Dive Brief:

• The worldwide K-12 and higher education sector outperformed most other industries, including technology, transportation and healthcare, in simulations for cybersecurity readiness, according to a report released today from Immersive Labs, a U.K.-based company that works with clients globally on cyberthreat preparedness.
• The simulations performed over 18 months also showed the education sector was the most likely to pay ransoms in hypothetical situations, with 25% of teams relenting to ransom demands. Only 13% of teams in financial services and 0% in infrastructure paid the hypothetical ransoms. 
• School systems in the U.S. had a record breaking year for cyberattacks in 2020 and are likely to become more susceptible to cyberattacks this year. The education sector's strong demonstration of collaboration in crisis preparation could help with both prevention and reaction, said Kev Breen, director of cyber threat research at Immersive Labs. "Having more people engaged is key," he said.

Dive Insight:

The education sector had the highest average number of participants, at 21, in crisis exercises. The average participation across industries was six people, according to the report, which draws from 2,100 international organizations, 500,000 individual exercises and 1,500 separate simulated threats and incidents.

Spreading the workload of cyberthreat preparedness and response among technical and nontechnical executives and staff leads to a wider pool of knowledge, skills and judgment for finding and identifying solutions, the report said.

"Having that diversity means that they've not had tunnel vision on one specific area, which gives them a broader effectiveness," Breen said.

But having more people ready to react to threats is only part of cyber readiness. Immersive Labs also analyzed the frequency of cyberthreat readiness exercises per year and found education placed near the bottom of the list with an average of two. The technology industry topped the list with an average of nine exercises a year. 

Overplanning, however, can lead to fatigue and potential biases, Breen said. The report recommends teams conduct cyberthreat exercises at least once a month. Doing them once a day would be overload, said Breen, adding time frames for exercises can depend on the technology vulnerabilities of each company or team.

Regarding the education industry's high average for paying ransom during simulated threats, the potential jeopardy to students' education may be a factor in the sector's willingness to comply with demands, Breen said. 

According to the findings from a survey of 499 IT decision makers worldwide conducted last year by Sophos, a British-based cybersecurity company, the education sector has the third-highest rate of ransom payment (35%), behind energy, oil/gas and utilities (43%) and local government (42%). 

The Immersive Labs report highlighted the lack of confidence across industries in responding to ransom demands and the uncertainty of the outcome of not paying the ransom. Developing "cognitive agility" from a cross section of decision-makers can remove some levels of fear and uncertainty in those scenarios, the report said.

When there was a simulated threat, schools and colleges took an average of 100 days to develop the capacity to equip cybersecurity teams with skills needed to defeat attackers. The fastest responding industry was leisure and entertainment with 65 days, and the slowest was transport at 145 days.