The UK’s education sector continues to be hit by spiraling ransomware attacks, which can cost affected organizations in excess of £2m per incident, according to a new Jisc report.
The non-profit provides the UK’s higher and further education sector with IT services, including the superfast Janet network and incident response.
Head of Janet policy and strategy, John Chapman, warned that ransomware and malware were now the top threats for the sector, with phishing and social engineering coming second.
A cyber impact report published by Jisc in 2020 was updated this month to contain more anonymous case studies of organizations compromised by ransomware.
“Since Jisc’s first cyber impact report, the main development has been the sustained increase in ransomware attacks: 15 further education (FE) and higher education (HE) organisations were impacted by ransomware in 2020, a further 18 in 2021, and at least three so far in 2022,” Chapman explained.
“More than 100 UK schools have also been affected.”
Part of the challenge for colleges and universities is that remote working has continued even as campuses reopen following COVID lockdowns.
“Personal data and information are now increasingly held on devices outside campuses,” said Chapman. “Protecting that information, wherever it exists, has extended existing security challenges and inadvertently led to some major security incidents.”
While some universities are responding by enhancing security, such as the deployment of multi-factor authentication, others are more at risk and could be exposing themselves to multimillion-pound breaches.
“It appears many institutions are not systematically tracking and therefore do not fully understand all costs associated with a cybersecurity incident,” said Chapman.
“From the experience of Jisc’s computer security and incident response team (CSIRT) – in helping HE and FE providers recover from ransomware incidents, we are aware of impact costs exceeding £2m. These huge numbers may seem unrealistic, but as this report shows, there are many ways an incident can affect an institution, not all of which are recorded.”