Can getting rid of passwords stop ransomware in higher education?

Liza Kurtz | April 10, 2023

Nearly all reliable data breach reports show the education sector ranks among the top 10 industries hit hardest by cyberattacks. Colleges and universities report more than their fair share of ransomware and denial of service (DoS) attacks.

In today’s blog, we’ll see how taking user passwords out of the authentication mix shuts down the phishing that compromises credentials and leads to malware (ransomware in particular) and a host of other costly attacks. We’ll also look at how you can get MFA right the first time.

Ransomware is the attack of choice

Research also suggests an uptick. In the UK alone, 92% of higher education institutions identified breaches or attacks during 2022. Higher education facilities also remain a favorite target – number 1 in fact – for ransomware attacks in particular. And sad to say, higher ed institutions have a well-publicized history of paying high ransoms even though the FBI and other authorities advise against it. 

The same consequences and more

The repercussions of attack are the same for higher ed as in other sectors:

  • Downtime
  • Damaged brand reputation
  • Delivering a poor faculty and student user experience (UX)
  • Incurring costs from all of the above plus any breach recovery efforts
  • Risk of falling out of compliance with industry mandates

But keeping up with and responding to new threats poses a bigger problem for these IT leaders than most. Higher education IT teams are notoriously understaffed and more budget- and resource-constrained than their counterparts in finance, healthcare, government, and other Top 10 targets.

Higher Ed IT leaders face unique security challenges

For one thing, the motivations behind cyberattacks may be more diverse. Along with the usual profit-driven campaigns, schools, like governments, may be targeted for political reasons, or by discontented students or alumni who happen to know, or have become, skilled hackers.

  • Identity base in constant flux: IT deals with highly elastic user populations that fluctuate by more than 25% every year. Every semester brings a fresh batch of students and often new professors that need to be outfitted for access and authentication, and an equal volume of graduates whose accounts need to be closed and devices that must get recycled.
  • BYOD: Students in particular change devices often, so securing access from personal laptops and smartphones adds to the overall IT and Help Desk workload.
  • Shared computing model: IT supports, and secures, shared computers in libraries, common areas, and science, research, or technology labs.
  • Remote learning: Considered a novelty not too long ago, online learning and hybrid models are here to stay.
  • Teachers have rights, too: Colleges and universities need to support teachers’ academic freedom as they connect from devices of choice to resources of their choice, sanctioned by IT or not.
  • Federal mandates: Higher educational facilities face growing regulatory pressure to protect students’ applications and personal data. Many imply or specifically call out MFA:
    • NIST SP 800-171 requirements to receive government and defense funding grants
    • Family Educational Rights and Privacy Act (FERPA)
    • Gramm-Leach-Bliley Act (GLBA)
    • The Federal Information Security Management Act (FISMA) for institutions receiving federal grants
    • HIPAA for protecting medical information
  • Reputation is everything: This is not unique to higher ed, but reports of schools paying ransoms and compromising users’ personal information stand to impact enrollment — and patronage — more than in other industries like retail where memories are shorter.

Of these, brand reputation probably ranks highest on most CISOs’ priority lists since maintaining an “Ivy League” reputation for delivering a safe, all-around rewarding experience attracts premier teachers and students who become premier alumni. Reputation factors into the school’s ability to secure research grants or philanthropic donations, and every college needs to meet NIST SP 800-171 MFA mandates to qualify for Federal Student Aid (FSA) programs.

The CISO’s dilemma

Every CISO may be challenged to choose between increased risk of attack and applying security controls perceived as draconian by customers. Fortunately, security controls are ramping up everywhere, and the younger generation in particular tends to pick up new technologies and procedures — like MFA and self-service portals — quickly.

With a high-profile attack surface and volatile user base, world-class Identity and Access Management (IAM) is a must for Higher Ed, along with a foundational shift to a preventive stance on defending data: one that, instead of detecting and responding to threats 24/7, keeps them off the company or campus network in the first place.

Preventing ransomware attacks in higher education

A few things seem obvious:

  • Back up data: There’s no need to pay criminals to unlock data you can download and restore yourself
  • Adopt or migrate toward a Zero Trust security posture: Again, keep bad things from happening by making sure every request is legitimate before it goes through
  • Segment your campus network so no single threat can take the whole system down
  • Implement passwordless, phishing-resistant MFA to strengthen identity verification and keep users from being phished

Eliminating the password from user login in favor of “what you have” and “what you are,” coupled with cryptographic binding, presents an area where security can be improved by orders of magnitude very quickly (within hours) without a huge investment or adding massively to IT’s workload.

What are IT’s options for improving MFA?

Most higher education facilities today use some form of multi-factor authentication (MFA) to make sure users are who they say they are before granting them access to sensitive resources. Most MFA consists of passwords followed by one-time passcodes (OTPs) sent via text or email or by a “push” notification sent to a mobile device app asking the user to approve a request for access.

Stop going down the wrong road

Both options improve on the use of passwords alone, but passwords themselves still bring inherent risk: they can be shared, lost, stolen, or even purchased on the dark web in some cases. The good news is that leaders have multiple options:

  • Continue building upon vulnerable passwords, which vendors and cybersecurity analysts agree makes no sense
  • Adopt passwordless MFA solutions that leverage X.509 certificates or FIDO2 keys, both of which pose cost and logistical challenges
  • Roll out passwordless MFA that also works with passwords on the back end behind the scenes 

Keep the phish out of school

These last two options – i.e., simply getting rid of passwords – make MFA phishing-resistant and in turn more aligned with Zero Trust. Passwordless MFA dramatically increases the odds that whoever logs in is who they say they are, and worthy of trust without jumping through too many more hoops.
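Why removing the typed secret makes MFA phishing-resistant, as an added example (not from the original post and not Octopus's protocol): a generic challenge-response in which the device signs the server's challenge together with the origin the browser is on, contrasted with a password plus OTP check. The origins, credentials and function names are constructed for illustration.

```javascript
// Added illustration: a generic origin-bound challenge-response, not any vendor's protocol.
// Origins, credentials and function names are constructed for this example.
const crypto = require('node:crypto');

const REAL_ORIGIN = 'https://sso.university.example';      // constructed
const LOOKALIKE_ORIGIN = 'https://sso.universlty.example'; // constructed lookalike

// Enrollment: the device keeps the private key; the server stores only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Device side: sign the challenge together with the origin the browser is actually on.
function deviceAssert(challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge: challenge.toString('base64'), origin: browserOrigin });
  return { clientData, signature: crypto.sign(null, Buffer.from(clientData), privateKey) };
}

// Server side: check the signature first, then the challenge and the signed origin.
function serverVerify(assertion, expectedChallenge) {
  const sigOk = crypto.verify(null, Buffer.from(assertion.clientData), publicKey, assertion.signature);
  if (!sigOk) return 'reject: bad signature';
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== expectedChallenge.toString('base64')) return 'reject: wrong challenge';
  if (data.origin !== REAL_ORIGIN) return 'reject: origin mismatch';
  return 'accept';
}

// Password + OTP for contrast: the values say nothing about where the user typed them.
function serverVerifyOtp(submitted, expected) {
  return submitted.password === expected.password && submitted.otp === expected.otp ? 'accept' : 'reject';
}

function demo() {
  const challenge = crypto.randomBytes(32);
  const direct = serverVerify(deviceAssert(challenge, REAL_ORIGIN), challenge);
  // The user is on a lookalike page that forwards the real server's challenge.
  const viaLookalike = deviceAssert(challenge, LOOKALIKE_ORIGIN);
  const relayed = serverVerify(viaLookalike, challenge);
  // Rewriting the origin after signing invalidates the signature.
  const rewritten = { ...viaLookalike, clientData: viaLookalike.clientData.replace(LOOKALIKE_ORIGIN, REAL_ORIGIN) };
  const tampered = serverVerify(rewritten, challenge);
  // Typed secrets forwarded unchanged still pass the server's check.
  const creds = { password: 'constructed-pass', otp: '492817' };
  const otpRelayed = serverVerifyOtp({ ...creds }, creds);
  return { direct, relayed, tampered, otpRelayed };
}

console.log(demo());
```

The signed origin is what the server-side check relies on: a login performed on the wrong site produces an assertion the real site refuses, while forwarded typed secrets are indistinguishable from a direct login.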

Of the two passwordless options, the one that allows IT to continue using passwords on the directory/server-side makes the most sense for higher education facilities. Adoption goes faster and more easily and proves infinitely less disruptive. 

If the solution is adaptive and also works with push notifications, that’s even better. Push accommodates the high turnover in higher ed without IT having to outfit new users with physical keys, tokens, smart cards, etc.

Less risk with less cost and fewer cycles. 

“Less is more”: The benefits of passwordless MFA for higher education

The benefits of passwordless MFA include:     

  • A better UX
    • Users love passwordless MFA once they get used to it, and students get used to it fast
    • No need for users to create, remember, type, or reset passwords
    • Works with mobile push and/or FIDO tokens
    • Avoids “MFA Fatigue”
  • Compliance
    • Satisfies regulatory goals for MFA and password rotation 
    • Directories require passwords for fallback even if they’re not used to log in
  • Financial:
    • Password-friendly passwordless MFA pays for itself in the first year 
    • Protects brand reputation – keeps colleges out of the headlines!
  • Security
    • Stops password exploits
    • Resists phishing and modern “man in the middle” attacks   
    • The “secrets” never leave IT
  • IT workload
    • Eliminates password reset Help Desk calls – a huge win!
    • Up and running in an hour 
    • User self-service portal for adding new devices 

Octopus fixes MFA – and shrinks the attack surface by 80%

The Octopus MFA platform provides IT leadership in higher education with a complete solution that improves UX, security and compliance, and cuts IT’s workload by reducing Help Desk calls relating to credentials. 

Stopping the phishing menace

Today’s MFA can’t; Octopus can. SDO’s passwordless MFA platform takes passwords out of the user login process completely. Instead, Octopus uses cryptographic key pair pinning to bind biometrically verified users and their devices to managed applications and services. This ends attackers’ ability to trick users into sharing passwords through phishing emails and sophisticated browser-based or man-in-the-middle attacks. Stopping phishing keeps attackers from gaining access and moving laterally through your network targeting sensitive data.

This simple change can shrink a college or university’s cyberattack surface by more than 80%

Octopus passwordless MFA lets time-strapped admins do less: less risk, fewer helpdesk calls, and less time onboarding and offboarding users, while staying more secure and in control. And users love passwordless MFA’s simplicity and the time it gives them back.