Higher ed isn’t ready for AI-scale cyberattacks
Higher education institutions have long understood the theoretical risks of cyberattacks. What many leaders are only now beginning to confront is the operational scale of disruption that modern attacks can create.
The recent ransomware attack affecting Canvas forced colleges and universities across the country to delay exams, pause coursework, and communicate with students through backup channels during finals week. And Canvas is hardly alone. Institutions continue to face ransomware attacks, data breaches, and third-party vendor compromises that disrupt instruction, research, payroll, housing, and other core operations.
At the same time, cyberattacks are becoming faster and more sophisticated. AI-enabled phishing campaigns, automated vulnerability scanning, and increasingly coordinated ransomware operations are lowering the barrier for attackers while increasing the pressure on institutions. Higher education’s decentralized operating models and complex technology ecosystems make colleges and universities particularly vulnerable.
Cyber incidents are not simply IT events; they can quickly become enterprise-wide crises.
-
The cost of data recovery: Ransom and beyond
Instructure, the company that owns Canvas, confirmed that it agreed to pay a ransom to regain access to data. Instructure is not alone in this decision. In a 2025 Sophos survey, 69% of institutions reported they paid a ransom to restore data. The median payment was $463,000, and total recovery costs were $900,000.
Cyber crisis response requires cabinet-level coordination
Whether leaders ultimately decide to pay a ransom or refuse, the larger issue is that institutions often underestimate how complex those decisions become in real time.
A serious cyberattack immediately becomes a leadership coordination challenge. While IT teams work to assess system damage and restore operations, senior leaders must simultaneously manage institutional continuity, communications, legal exposure, governance, and public trust.
In practice, that means rapid coordination across three critical areas:
1. Executive decision-making and governance
The president, cabinet, and governing board must align on authority, risk tolerance, and major decisions.
Sample considerations:
Risk threshold
- What level of operational disruption, financial loss, or data exposure is acceptable before escalating decisions?
Rapid decision making
- Do we engage with the threat actor?
- Do we consider paying the ransom?
- When do we escalate to the board?
2. Legal, risk, and security response
General counsel, the CIO, and risk leaders assess exposure, compliance obligations, and recovery options.
Sample considerations:
Liability and exposure
- What is the scope of the breach?
- What data was impacted?
Regulatory disclosure requirements
- What do FERPA and/or HIPAA require?
- What do our contractual obligations to partners entail?
3. Communications and operational continuity
Communications, academic leadership, and administrative units coordinate messaging while sustaining core functions.
Sample considerations:
Communication plan
- Can we quickly communicate need-to-know information?
- Do key leaders know their role in keeping the campus community up to date?
Continuity plan
- Do we have alternate methods for instruction?
- Can core administrative functions (e.g., payroll) continue?
Putting emergency response plans into practice
Many colleges and universities have incident response plans on paper. Far fewer have practiced making these decisions collaboratively under realistic conditions. Institutions often struggle not because leaders disagree on goals, but because decentralized structures and unclear decision-making processes slow coordinated action during moments of stress. And cyber crises quickly expose those vulnerabilities.
Tabletop exercises help colleges and universities move beyond theoretical planning and pressure-test how leaders would actually coordinate during a major disruption. They also reveal operational dependencies that leaders did not fully appreciate beforehand.
EAB supports institutions in preparing leadership teams for enterprise-level crisis response in two ways:
1. Resource center for security incident preparedness
EAB’s IT Strategy Advisory Services partners can access our Security Incident Response Tabletop Exercise Resource Center to prepare for security threats. The resource center provides tools, templates, and facilitation guidance institutions can use to practice coordinated emergency and cyber response planning across campus leadership teams.
2. Live tabletop exercises for IT and cabinet leaders
EAB also facilitates live tabletop exercises tailored to college and university leadership teams.
Depending on institutional needs, exercises can focus on:
- IT and information security response teams
- Cabinet and executive leadership teams managing enterprise-wide crisis decisions
These facilitated sessions simulate the operational, reputational, and governance pressures institutions face during a significant cyberattack. Participants work through realistic scenarios in real time, helping institutions identify gaps in communication, escalation protocols, and decision-making before a real incident occurs.
Availability for live tabletop exercises is limited. To schedule a facilitated tabletop exercise for your team, reach out to [email protected] or your Strategic Leader today.
Get expert guidance on emergency preparedness
If you are not an IT Strategy Advisory Services partner, fill out the form to learn more about how EAB can support cybersecurity and crisis response on campus.
More Blogs
What we’re learning about AI governance in higher education
Inside our Presidential Experience Lab at OpenAI
