A good back-to-school shopping list includes fresh pencils, a shiny new notebook or two, and (checks notes)…cash for a ransom note?
Every college and university that had encrypted its data was able to regain control of it after an attack last year, according to an international survey of IT leaders conducted by Sophos. But these institutions were also more likely to pay a ransom to do so than organizations in other sectors.
The UK-based cybersecurity firm’s annual report, which publishes data on the impacts of ransomware, said 100% of higher-education and 99% of lower-education organizations surveyed restored their encrypted data after bad actors hijacked it. The report is based on responses from 3,000 IT and cybersecurity stakeholders from 14 countries, and included 400 education respondents.
But before we give IT administrators an honorary degree in crisis management, consider that the survey also found colleges and universities more likely than organizations in other industries to pay a ransom: 56% of over-18 institutions coughed up the funds to recover their data, compared to 46% of ransomware victims across all sectors.
These costs add up: The average ransom price tag this year is $1.54 million, almost twice the mean amount from 2022, Sophos said.
Higher ed underperforms when it comes to maintaining data backup systems, according to the survey, which found that less than two-thirds (63%) of colleges and universities used backup systems to restore their data, compared with 70% of organizations across sectors and 73% of lower-ed institutions.
Read more here.—KG
When Tigran Sloyan was at MIT, it was an embarrassment of riches when it came to recruiters. “Every single tech company [and] non-tech-company showed up two times a year, right to our doorstep,” Sloyan told IT Brew. While he acknowledges that he has math and programming skills, he understands that having MIT on his résumé fast-tracked him to jobs at Google and Oracle.
That’s why Sloyan created CodeSignal, a tool that helps companies identify the right person with the right skills, no matter what their résumé looks like. Today, CodeSignal announced Cosmo, a new chatbot that uses AI to help companies find the right candidate for their technical jobs, partly by determining if the applicant has used generative AI to cheat on their coding tests.
Why CodeSignal? “At the high-level view, we think of ourselves as a skills platform,” says Sloyan. “Skills are going to become more and more central to everything we do. Technology has always created [the need for] new skills and displaced existing ones. We used to ride horses and then all of a sudden, cars came along, and then we didn’t need to learn how to ride horses.”
Companies like Meta, Instacart, and Zoom use CodeSignal with the intention of making the process of hiring technical employees more efficient, effective, and fair, assessing candidates’ coding skills through a structured and standardized process. But skills needed for technical jobs are constantly evolving.
Read more here.—MM
API keys—the credentials that allow an individual to access an application’s resources—have a way of being left out on the welcome mat if a developer’s not careful.
In June, for example, Motherboard reported that stolen API tokens for OpenAI have been scraped from code-collaboration sites.
As API keys become an enticing target for hackers looking for application data, developers must be careful as they share them, even with trusted partners. Secure trading practices include technologies like secrets-management platforms, as well as a thorough vetting process.
“There are well-known standards now in terms of how APIs are exchanged between trusted partners,” Kris Lahiri, co-founder and CSO of the enterprise file-sharing service Egnyte, told IT Brew. “That needs to be embedded in a process of diligence around how your partners are even verified.”
Key points. A company like Egnyte may need to integrate with a separate service, like Salesforce, Lahiri said. Or perhaps a defense contractor requires a rocket manufacturer’s data. Both situations potentially involve a key exchange.
That means an API key—a long string of characters, basically—may be sent along to provide the access. An attacker with that credential can potentially see all the information provided by the API.
“You’re free to steal anything in the application; you are free to just pummel the application for anything it will tell you and now it’s all yours,” said Michael Hamilton, CISO at the cybersecurity company Critical Insight.
Keep reading here.—BH
Today’s top IT reads.
Stat: 95 degrees Fahrenheit. That’s the highest ambient operating temperature recommended by Apple and Samsung before your smartphone’s battery suffers permanent damage. (the Wall Street Journal)
Quote: “The operators were trained to find some confidential documents, but we’re not sure exactly what they were looking for.”—ESET researcher Matthieu Faou on a Belarus-tied hacking group that targeted embassies in the country (TechCrunch)
Read: Zoom needs to be clearer about how it uses your data, argues UNC Charlotte professor Damien Patrick Williams. (Wired)