Education is the industry most likely to be hit by ransomware attacks, according to a new report from security ratings provider BitSight.

The report analyzed the cybersecurity performance of nearly 20,000 companies across government, healthcare, finance, retail, education, and energy/utilities.

Some 13% of education industry organizations were attacked by ransomware in the past year, compared to about 6% of government agencies and 3.5% of healthcare organizations. The lowest risk was in the financial sector, with only 1.5% of companies affected.

“Ransomware is a legitimate threat, with estimates from the U.S. Justice Department showing that over 4,000 of these attacks have occurred every day since the beginning of 2016,” said Stephen Boyer, co-founder and CTO of BitSight, in a press release. “While several ransomware attacks on healthcare companies have made headlines this year, the issue is more widespread.”

According to the report, ransomware attacks have grown tremendously over the past year, doubling or tripling in some cases. This is due, in part, to the number of different sophisticated strains of the malware now available to cybercriminals, including the Nymaim Trojan and Locky.

Between July 2015 and July 2016, the average security rating in the education industry fell by almost 15%. Each other industry remained relatively steady, the report found.

“This finding is not surprising,” said Engin Kirda, professor of computer science at Northeastern University. “The reason being that these are the organizations that typically have low budgets for deploying state-of-the-art security solutions.”

K-12 schools and universities do tend to have smaller IT teams and budgets, the report stated. Combined with the high rate of activities like file sharing on their networks, this leaves them exposed. A BitSight report released earlier this year found that about 58% of academic institutions allowed file sharing on their networks.

Going after academic institutions that are often in the news for their budgetary problems seems counterintuitive. However, since schools hold a plethora of student and staff data, including social security numbers, medical records, financial information, and research, they are of interest to cybercriminals, the report stated. And schools may be more likely to pay to get that information back in order to avoid HIPAA concerns and other regulatory violations.

In June, the University of Calgary paid a $20,000 CDN ransom after an attack encrypted its email system. “The expertise of our IT department allowed the university to isolate the effects of the attack and make significant progress towards restoration of the affected portions of our systems,” said Linda Dalgetty, the university’s vice-president of finance and services, in a press release. There was no indication that any personal or other university data was released to the public, she added.

Between 2005 and 2013, 551 data breaches occurred at US universities, according to a 2014 study from Educause. Symantec’s 2016 Internet Security Threat Report ranked education third overall among the top 10 most-breached sectors, after health and business. Some five million identities in the education sector were exposed due to these attacks, the report found.

BitSight offers the following tips for protecting your organization against ransomware:

  • Establish email security protocols, including educating employees about phishing attacks and ways to stay safe on company networks.
  • Identify commonly used vendors and monitor them for malware.
  • Continuously check security systems and networks to determine possible areas of weakness or signs of infection.
  • Avoid peer-to-peer file sharing on your network, and inform employees of this policy.

The 3 big takeaways for TechRepublic readers

  1. The education industry was the most likely to be affected by ransomware in the past year, followed by government and healthcare, according to a new BitSight report.
  2. New, sophisticated strains of ransomware including Nymaim Trojan and Locky have led these attacks to double and even triple in some industries.
  3. IT leaders should establish email security protocols, monitor vendors and their own security systems, and avoid allowing peer-to-peer file sharing on their networks.