10 Low-Cost Ways for Colleges and Universities to Prevent Cyberattacks

Recently, I had a Zoom call with an IT analyst at a southern college who was in the process of recovering from a ransomware attack. “I’ve been instructed to rebuild everything from scratch,” she said, having no backups to work from. “I don’t even know where to start.” This was not the first time this year I’d heard that sentiment relayed. Information security and IT staff across the country are experiencing everything from minor malware glitches to major cybercriminal catastrophes. Cybercrimes and ransomware attacks are on the rise in higher education and many schools aren’t prepared.

Perhaps, for these institutions, cybersecurity is not a budget priority because they are not seeing the risk to their campus. This is unfortunate since, given the steep rise in attack rates, the question about attacks on your network are less “If” than “when”. At Jenzabar, we have recently seen customers suffer from compromised mailboxes, ransomware attacks, and even a self-inflicted breach of security when a collection of passwords was inadvertently exposed to the internet on a GitHub repository. We even had a hacker enact “defacement” pranks by exploiting a JICS vulnerability (Note: A patch for the vulnerability was released one year prior).

Many of the ransomware attacks we’ve seen on campuses recently have had devastating consequences. In fact, the recent closure of HBCU Lincoln College was partly attributed to a ransomware attack that halted its recruitment, retention, and fundraising campaigns. As we examine the current cyber crisis in higher education, it becomes clearer that institutions need to get serious about guarding themselves against future attacks. But this is easier said than done.

One of the main reasons institutions remain vulnerable to cyberattacks is not that they’re in denial, but that they don’t possess the budget to purchase things like endpoint detection and response solutions, cloud backup systems, or incident-response retainers—tools that dramatically decrease the likelihood of damage from a cyberattack. But budget issues shouldn’t prevent institutions from safeguarding their campuses. Below, I’ve laid out my top 10 suggestions (some quite economical!) for improving your system security and safeguarding against cybercrime.

1. Set Up Multifactor Authentication

Passwords get cracked, guessed, and stolen. Multifactor authentication greatly reduces the chances of bad actors accessing your systems. I highly recommend adding a secondary authentication factor for all system users, including students. While some solutions are more secure and friendlier than others, any is better than a simple username and password.

2. Update Your Systems

We call this vulnerability and patch management. Your software providers are constantly at work to detect and repair system vulnerabilities. Update your operating systems and applications to address vulnerabilities and help prevent attacks.

3. Make Sure People Are Logged Into Their Computer as Users, Not Administrators

Surfing the web and reading emails as an administrator makes you an easier target to malware writers. Administrators have greater access to reconfigure a computer than users do and accessing someone’s administrative account would allow a cybercriminal to do a great deal of damage.

4. Deploy Microsoft LAPS

Microsoft LAPS protects local administrator account passwords for domain-joined computers by giving them a unique password and changing it automatically. It’s free and it’s soon going to built into Windows 11, so deployment is an easy call.

5. Eliminate Obsolete Operating Systems

Think Windows 2008 and earlier. These systems are no longer being updated and repaired and are incredibly vulnerable.

6. Identify Services on Your Network That Are Exposed to the Internet But Shouldn’t Be

Examples of these types of services: SMB, Telnet, RPC, and SQL.

7. Monitor For Stolen Credentials

You don’t have to pay for good information. You can start with a free service like haveibeenpwned.com.

8. Keep in Touch With Peers to Learn of New Threats and Best Practices

In the spirit of this advice, I recommend that your information security staff get familiar with and become members of The Research and Education Networks Information Sharing and Analysis Center (REN-ISAC), which focuses on cybersecurity in the research and higher education community. I also recommend joining the Jenzabar Security listserv, the EDUCAUSE listservs, or even forming a private group with your peers from other similar institutions. You’ll get alerts, reports, threat news, and advice for mitigating those threats.

9. Block Email Attachment Types Common to Malware, But Not Common to Your Network

Yes, this advice is old news, but it’s a best practice. If you need help identifying attachment types, look at some of the files that Gmail and Microsoft regularly flag.

10. Do a Tabletop Exercise With Key Institutional Stakeholders

Anticipate that an incident will most likely occur and identify key players: IT staff, legal representation, leadership, etc. In this exercise, you’re looking for answers and consensus to important security questions. How do you plan on communicating if campus email and phone systems go down? Is your institution willing to pay a ransom? If you are going to pay a ransom, how will you go about doing that? Who is your incident response leader: You, your insurance provider, a third-party incident response service, or someone else?

Don’t Underestimate the Importance of an Experienced Systems Provider

Even without an unlimited budget there are ways to protect your institution from the devastating impact of a cyberattack. While the aforementioned ten tips will certainly help, the benefits of working with an experienced, knowledgeable technology provider—one who is serious about its customer service and system security—cannot be overstated. A provider who is dedicated to security will ensure its experts remain up to speed on the latest threats and that its systems are updated with the latest security measures.

This blog was written by Bill Kyrouz, Jenzabar’s Director of Information Security.