Frequently asked questions

Quick answers to common questions from across campus.

Is ransomware really a higher-ed problem?

Yes. Recent reporting documents over a hundred attacks on colleges and schools in just the first half of 2025, and a small number of breaches via exploited third-party software exposed millions of higher-ed records. Open networks, decentralized procurement, and valuable data make universities high-value targets.

Should we pay the ransom?

Treat the ransom decision as a strategic, legal, and ethical one — not a technical one. Many incidents are resolved without payment. Coordinate with counsel, your cyber-insurance carrier, and law enforcement (in the U.S., FBI and CISA). Payment does not guarantee recovery and can expose the institution to legal risk.

Who is in charge during an incident?

An Incident Commander, named in advance, directs the response regardless of normal seniority. Senior leadership owns business decisions (which services to suspend, what to communicate, ransom posture). Communications and legal coordinate external messaging and notifications.

What if I’m a student or faculty member and I think I clicked a phishing link?

Stop using the device, change the affected password from a different device, and contact the IT help desk immediately. Don’t delete the email or any artifacts — IT may need them. Speed matters more than embarrassment.

How often should we test backups?

At least quarterly for tier-1 systems, with documented restoration tests. Untested backups are not backups.

Are tabletop exercises really worth the time?

Yes. They reveal gaps in decision authority, communication channels, and assumptions before an incident, when fixes are still cheap. NIST and CISA both recommend them as a standard practice.

How do I report a possible incident outside business hours?

Your campus should have a documented 24/7 escalation path. If you don’t know it, ask now — not during a crisis.

Can this playbook substitute for legal advice?

No. This playbook gives general, evidence-based guidance for higher education. Specific obligations under FERPA, HIPAA, GLBA, GDPR, state breach laws, and contracts depend on your institution and jurisdiction; coordinate with legal counsel.