A Guide to Business Continuity Planning in Education
In the age of ransomware, maintaining business continuity planning in education has never been so important.
Consider the mindset of today’s cyber-criminals …
How much money would an elite university be willing to pay to restore all its data—accounting systems, student records, payroll, financial aid data—after an infection?
We already know small local governments are willing to pay hundreds of thousands of dollars in ransom payments. There’s even more at stake for large colleges that have even bigger budgets than those municipalities—and more sensitive data. A successful attack won’t just cost these schools a ransom payment. It could shut down the college.
The threats are numerous
Ransomware is only one part of the picture.
At a time when everything is stored digitally, data in higher education has become incredibly valuable. As such, the risks have become incredibly dangerous.
Colleges of all sizes need to be prepared for a wide variety of adverse situations:
- Malware attacks and viruses
- Accidental file deletion
- Phishing attacks
- Misconfigured data migrations / overwrites
- Hardware failure
- Application crashes
Additionally, there’s the risk of physical damage to infrastructure, like fire, flooding, and severe weather—not to mention the threat of human harm to students, staff and visitors.
All of this needs to be factored into an institution’s business continuity planning. Weaknesses in any one area could spell disaster for an ill-prepared university.
Hackers demand $2 million from NYC college
Monroe College was one of the latest American colleges to feel the pain of a ransomware attack.
In July 2019, the NYC-based school was sidelined by an infection that knocked down its email systems, website and several information systems.
Hackers demanded a staggering $2 million to restore the college’s data. While it’s not known whether Monroe paid up, the attack itself was enough to disrupt the college at the worst possible time: just prior to the start of a new school year.
Experts warn that college ransomware attacks are on the rise as hackers deploy more targeted attacks in hopes of securing larger ransom payments. Other schools attacked this year include Oberlin, Grinnell, Hamilton, Regis and Stevens Institute of Technology.
Colleges and universities must have detailed plans for preventing, responding to and recovering from a multitude of disaster scenarios. The foundation of this planning is a business continuity plan (BCP).
A business continuity plan for colleges is much like a BCP for any other organization. It’s a comprehensive document that should outline all the systems and protocols for mitigating the impact of a disruption.
At a college, some departments may require their own specific continuity planning. For example, Alabama Crimson Tide’s $56 million football program may have completely different continuity objectives than its admissions department. But even when department-specific plans are in place, there should still be a single college-wide BCP that provides a continuity framework for all other units to follow.
Sample business continuity plan outline for colleges
While every BCP should be developed according to the specific needs of the institution, these are some of the core categories that should be in every plan:
- Plan objectives: What the plan aims to achieve and what its areas of focus are, i.e. all disaster planning or IT-specific concerns.
- Key contacts: Who wrote the plan, who maintains it, which stakeholders “need to know first” when recovery plans need to be activated.
- Risks: An assessment of all likely disaster situations that pose a risk to a university’s operations, systems or people.
- Impact: An analysis of how each risk will negatively impact the organization.
- Prevention: Implemented systems and protocols for preventing disruptions from occurring.
- Response: Immediate steps for mitigating a disaster situation, assessing the damage and/or getting people to safety.
- Recovery: Procedures for fully restoring systems and operations.
- Contingencies: A list of secondary resources, equipment or locations to be utilized if primary means are destroyed or inaccessible.
- Communication: How recovery personnel will remain in contact and communicate important status updates to all affected parties (students, staff, parents, etc.).
- Recommendations: Suggested improvements and solutions for weaknesses that are identified in the existing continuity planning.
- Plan review schedule: Timeline for reviewing the plan and making updates on a regular basis throughout the year.
The risk assessment and impact analysis are arguably the most important components of a business continuity plan. Without them, you’ll never truly know which disaster scenarios to prepare for or how they would disrupt the school.
Aren’t the risks the same for every college? Not necessarily. While many institutions share the same types of risks, some schools will be naturally more prone to certain disruptions than others.
For example, schools located along the southeastern U.S. coastline will be more at risk of hurricanes. Universities in southern California will be more at risk of earthquakes.
And what about large-scale political demonstrations and student sit-ins? How about cyberattacks? Utility outages? River flooding?
Each school will have its own unique risks, which is why it’s important to assess them all individually.
Understanding the impact
An impact analysis helps a higher education institution understand exactly how each threat would negatively affect operations.
Examples of impact:
- Anticipated length of outage / interruption
- Cost of downtime, idle staff, wages
- Cost of recovery and repairs
- Effects on classes, enrollment and other operations
- Long-term effects on school funding and reputation
A thorough impact analysis will consider all these factors and how they translate into actual monetary costs.
It does not matter whether the university is public, private, for-profit or non-profit. Like any organization, schools must be focused on continuity and the bottom line. A failure to understand the impact of a major disaster could spell doom for an already struggling college.
A risk of closure
Since 2016, more than 120 for-profit and non-profit colleges have closed down permanently, due to shrinking enrollment and other factors.
A 2016 report by Ernst & Young found 800 schools to be vulnerable to closure, due to “critical strategic challenges.” These schools, which tend to enroll fewer than 1,000 students, are the most at risk of being shuttered by an unexpected disaster.
Even a single ransomware attack could be enough to force a small college to permanently close its doors. This is why every school, regardless of size, needs to take continuity planning seriously.
The role of data backup
Data backup plays a vital role in business continuity for higher education. Without it, institutions leave themselves open to the risk of prolonged downtime when data loss inevitably happens.
That downtime can be costly.
Consider the impact of a ransomware attack that blocks access to all student applications and records within an admissions department. Or the loss of financial aid applications and award statuses. Even a single accounting spreadsheet that somebody accidentally deletes can derail an entire department for days.
Depending on the size of the school, each hour of downtime can cost anywhere from $10,000 to $5 million, according to an analysis by Datto.
Schools need to be backing up their data at least once a day, at minimum, across every department.
- Tip: Today’s best disaster recovery solutions enable universities to back up their data as often as every 5 minutes, minimizing the risk of data loss.
Preparing for natural disaster
Natural disasters pose a risk to both people and IT systems.
In preparation for Hurricane Dorian, several universities along the southern coastline announced they would close down for the storm. And while this itself is an operational disruption, it’s also smart planning. Closing the campuses ensured the safety of staff and students by allowing them to stay home or evacuate.
But behind the scenes, schools took other precautions too. With the risk of severe flooding and the potential for damage to IT infrastructure, Florida universities needed to be sure their critical data would be secure, as well.
For well-prepared colleges, this meant storing backups off-site, away from the threat of disaster.
- Tip: Schools should strongly consider hybrid cloud backups, which keep backups in two locations: on campus for the fastest-possible recovery speeds, and in the cloud for added protection against on-site disasters.
The moments immediately following a disaster will almost always dictate the speed and success of the recovery.
If steps aren’t taken immediately to assess the situation and mitigate the damage, then recovery efforts will take much longer. On the flipside, if disaster-response protocols are activated right away, then the odds of a full recovery will be far greater.
Effectively responding to various types of disasters is challenging without a detailed emergency response plan in place. Designated recovery teams should know exactly what to do after a disruption—whether it’s people-focused (i.e. seeking safety for students) or IT-related (i.e. restoring a backup after data loss).
Degraded service vs. full recovery
Keep in mind that no school will be able to instantly recover from a major disaster. So your continuity planning needs to outline how critical functions should continue at a degraded service level.
First, identify which operations are most vital (the functions that cannot be disrupted no matter what). Determine what’s needed to keep those operations running at a minimum level – i.e. technology, equipment, personnel, electricity, etc.
Each operation, and indeed each unit of the college, will have its own requirements. But in order for a full recovery to be possible, proper planning must be in place to keep these essential functions running.
Stronger data protection for colleges and universities
Get more guidance on implementing stronger continuity planning and systems for your school. Request a free demo of advanced data backup solutions that can protect against data loss, ransomware and downtime. Or for more information, contact our business continuity experts at Invenio IT: call (646) 395-1170 or email success@invenioIT.com.