Jim Shreve talks cybersecurity and higher education with University Business

Chair of Thompson Coburn's Cybersecurity group, Jim Shreve, was interviewed by University Business in a series of articles on ransomware attacks, cybersecurity and the impacts on higher education.

Jim has helped advise institutions on their potential risks to cyberattacks and has worked with clients on privacy matters and incident response for over 20 years. The articles highlight how having proper firm representation during an incident can be an enormous help in a crisis moment, when leaders may not be thinking as clearly about demands or the loss of data. 

The first article, “Held for Ransom: Why colleges must be proactive to prevent cyberattacks,” explains how institutions are huge targets for hackers because of their openness and what they possess. Since the beginning of the COVID-19 pandemic, cyberattacks on colleges are on the rise and valued by hackers worldwide. That’s not necessarily because of the extreme payouts they might receive, but because of the breadth of information institutions possess in their portfolios.

The second article, “Ransomware risk: 6 steps colleges can take to help prevent cyberattacks,” is a conversation with Jim on the prevalence of ransomware, responses that can make a difference and proactive measures institutions can take to protect data:

Tell us about the clients you serve; who they are across higher education. 
It varies greatly from very large research institutions to smaller specialty schools, nursing schools, some that are their traditional brick and mortar and some that are exclusively online. The challenges and risks vary among those institutions. That’s one of the things that makes it hard in working with the Department of Education is finding something that works for a nursing school of 50 students, as well as a university that has 70,000 students. 

How prevalent is ransomware in higher education? 
Ransomware is enormous, and it’s continuing to get bigger. Higher education is maybe not the most prevalent target, but certainly among the more prevalent ones. I would say that because you can view higher education institutions as being a bit of one-stop shopping. If you’re a hacker, you may find financial information, healthcare information, valuable IP and other data there. Higher education has an infrastructure with a lot of users that are often distributed and with different access rights. 

What are the hackers looking for? 
The most common kind of hacker is simply looking to make money. They get into ransomware because it’s profitable. If you steal a large amount of personal information and then you want to repackage it, sell it on dark websites, it may take you quite a while to get paid. Ransomware allows you to do something and be paid potentially within hours or days. There is also potentially a high reward for sensitive IP, including a lot of research work. In those attacks, you can get nation-state attackers that are much more sophisticated and much harder to detect and repel. If you have a nation-state attacking you, they can bring a lot of resources to bear, more than a small criminal organization. 

What is different about the cyberattacks on higher education compared with other entities? 
Higher education is not so different from other industries, but we’ve seen an evolution of ransomware attacks. A few years ago, most ransomware attacks would exploit a known vulnerability, try it on a lot of different entities and demand a ransom amount that was pretty low. They would bank on the fact that the target might say, ‘Maybe we could recover from backups, but it’ll be just cheaper and easier to pay to get the decryption key.’ Now, the attacks are much more targeted. They know more about who they’re attacking and are demanding larger ransom amounts. Whereas before, where we were looking at a few thousand dollars, now it’s very common to see ransom amounts that are over a million dollars. 

What are the potential outcomes if colleges and universities decide not to comply with demands? 
There are risks if you pay and risks if you don’t. If you do not pay, there may be a business interruption. You may not be able to get back the systems or the data that was encrypted as part of the ransom demand. You may lose some functionality or be down for a while. One of the best ways is to defend against ransomware attacks is to have really good backups for your systems and have those backups not be vulnerable. If you can restore from those backups, you don’t need to pay the ransom for the most part. But the hackers recognize that. So oftentimes they’re taking data as well. Before launching the encryption, they’ll take data off the system to use it as further leverage. They’re saying, we have this data. We will release it or sell it on the dark web unless you pay. Another potential risk in paying is that if you facilitate payments to a known terrorist or organized crime organization, you can be brought up on criminal charges. If you do pay the ransom, you also can hurt your relationship with law enforcement. particularly in a situation where you didn’t really need to pay. 

What are some of those strategies that institutions can utilize to be proactive in trying to prevent ransomware attacks?

1. Tabletop exercises of incidents. A tabletop is a practice cyber security incident, whether it’s on ransomware or hacking or another type of attack. The exercise is helpful to test your systems and your people. It is being done by the information security people regularly, but it oftentimes doesn’t involve some of the senior executives that need to make the important decisions. You can point out news items, and say, What if something like that happened here? How do you deal with it? That will provide invaluable knowledge about your systems, your preparation, and then you can adapt it.
2. Cybersecurity insurance. But it’s important to know what is covered and what is not covered in policies. Pepper your insurer or broker with questions: ‘If this kind of thing happened here and we had to pay the ransom, is the ransom amount covered, or are we covered for business interruption? Are we covered for any number of outside people we need to bring in to address this?’
3. Good backups. They are key to recovering from ransomware attacks. That more than anything lessens your need to pay the ransom.
4. Greater use of encryption. If you encrypt the data that’s sitting on your system and the hackers can’t access it, it’s not valuable for them to steal. They can’t extort from you as easily.
5. Consider limiting access rights. Do users have access only to what they need? Does everyone with administrator privileges really need them?
6. Improving user authentication, as in multifactor authentication, and where possible using longer passwords (or passphrases) or passwords that are hard to crack.

Why is protecting against ransomware so important? 
This is an area where you want to be proactive. You want to be known as somebody who takes this seriously. Part of your image as an institution is you want to make that brand strong.