Sophos has released The State of Ransomware in Education 2023, an insightful report based on a survey of 400 IT/cybersecurity professionals across 14 countries working in education. The findings reveal the real-world ransomware experiences of the sector.
Rate of attack and data encryption
The education sector reported the highest rates of ransomware attacks of all the industries surveyed. 80% of lower education providers and 79% of higher education providers reported that they were hit by ransomware in the 2023 survey, up from 56% and 64%, respectively, in our 2022 survey. The 2023 rates of attack are more than double than reported in our 2021 survey, when 44% of education providers experienced a ransomware attack.
Data encryption in the education sector has continued to rise: the rate in lower education has gone up from 72% to 81% year over year. Higher education reported a 73% rate of data encryption, similar to the 74% reported the year before.
18% of attacks in lower education were stopped before the data was encrypted, down from 22% the year prior. Encouragingly, higher education reported an increase in the rate of attacks stopped before data encryption, up from 22% in the 2022 report to 25% in the 2023 report.
Of the lower education organizations that had data encrypted, 27% said their data was also stolen. This figure reached 35% in higher education, suggesting that this “double dip” method (data encryption and data exfiltration) is becoming commonplace.
Root causes of attacks
Compromised credentials (36%) and exploited vulnerabilities (29%) were the top two most common root causes of the most significant ransomware attacks in lower education. Emails (malicious emails or phishing) were the starting points for nearly one-third of the attacks (30%), suggesting that the sector is highly exposed to email-based threats.
In higher education, exploited vulnerabilities (40%) were the most common root cause of ransomware attacks, followed by compromised credentials at 37%. Together, they account for over three-quarters of ransomware attacks (77%) in higher education. Email-based attacks (malicious email or phishing) are a less common root cause but still drive almost one in five ransomware incidents (19%).
Data recovery and the propensity to pay the ransom
All higher education and 99% of lower education organizations got their encrypted data back, higher than the 97% cross-sector average.
73% in lower education used backups for data recovery, while almost half (47%) paid the ransom. Higher education was among the bottom three sectors globally for backup use, with only two-thirds (63%) reporting the use of backups for data recovery. The sector also reported one of the highest rates of ransom payments for data recovery at 56%.
While the cross-sector recovery costs increased year over year, in lower education, they have remained level ($1.59M in the 2023 report vs. $1.58M the in 2022 report). In higher education, recovery costs have dropped considerably from the $1.42M reported in the 2022 survey to just over $1 million in the 2023 survey, suggesting that as ransomware rates increase, higher education organizations are getting better at recovering from attacks and are able to do so at a lower cost.
Mitigating the ransomware risk
Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:
Strengthen defensive shields, including:
Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-exploit capabilities to prevent exploitation of vulnerabilities, and Zero Trust Network Access (ZTNA) to thwart the abuse of compromised credentials
Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond
24/7 threat detection, investigation and response, whether delivered in-house or by a specialist Managed Detection and Response (MDR) provider
Optimize attack preparation, including making regular backups, practicing recovering data from backups and maintaining an up-to-date incident response plan
Maintain good security hygiene, including timely patching and regularly reviewing security tool configurations
About the survey
Data for the State of Ransomware 2023 report comes from a vendor-agnostic survey of 3,000 cybersecurity/IT leaders conducted between January and March 2023, including 400 in the education sector: 200 from lower education (up to 18 years) and 200 from higher education (above 18 years) and including both public and private sector education providers. Respondents were based in 14 countries across the Americas, EMEA, and Asia Pacific. Organizations surveyed had between 100 and 5,000 employees, and revenue ranged from less than $10 million to more than $5 billion.