On July 11, 2019 Monroe College in New York City fell prey to a ransomware attack. The hackers are asking for payment of $2M (170 bitcoin) to release the network, files, and systems back to the control of the college.
The college has yet to decide whether to pay the ransom or not and is evaluating what the impact would be to their campus sites, online students, and viability of the school overall. A spokesperson for the college released an amusing statement.
“We are, in fact, under cyberattack. A lot of our systems are being held—we do not have access at the moment,” they said.
“We are obviously taking this very seriously… but we’ve rolled up our sleeves,” the spokesperson added. “Monroe was founded in 1933, and what that means is we know how to teach the old-fashioned way.”
I encourage you to think about this critically. There are a few things we can learn from this statement:
- It’s good they’ve recognized they are under attack, but the fact that they have no access to any of their vital operating systems is really concerning. Instructors’ and professors’ materials (possibly a whole year’s worth of work), transcripts, employee records, billing information, and tuition records could all be locked up tighter than a drum. They are not “okay.”
- Whether they take this matter seriously or not is immaterial to the reality that they either must pay, restore from backup, or stop operating in the manner they are currently operating.
- Saying that they’re more than willing to “go old school” seems more like a cheeky deflection than a true plan. Most colleges now have online learners and high school students utilizing dual enrollment online, and they now have no way to get to their course work. It’s not actually feasible for any educational institution to abandon technology in today’s world.
Was this preventable?
No ransomware attack is 100% preventable, but some planning, testing, and coaching can go a long way in ensuring your recovery goes as smooth and complete as possible.
Things you can do:
- Risk Assessment: Get an objective and predictable measurement of your security so that you know where you’re at and how any changes you make will improve your security posture.
- Road Map: Speaking of improving security posture, make sure your score is not just a score. It’ll be easier to make actionable improvements to your security program if your assessment comes with industry-backed and expert-proven recommendations for becoming more secure within your business.
- Incident Response Planning: You need to be able to act out a plan quickly and thoroughly in the event of an incident or breach. Create your plan, share it with your employees, improve it with experts, and practice it so that all the departments of your business are ready to mitigate the damages that may come with a breach attempt.
- Board Buy-In: Executives are constantly barraged with funding requests, and they often have very little time to listen to spiels about them. It’s important that you have a defensible plan with solid details—and one that you can present in a hyper-efficient manner. Their buy-in will be crucial, and they will likely play a big part in executing it.
If your organization is missing any of these, please reach out to us. We’re happy to facilitate industry-proven solutions for improving the security posture of your organization and will happily walk you through approaching information security in the age of ransomware.