In July 2020, hackers successfully attacked the University of Utah’s College of Social and Behavioral Sciences with ransomware that halted all work. Although the university had backups of the data, the school still paid $457,059.24 for the hackers not to leak the data. This amount does not represent the true cost of the compromise which likely will run beyond $1 million and take months to fully resolve. It is a black eye to the university that helped create the internet back in 1969.
The scary part is, all of Utah’s K-12 and higher education institutions are in the same precarious position as the U., perhaps even more so with the rush to online learning. Schools collect sensitive information about students, including personal identifiable information, academic performance, family financial information and medical data. We also live in an age of organized cybercrime and foreign government-sponsored hackers successfully breaching computer systems of all sizes. Parents should ask themselves if their school district can protect their child’s data. Unfortunately, the answer is no. Here are two reasons why:
There are not enough security professionals to protect the current information systems.
Of 35 Utah school districts surveyed, only two have dedicated cybersecurity staff. The student-to-cybersecurity staff ratio at the University of Utah is 1,930 to 1. In Utah K-12, it is 73,722 to 1, even after including the security team of the Utah Education Network. To bring the district networks up to the same proportion as the University of Utah (which was inadequate), school districts would have to hire an additional 297 more cybersecurity professionals, costing an annual $29.7 million in compensation alone if hired at the average salary in Utah education.
Unfortunately, the cybersecurity field is plagued with a talent shortage of a whopping 561,000 unfilled cybersecurity jobs in North America. Even if Utah school districts wanted to hire hundreds more qualified professionals, they would be hard pressed to find enough of them.
There is not enough funding to protect current education information systems.
In reality, most education organizations face tight budgets and scrutinized funding. Surely if any Utah education institution could afford high quality cybersecurity, it would be the state’s flagship school with a $4.73 billion overall budget and an information technology budget of $103.3 million. In contrast, Utah’s K-12 school districts have much smaller budgets, especially the smallest districts. If the University of Utah cannot spend its way to securing disparate networks, neither can Utah’s schools and colleges.
If spending and hiring our way out of the problem is not the answer, then what can be done? Utah education can take a cue from the same institution that got hit. The University of Utah acknowledged it “has vulnerabilities because of its decentralized nature and complex computing needs.” Given the constraints, the U.’s security team might not be able to adequately protect 18 of its colleges’ networks, but it can build a fortress around one or two networks. After the breach, the school began to consolidate IT resources and eliminate redundant services so that a central, lean security team can efficiently defend them. By taking similar action and pooling resources in K-12 school districts and higher education, it would not only help secure student data and computer systems but also save money and provide high-quality services to underserved districts.
Several states are already pursuing this course. Texas built a security operations center servicing higher education and various state agencies. Last year, North Dakota created a security operations center dedicated to all government offices, including education, with invitations to other states to participate in a multi-state cybersecurity program.
Utah government and education leaders must follow these examples or risk facing more cybersecurity crises like the University of Utah attack. It is a big paradigm shift, but it is the best approach to defend against future attacks. Let’s not wait for another student data breach or ransomware attack before addressing this problem.
Dallin Warne is a cybersecurity engineer defending the data and information systems of Brigham Young University, Brigham Young University—Hawaii and Brigham Young University—Idaho.