Prevention

Prepare

Reduce attack surface, raise the cost of a successful intrusion, and rehearse the response.

• Enforce MFA — phishing-resistant where you can.
• Maintain immutable, tested backups for tier-1 systems.
• Segment networks and harden remote access.
• Patch on a defined cadence; track third-party SaaS exposure.
• Run regular phishing simulations and security training.
• Hold annual tabletop exercises across roles.

Detect

Catch ransomware activity early — before encryption, ideally during initial access.

• Deploy EDR on all endpoints with tuned alerting.
• Centralize identity provider logs and hunt continuously.
• Monitor for impossible travel, MFA fatigue, OAuth grants, and rogue mailbox rules.
• Empower users to report suspicious activity in one click and reward reports.
• Watch for early indicators: mass file renames, shadow-copy deletion, unexpected admin tool use.

Early-warning signals to watch

Most ransomware intrusions show identity, endpoint, and human-reported signals before encryption begins. Watch for combinations rather than single events.

Top prevention controls for higher ed

1. Phishing-resistant MFA on privileged accounts; MFA campus-wide. Per CISA, only FIDO/WebAuthn and PKI reliably resist phishing.
2. Immutable, tested backups for tier-1 systems, restored end-to-end at least quarterly.
3. Network segmentation separating research, administrative, student, and IoT/lab environments.
4. Hardened remote access: disable internet-exposed RDP; place VPNs behind MFA and conditional access.
5. Asset and SaaS inventory with monitored exposure to high-impact CVEs — recent higher-ed breaches have been driven heavily by exploited third-party software.
6. EDR everywhere with documented response playbooks.
7. Continuous identity hunting: impossible travel, MFA fatigue, OAuth grants, mailbox rules.
8. Phishing simulations and short, frequent training; reward reporting.
9. Annual tabletop exercises across IT, leadership, communications, and legal.