Invenio-IT

Business Continuity in Education & Acing Your School’s Disaster Response

Tracy Rock

Director of Marketing @ Invenio IT

Imagine that you’re a school administrator finishing up a busy day of meetings with board members, reviewing curriculum changes, and approving facilities plans. As you start to shut down your computer, a message appears. Your systems have been hacked, exposing the data of thousands of students, faculty, and staff, and the attackers are demanding a staggering ransom. While this scenario might seem farfetched, it’s become reality for many school leaders around the world, and it’s the reason why business continuity in education has never been more important.

To establish a solid system of business continuity, academic institutions must first understand why it’s needed. In this article, we’ll explore the types of threats schools face and explain why a business continuity plan is one of the strongest tools you can employ against them.

Why Education Is a Target for Cyberattacks

Let’s begin with ransomware, which is one of the most dominant threats to every school. Modern cyber-criminals have good reasons for setting their sights on the education sector. Schools have not only a moral obligation but also a legal responsibility to protect student data. With accounting systems, student records, payroll, and financial data all at risk, hackers are betting that schools will be willing to make a substantial payment to restore their data.

Recent history has shown that schools will indeed pay when they feel it’s necessary. In 2021, a school district in San Antonio, Texas, paid more than half a million dollars to prevent hackers from releasing sensitive data. The district has since faced significant criticism, but it’s far from the first academic institution to make a desperate choice, and it’s unlikely to be the last.

Types of Threats in Education

Ransomware is only one part of the picture.

At a time when everything is stored digitally, data in higher education has become incredibly valuable, and the risks have grown in kind. From community colleges to elite private universities, all schools need to be prepared for a wide variety of adverse situations, including:

  • Malware attacks and viruses
  • Human errors like accidental file deletion
  • Phishing attacks
  • Misconfigured data migrations or overwrites
  • Hardware failures
  • Application crashes

Additionally, there’s the risk of physical damage to infrastructure through events like fires, floods, and tornadoes, which pose a hazard not only to your data but also to students, staff, and visitors.

All of these concerns should inform your institution’s business continuity planning. Weaknesses in any one area could spell disaster for an ill-prepared university.

Why Business Continuity in Education Is Essential

Whether a school experiences a cyber-attack or a natural disaster, the consequences can be far-reaching. Business continuity planning helps protect academic institutions from significant hardships in an increasingly threatening landscape.

Ransom Attacks

Colleges and schools across the country have experienced a surge in ransomware attacks in recent years. While not every school has agreed to meet the attackers’ demands, many find themselves feeling pressured to pay in order to protect and restore their data.

Consider these alarming statistics from a recent study conducted by Sophos:

  • 66% of higher education institutions experienced a ransomware attack in 2021 compared to 44% in 2020.
  • 50% of higher education organizations paid ransom demands to restore their data, but only 2% recovered all their data after paying.
  • Recovery rates for education are slow, with 9% of organizations saying that their recovery periods ranged between 3 and 6 months.

These statistics represent the real-life experiences of schools throughout the United States that have suffered as a result of ransomware. For instance, in the summer of 2022, the Cedar Rapids school district paid an undisclosed ransom to prevent hackers from releasing stolen data. Public school districts are notoriously underfunded, and ransomware attacks can put a significant burden on their budgets and on local taxpayers.

Ransomware attacks on colleges often operate on a larger scale. In 2021, a massive cyberattack affected hundreds of organizations, including California State University, Stanford University’s School of Medicine, and Yeshiva University in New York City. The hackers in this case stole private information from students, faculty, and staff, and in some cases shared screenshots of private data online. These hacks can cause schools long-lasting reputational damage and put them at risk of regulatory penalties.

Experts warn that college ransomware attacks are on the rise as hackers deploy more targeted attacks in hopes of securing larger ransom payments. In 2022, 44 universities and colleges reported experiencing ransomware attacks, and this number likely only represents a fraction of the actual incidents. Many organizations never report cyber-attacks and attempt to resolve them quietly without the public’s knowledge to avoid damage to their reputation.

Closure Risks

In late 2021, Lincoln College in Illinois received a ransom note stating that school administrators no longer had access to student enrollment, admissions, and fundraising data. The college paid a ransom through its cyber insurance policy, but doing so didn’t grant staff immediate access to their files. Instead, they struggled for months to fully recover. Ultimately, as a result of the attack, they permanently closed their doors in May 2022.

Lincoln College isn’t alone. A total of 48 colleges closed in 2022, a notable uptick from 35 colleges in 2021. The closures are a result of a combination of factors, including the COVID-19 pandemic, cyber-attacks, reduced enrollment, and lost funding. Experts anticipate that closures will continue to rise, particularly among small schools that serve specific student populations. These schools, which tend to enroll fewer than 1,000 students, are the most at risk of being shuttered by an unexpected disaster.

A 2020 study by U3 Advisors found that the majority of colleges have increasing debt levels and decreasing revenues, which places them in an especially vulnerable position. The study also revealed that approximately 560 schools in higher education are at serious risk of closure or consolidation within the next several years even without taking into account the impact of COVID-19.

Even a single ransomware attack or extended period of downtime could be enough to force a small college to permanently close its doors, which is why schools of every size need to take continuity planning seriously.

How to Create a Business Continuity Plan for Colleges

Colleges and universities must have detailed plans for preventing, responding to, and recovering from a multitude of disaster scenarios. The foundation of this planning is a business continuity plan (BCP). A BCP for colleges is much like the kind you would create for any other organization. It’s a comprehensive document that outlines all the systems and protocols for mitigating the impact of a disruption.

Consider Departmental Specifics

At a college, some departments may require their own specific continuity planning. For example, Alabama Crimson Tide’s multimillion-dollar football program may have completely different continuity objectives than its admissions department. However, even when department-specific plans are in place, there should still be a single college-wide BCP that provides a continuity framework for all other units to follow.

Incorporate Key Categories

A BCP is often a lengthy document that encompasses every aspect of disaster prevention and response. While every BCP should be developed according to the specific needs of the institution, these are some of the core categories that should be included in every plan:

  • Plan objectives: Identify what the plan aims to achieve and what its areas of focus are. You may need separate plans for disaster planning and IT-specific concerns.
  • Key contacts: Establish who wrote the plan, who maintains it, and which stakeholders to inform first when it’s time to activate your recovery plans.
  • Risks: Conduct an assessment of all likely disaster situations that pose a threat to a university’s operations, systems, or people.
  • Impact: Analyze how each risk will negatively impact the organization.
  • Prevention: Describe implemented systems and protocols for preventing disruptions from occurring.
  • Response: Detail immediate steps for mitigating a disaster situation, assessing the damage, and getting people to safety.
  • Recovery: List the procedures for fully restoring systems and operations.
  • Contingencies: Compile a list of secondary resources, equipment, or locations that staff can utilize if primary means are destroyed or inaccessible.
  • Communication: Outline how recovery personnel will remain in contact and communicate important status updates to all affected parties, including students, staff, parents, and visitors.
  • Recommendations: Suggest improvements and solutions for weaknesses that your team has identified in the existing continuity planning.
  • Plan review schedule: Create a timeline for reviewing the plan and making updates on a regular basis throughout the year.

Each of these categories serves a unique purpose within your BCP and allows you to develop the best possible system for protection and recovery. The risk assessment and impact analysis are arguably the most important components of a business continuity plan. Without them, you’ll never truly know which disaster scenarios to prepare for or how they would disrupt the school. Let’s dig a little deeper into these two categories.

Assess the Risks

It might seem logical to assume that all colleges face the same risks, but it’s critical for each institution to conduct an individual, specific assessment. While many institutions share the same common risk types, such as cyberattacks and power outages, some schools are naturally more prone to experience certain disruptions than others.

For example, schools located along the southeastern U.S. coastline will be more at risk of hurricanes, while universities in southern California will be more at risk of earthquakes. Other types of threats may seem more benign, but they can still cause significant disruptions. Consider large-scale political demonstrations and student sit-ins and how they might affect your school’s ability to operate. Each school will have its own unique risks, which is why it’s important to assess them all individually.

Understand the Impact

An impact analysis helps a higher education institution understand exactly how each threat would negatively affect operations. Negative outcomes can manifest in some ways that are obvious and others that are more unexpected. These are some of the most common impacts that your BCP should address:

  • Anticipated length of the outage or interruption
  • Cost of downtime, idle staff, and wages
  • Cost of recovery and repairs
  • Effects on classes, enrollment, and other operations
  • Long-term effects on school funding and reputation

A thorough impact analysis will consider all these factors and how they translate into actual monetary costs.

Regardless of whether a university is public, private, for-profit, or non-profit, continuity planning is a matter of survival. Like any organization, schools must focus on continuity and the bottom line. A failure to understand the impact of a major disaster could spell doom, especially for an already struggling college.

How to Reduce Damage from Disasters

Schools may be facing unprecedented threats on multiple fronts, but there are ways to minimize the risks at your institution. Taking some fundamental steps will lower the chance that the effects will be insurmountable when a disaster arrives.

Perform Frequent Data Backups

When it comes to protecting your school’s data, backups have a vital role to play. Without them, institutions leave themselves open to the risk of prolonged downtime when data loss inevitably happens. Data loss and downtime are costly, often to the tune of millions of dollars, and higher education organizations have a lot at stake.

Consider the impact of a ransomware attack that blocks access to all student applications and records within an admissions department or the loss of financial aid applications and award statuses. Even a single accounting spreadsheet that somebody accidentally deletes can derail an entire department for days.

A recent study found that education institutions lost $3.56 billion to downtime caused by ransomware in 2021. The longer this downtime lasts, the more expensive it becomes. Using a reliable data backup solution helps ensure that you can restore your data and get systems back up and running as quickly as possible. With high-quality data backup services, schools can also back up their files every few minutes to prevent gaps in their data restoration.

Prepare for Natural Disasters

Natural disasters pose a risk to both people and IT systems.

In preparation for a hurricane or blizzard, schools often cancel classes and close administrative offices. While this itself is an operational disruption, it’s also smart planning. Closing campuses leading up to a weather event ensures the safety of staff and students by allowing them to stay home or evacuate.

Behind the scenes, schools also take other precautions. In the event of a hurricane, for example, colleges face the risk of severe flooding and the potential for damage to IT infrastructure. They can keep their critical data secure by storing backups off-site, away from the physical threat of the storm, and using hybrid cloud backups. These backups store data in two locations: on campus for the fastest possible recovery speeds and in the cloud for added protection against on-site events.

Plan for Degraded Service in Addition to Full Recovery

Keep in mind that instant recovery from a major disaster is an unrealistic goal for any school, no matter how prepared. Your continuity planning needs to outline how critical functions should continue at a degraded service level.

First, identify which operations are most vital. In other words, determine which functions cannot be disrupted under any circumstances. Then identify what’s needed to keep those operations running at a minimum level, such as technology, equipment, personnel, and electricity.

Each operation, and indeed each unit of the college, will have its own requirements. To make full recovery a reality, you must have proper planning to keep these essential functions active while your systems are impaired.

Quickly Initiate Emergency Responses

The moments immediately following a disaster will almost always dictate the speed and success of the recovery. If steps aren’t taken quickly to assess the situation and mitigate the damage, then recovery efforts will stretch out longer. Schools with solid business continuity planning can activate disaster-response protocols right away, which substantially increases the odds of a full recovery.

Effectively responding to various types of disasters is challenging without a detailed emergency response plan. Designated recovery teams should know exactly what to do after a disruption, whether it’s people-focused (e.g., seeking safety for students) or IT-related (e.g., restoring a backup after data loss).

Take Advantage of Business Continuity Resources and Tools

Schools play a central role in students’ academic and social development, and business continuity is just one piece of a complex puzzle that ensures students receive the best possible experience in a safe environment free of disruptions or delays. If your school needs to implement strong continuity planning and systems, the experts at Invenio IT are happy to help.

Looking for a better data backup solution to protect student and staff information? Request a free demo of advanced data backup solutions that can protect against data loss, ransomware, and downtime. Or reach out to our business continuity team to learn more about disaster recovery and creating a BCP that works best for your school.
