remote operations.
One area of investment has received a lot of attention, however. The last two years saw a rapid acceleration in higher ed institutions adopting cloud-based systems, which has the effect of centralizing data management and giving IT departments more control over system security. The cost of moving to the cloud ranges from about $5 million for a small college over the first five years of investment to as much as $100 million for a large research university over the same time period.
Last year, nine out of 10 institutions investing in new finance and human resources systems opted for the cloud instead of updating their aging on-premise legacy systems, according to a report by the Tambellini Group, a research and advisory firm. A recent survey by Moody's found 30% of U.S. higher education institutions were using cloud technology in 2021, compared with only 2% in 2020. Much of that increase has been driven by public universities affiliated with healthcare systems.
Washington State University, for example, migrated 100 data management systems to the cloud in just six months. The key to swift adoption was to make it easy for staff and faculty, said Sasi Pillay, vice president of information technology services and chief information officer.
"By creating a streamlined system that's easy for faculty members to use, we are essentially able to monitor that ourselves," he said.
Despite the investments in cloud-based systems, overall cybersecurity spending has remained relatively flat at colleges and universities. In 2020, even with the focus on remote technology, average college and university spending growth on IT merely kept pace with inflation, the Moody's survey found. Moreover, that spending has been uneven. Actual budget increases over the last two years have been almost entirely driven by private institutions and universities with a healthcare component.
The definition of cybersecurity spending tends to differ from one university to the next, but as a percentage of IT budgets it ranges between 3% and 12%, according to Von Welch, Indiana University's associate vice president for information security, who has studied the topic.
Hiring challenges loom
Drilling down, the Moody's report notes that the growth in private university spending on cybersecurity has not resulted in staff increases, "which indicates potential underinvestment in appropriate infrastructure in previous years." The increased investment by public universities, on the other hand, has included increasing staff size.
Hiring talented IT personnel may be more challenging for universities in the years to come. Skilled people, tired of the stagnant pay and slow-to-change world of academia, are leaving for better pay and benefits, said Patton, the former Ohio State information security officer, who is now an adviser to Cisco. In addition, scores of those in leadership and management positions are reaching retirement age.
Institutions will have to find ways to fill the pipeline gap. Experts predict more will share services and personnel to cut down on labor costs.
One example of this is OmniSOC, which was launched in 2018 by several Big Ten schools, including Indiana University. It's a subscription-service cybersecurity operations center that helps members avoid cyberattacks through threat detection and data sharing. The service has since expanded to include other, smaller schools across the country.
Remote work can also help release some pressure on IT salaries because it means universities can tap a larger hiring pool and potentially recruit professionals in low cost-of-living areas. In fact, IU is seeking a new CISO and has made the position eligible for 100% remote work.
"This isn't something we would have considered two to three years ago," said Welch. "But we figured out a way we could make it work, and frankly it's what's needed to be competitive in hiring these days."
Which risks are unacceptable?
Ultimately, prioritizing cybersecurity requires effort at all levels of the academic food chain.
That's happening in terms of governance and a general awareness that educational institutions are vulnerable. Many CISOs at public institutions now report directly to the president, for example, and a number of schools are intensifying cybersecurity training for students and employees.
These are low-cost efforts that can yield powerful results — important, given that experts believe cybersecurity spending in higher education will always be behind the actual need.
"In any situation it would be impossible to overspend," said Vicki Tambellini, CEO and founder of the Tambellini Group, "so instead you have to think about risk and how much you're willing to spend to mitigate it."
Welch said institutions should at least know how much of their IT budgets go toward security. And if it's outside the average range, leaders should know why.
Departments can start with the knowledge that 3% to 12% of IT budgets go to cybersecurity as a guideline and then decide which risk-mitigation efforts to prioritize, he said. A data breach might be some institutions' biggest fear, while ransomware could be most devastating at others.
"I think there needs to be a conversation between leadership and IT that can be difficult to have," Welch said. "How much is their risk tolerance?"