Cybersecurity: Managing the Surge of SaaS Apps in Education to Avert a Data Apocalypse

Professor Kevin R. Powers, J.D., Boston College, Founder and Director, MS in Cybersecurity Policy & Governance Programs, Boston College, Assistant Professor of the Practice, Boston College Law School and Simon Taylor, Founder & CEO at HYCU, Inc., Cybersecurity Research Fellow, Boston College

Professor Kevin R. Powers, J.D., Boston College, Founder and Director, MS in Cybersecurity Policy & Governance Programs, Boston College, Assistant Professor of the Practice, Boston College Law School and Simon Taylor, Founder & CEO at HYCU, Inc., Cybersecurity Research Fellow, Boston College

Thanks in large part to technology, education is undergoing a profound transformation, with new applications and the Cloud playing a pivotal role in shaping learning and teaching models. However, as this evolution takes root across academic environments, it brings with it unforeseen consequences: the surge in ransomware attacks. To understand why this is happening and to look for ways to be ready in the inevitable event of data corruption, deletion or even something as insidious and pervasive as a ransomware attack, senior executives and administrators in higher education, faculty, staff, and, especially, IT security leaders working for educational institutions need to understand how the rise of software-as-a-service (SaaS) applications impacts their organizations’ data security and disaster recovery programs.  

The State of IT in Education

Education is in the midst of a technological revolution as K-12 schools and higher educational institutions increasingly adopt a wide range of SaaS applications. These include learning management systems, cloud storage solutions, collaboration platforms, and video conferencing tools such as Microsoft Teams, Zoom, WebEx, and Slack. The proliferation of these platforms has empowered flexible and remote learning, improved communication between educators and students, and streamlined administrative tasks. Any data corruption or deletion event can be catastrophic to an institution. In the case of ransomware, attacks are launched every six (6) seconds and projected to occur every two (2) seconds by 2031. Such attacks can wreak havoc on educational institutions by encrypting critical data and demanding ransoms for decryption keys. These disruptions can lead to significant outages that go above and beyond simple things like class cancellations, delayed exams, and loss of teaching materials. 

Educational institutions store vast amounts of personal and sensitive data (e.g., students, faculty, staff, donors, alumni). Deletions due to human administrative error or malice such as a ransomware attack or insider threats can result in data breaches, exposing highly sensitive confidential information. This is not just a public relations problem that can tarnish an institution's reputation, but instead it is a significant privacy concern, which could involve potential legal liability. The cost that downtime creates can run into the hundreds of thousands of dollars, if not millions. And, paying ransoms to cybercriminals, something that is a risky proposition and not favored by law enforcement, can be just as costly for educational institutions. All of this points to the loss of funds that could have been invested in improving educational infrastructure or advancing technology to detect, prevent, and help in the inevitable need to recover – as the saying goes, “it’s not a matter of if, but a matter of when” your institution will be a victim of a cyber-attack. 

"Educational institutions store vast amounts of personal and sensitive data (e.g., students, faculty, staff, donors, alumni). Deletions due to human administrative error or malice such as a ransomware attack or insider threats can result in data breaches, exposing highly sensitive confidential information."

Why Vigilance Is More Crucial Than Ever

The widespread use of collaboration tools and cloud-based SaaS apps has expanded the attack surface for cybercriminals. These platforms store vast amounts of data and facilitate communication between stakeholders, making them attractive targets for ransomware attacks. At educational institutions, where faculty, administrators, staff, and students have varying levels of technical expertise, if any, interact, human error remains a significant threat. Indeed, a recent study has found that eighty-eight percent (88%) of all data breaches are caused by an employee mistake. Moreover, educational institutions are increasingly targeted through phishing campaigns and social engineering attacks, due to the vast amounts of personal and sensitive data they possess. Cybercriminals exploit human psychology to manipulate individuals into revealing sensitive information or downloading malicious files. These tactics are often used to gain initial access to ransomware attacks. As such, inadequate cybersecurity awareness training and lax cyber hygiene practices will expose institutions to varying cyber threats, including ransomware attacks. Educators and students must be well-informed about the risks and best practices, as cybersecurity involves an “all hands on deck” approach that needs to be led from the “top-down,” as cybersecurity is not a technical issue, but instead a business risk issue that needs to be run from the top down, meaning from the Board of Trustees to the senior administrators to the faculty and across the entire institution.

 Protecting Sensitive Data and Preventing the SaaS Data Apocalypse

Educational institutions must establish robust security measures to prevent ransomware attacks. This includes routine security assessments, employee training, network segmentation, strong password policies, and advanced threat detection tools. Early detection is essential for minimizing the impact of any data disruption be it deletion or ransomware. Intrusion detection systems, anomaly detection, and continuous monitoring are integral components of a comprehensive cybersecurity strategy. Timely identification of suspicious activities can help mitigate the damage. In addition to prevention and detection, having a reliable data recovery plan is imperative. The ability to quickly restore vital data is essential for minimizing downtime and maintaining educational continuity; hence, it is imperative for institutions to regularly back up their data to offline or isolated systems to ensure it remains unaffected in the event of a cyber-attack.

The education sector's increasing reliance on SaaS applications, collaboration tools, and cloud-based platforms has made it both a lucrative target for ransomware attacks and susceptible to downtime due to data loss or accidental deletion. To protect the future of learning and teaching models, educational institutions must prioritize cybersecurity. Vigilance, prevention, detection, and data recovery are all vital components of a robust cybersecurity strategy. It’s also crucial for educational institutions to understand the scope of their digital landscape. Knowing how many SaaS applications are in use and being able to visualize the entire data estate is of paramount importance. Without a comprehensive view of their digital assets, institutions may be blindsided by potential vulnerabilities. It’s important to have a clear inventory of digital resources, understand where sensitive data resides, and implement security measures across the board, which are essential steps in mitigating ransomware threats. 

For example, in developing future cybersecurity professionals at Boston College, all students in our Master of Science in Cybersecurity Policy & Governance Program are required to take the course “Cybersecurity Incident Planning, Response, and Management,” where students learn, hands-on, not only how to draft an incident response plan and manage it, but also how to effectively and efficiently design, implement, and test a disaster recovery program. As part of our curriculum, we focus on the issues involving SaaS data back-up, or lack thereof. Specifically, there are over 30,000 SaaS platforms used globally and only 5 such platforms back up your organization’s data, with the average midsize enterprise using 217 SaaS applications and more than 52% of successful ransomware attacks occurring through SaaS applications. This is a key issue impacting not just educational institutions, which, depending on their size, could be using 1,000 SaaS applications, if not more, but all organizations across all industries and governments. To avoid the “SaaS Apocalypse,” now is the time for all organizations to recognize, as noted earlier, that cybersecurity is not a technical issue, but instead a business risk issue that needs to be run from the top down. Thus, senior leaders and administrators at educational institutions need to know what data they have, how it’s stored, how it is backed up, and whether they can access such data to conduct their operations if victimized by a ransomware attack - their students’ education is dependent on as much! 

SaaS

Disaster Recovery

Data Security

inventory

Microsoft

Cyber Threats

Storage

Legal

Learning Management

LAW ENFORCEMENT