We're in the midst of a ransomware crisis, with schools being one of the hardest hit victim groups.
New research finds that a whopping 44% of schools experienced a ransomware attack in the last year, with more than half of these victims saying their data had been encrypted in the most significant attacks. Another one-third of schools say that they haven't yet been attacked by ransomware but expect to be in the near future.

Schools are already facing immense pandemic-related pressures in keeping doors open for in-person learning while keeping students safe. But they also have to contend with the looming threat of costly ransomware attacks.
We've seen the impact of these attacks on K-12 schools all over the country, from Connecticut and Massachusetts to Florida and Texas, in just the past year. The most recent guidance from the FBI indicates that K-12 schools actually made up a majority of all ransomware attacks (57%) during last year's back-to-school season. All of this is exactly why school boards need to prioritize cybersecurity in tandem with their COVID-19 health protocols.
The inevitability of a ransomware attack is a chilling reality that organizations across all industries are facing today, but it is especially pronounced for the education sector, which ties with retail as the top industry experiencing the highest levels of ransomware attacks globally. That surpasses business, government, IT, utilities and healthcare – what you'd assume to be the "usual suspects" of ransomware targets.
Schools are an attractive target for ransomware attackers because they often lack the resilient IT infrastructure, well-resourced staff and budgets that other organizations have. This makes it even harder for them to stand up against ransomware groups like REvil, Ryuk and DarkSide – which are already able to infiltrate organizations with more robustly secured networks than the average school.
Complicating matters is that schools' IT hygiene may be compromised by the very people they're serving – students, who often engage in risky behavior like online piracy and can inadvertently increase a school's exposure to an attack.
Paying the ransom doesn't pay off for victims
Ransomware will end when the attacks are no longer profitable, and the attacks stop being profitable when organizations stop paying them. That's, of course, far easier said than done. When you're in the heat of the moment, the temporary financial cost of paying a ransom may be a bitter pill to swallow, but it can feel like the lesser of two evils when the alternative is shutting school doors or losing staff, faculty and student data.
But even putting aside how paying ransoms incentivizes ransomware groups to launch more attacks, the fact is, paying the ransom rarely pays off for the victim. Thirty-five percent of schools pay a ransom after an attack, making education one of the most likely industries to pay. Yet, among the schools that pay a ransom, only 11% have all of their data returned to them.
The ransom isn't the only cost that schools will incur. Between downtime, device and network costs, and other expenses for getting back up and running, the total average bill for a ransomware attack in education is $2.73 million. That is the highest total recovery cost of any industry – no doubt a result of education having more outdated and fragmented IT infrastructures, with understaffed IT teams, compared to other industries. At the end of the day, a school attacked by ransomware effectively has to rebuild its entire IT infrastructure from the ground up afterward, at major cost.
5 recommendations to bolster your ransomware defenses
Ninety percent of schools have a malware incident recovery plan in place, which is a good start, but that alone is not enough. In order to reduce the overall cost and impact of an attack, education leaders need to prioritize their schools' defenses against ransomware by investing in a modernized IT infrastructure, cybersecurity technologies and expert, human-led threat hunting teams that can stay a step ahead.
Here are five key measures to take that will get you there:
- Acknowledge that a ransomware attack is inevitable. Ransomware is highly prevalent, and no school, organization, industry or country is immune from a ransomware attack. Assume you will be hit and plan ahead accordingly.
- Adopt a "3-2-1" method of backing up your data. Backups are the #1 method that organizations use to successfully restore their data, far more so than paying a ransom. In the aforementioned survey, more than half of schools attacked by ransomware did not pay the ransom and instead restored their data through backups. Follow the 3-2-1 method of backups: three different copies of data, using at least two different backup systems, with at least one copy stored offline and off-site.
- Complement anti-ransomware technology with human experts. Anti-ransomware software provides the scale and automation needed to thwart attackers, but it can't do the job alone. Shore up the technology side of your ransomware defense with human-led threat hunting teams, who have the expertise to catch the red flags of an attack that your technology might miss. If you don't have those skills in-house, look into an outside security operations center you can partner with.
- Protect your network with layered protection. With ransomware attackers ramping up extortion-style attacks, it's more important than ever for business and IT leaders of any industry to ensure their teams are deploying layered protection at as many entry points into their network as possible, in order to keep adversaries out of their environment.
- Don't pay the ransom. Paying the ransom encourages more ransomware attacks, and offers zero guarantee you will get all of your data back (most likely you will not). And if you've made the right preparations ahead of time – like data backups and malware recovery plans – you won't need to pay a ransom to restore your data, anyway.
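The 3-2-1 rule above is easy to state but easy to drift away from once a school's backup setup changes. The following is an added example, not code from the article or from Sophos: a small Python audit that checks a backup inventory against the three conditions the rule names (three copies, at least two backup systems, at least one copy that is both offline and off-site) and, as an extra check the article does not spell out, flags copies whose last successful test restore is older than an assumed threshold. The inventories, names and dates are constructed for illustration, and the example treats the production copy as one of the three, which is the usual reading of the rule.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BackupCopy:
    """One copy of the data, as a school's IT team would list it in an inventory."""
    name: str
    system: str              # which backup system / medium holds this copy
    offline: bool            # not reachable from the production network
    offsite: bool            # stored at a different physical location
    last_restore_test: date  # last time a restore from this copy was verified


def audit_321(copies, today, max_test_age_days=30):
    """Check an inventory against the 3-2-1 rule.

    Returns a dict with one boolean per condition, the names of any copies
    whose restore test is older than max_test_age_days (assumed threshold),
    the copies that satisfy the offline-and-offsite requirement, and an
    overall 'compliant' flag that is True only when every check passes.
    """
    copies = list(copies)
    systems = {c.system for c in copies}
    offline_offsite = [c.name for c in copies if c.offline and c.offsite]
    stale = [c.name for c in copies
             if (today - c.last_restore_test).days > max_test_age_days]
    checks = {
        "three_copies": len(copies) >= 3,
        "two_systems": len(systems) >= 2,
        "one_offline_offsite": bool(offline_offsite),
        "all_restore_tested": not stale,
    }
    return {
        "checks": checks,
        "stale": stale,
        "offline_offsite": offline_offsite,
        "compliant": all(checks.values()),
    }


# Constructed reference date for the sample inventories below.
TODAY = date(2021, 9, 1)

# Constructed inventory that meets 3-2-1: production copy, a nightly NAS
# snapshot on a second system, and a weekly tape set held offline off-site.
GOOD_INVENTORY = [
    BackupCopy("primary-file-server", "production-san", False, False, date(2021, 8, 30)),
    BackupCopy("nightly-nas-snapshot", "backup-nas", False, False, date(2021, 8, 28)),
    BackupCopy("weekly-tape-vault", "lto-tape", True, True, date(2021, 8, 20)),
]

# Constructed inventory that looks like three copies but has no offline copy:
# an always-connected cloud mirror can be encrypted along with the primary,
# and the NAS snapshot has not had a test restore in months.
RISKY_INVENTORY = [
    BackupCopy("primary-file-server", "production-san", False, False, date(2021, 8, 30)),
    BackupCopy("nightly-nas-snapshot", "backup-nas", False, False, date(2021, 5, 1)),
    BackupCopy("cloud-sync-mirror", "backup-nas", False, True, date(2021, 8, 28)),
]


def report(label, inventory, today=TODAY):
    """Print a one-line verdict plus the failing checks for an inventory."""
    result = audit_321(inventory, today)
    failed = [name for name, ok in result["checks"].items() if not ok]
    print(f"{label}: {'OK' if result['compliant'] else 'NOT COMPLIANT'}"
          f" failed={failed} stale={result['stale']}")
    return result


if __name__ == "__main__":
    report("good inventory", GOOD_INVENTORY)
    report("risky inventory", RISKY_INVENTORY)
```

The second inventory is the instructive one: it has three copies and two systems, so a count-based check would pass it, yet every copy is reachable from the network, which is exactly the situation in which a ransomware operator can encrypt the backups along with the data. The restore-test age check is there because a backup that has never been restored is only assumed to work.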
About Dan Schiappa
Dan Schiappa is the chief product officer at next-generation cybersecurity leader Sophos. He's a transformational and strategic leader who orchestrates the company's technical strategy, playing an instrumental role in architecting technologies; overseeing product management and research and development; and ensuring product quality. With a passion for education and inspiring the next generation of cyber talent, Dan also serves as chair of the University of Central Florida's Dean's Advisory Board, where he oversees various aspects of the school's elite cybersecurity program.