“I literally have a small version of it in my wallet,” said Pamela Senegal, president of Piedmont Community College and chair of the technology committee for the North Carolina Community College Presidents Association.
The “it” is the North Carolina community colleges’ cyber incident response call tree information sheet.
After a cyberattack at Richmond Community College (RCC), the technology committee put together a list of contacts for community colleges to call in the event of a suspected cyberattack.
Once a cyberattack occurs, investigation and recovery involve the community college system office information technology (IT) personnel, State Bureau of Investigation, Federal Bureau of Investigation, Department of Public Safety, Department of Information Technology, the North Carolina National Guard, and the North Carolina Local Government Information Systems Association “Strike Team.”
While efforts to enhance security across the system continue, colleges won’t be able to toss out the call tree list any time soon.
“Cyberthreat, in my mind, is not going away in the near future,” said Jim Parker, senior vice president and CIO of technology solutions and distance learning at the North Carolina Community College System (NCCCS).
Between 2019 and 2020, ransomware attacks on colleges nationwide doubled. Ransomware is a type of malware that threatens to publish data taken from a company’s or individual’s computer unless a ransom is paid. The average ransomware demand in the U.S. was $312,493 in 2020 – more than double the ransomware demand in 2019.
While the FBI discourages victims from paying cyberattackers, several colleges across the country have admitted to paying the ransom. In July 2020, the University of California, San Francisco paid $1.14 million to hackers. In fall 2020, the University of Utah paid $475,000.
And potential financial loss is not the only concern for colleges. When hit by a cyberattack, colleges can lose personal data, time, resources, and sometimes years’ worth of class material.
Cyberattacks at North Carolina community colleges
Since 2019, there have been four major cyberattacks at community colleges in North Carolina.
“We are in a threat pattern where higher educational institutions and medium to large-sized businesses are targets,” Parker said.
RCC experienced one of the first major cyberattacks in the system. Trickbot malware locked and encrypted the college’s Windows-based servers in July 2019. It took all online services down.
“Payroll went from taking an hour and a half to about 14 and a half hours,” said Dale McInnis, president of RCC.
It took weeks to recover and impacted how students paid and registered for classes. And while student and employee information was unaffected, the college had to get creative. RCC staff registered people on paper and rigged phones for receptionists in key positions.
By fall 2020, two more community colleges experienced cyberattacks that locked down systems and interrupted daily operations. Ransomware attacks shut down Guilford Technical Community College and Piedmont Community College for one day.
“The minute my IT staff saw some corrupted data, they stopped what they were doing, and they called that [incident response call tree] number,” said Senegal.
Even though each college’s core business operations were only down for one day, they’re still mitigating the effects of the cyberincidents.
“I’d say we’re almost 100% recovered, but we’re not completely there,” said Guilford Technical Community College’s president, Anthony Clarke.
Central Piedmont Community College (CPCC) experienced the longest shutdown in February 2021 after a ransomware attack put the college on pause for almost two weeks. The attack on CPCC disrupted their day-to-day operations and wiped out a number of classes.
At the time of the attack, CPCC was in the process of phasing out Blackboard, the learning management system (LMS) used for delivering courses online. But the phase-out of Blackboard and full implementation of the new LMS, Brightspace, wasn’t supposed to happen until fall 2021.
Classes still housed in Blackboard were lost in the cyberattack. Everything from course plans to assignments and grades was gone.
“It really requires the college to pull together and do so pretty quickly,” said Jeff Lowrance, vice president of communications, marketing, and public relations at CPCC.
Colleges across the state stepped up, offering Brightspace course shells for lost CPCC classes, but some faculty members still had to rebuild their courses from scratch.
“That’s when you had faculty helping faculty,” Lowrance said.
Taking a systemwide approach
Before the cyberattack at RCC, the system’s approach to security was on an individual level, Parker explained.
But that’s since changed.
The system office established a memorandum of understanding (MOU) last year with the North Carolina Department of Information and Technology (DIT). The MOU is an agreement between NCCCS and DIT that says NCCCS will follow the state’s policies with regard to security.
“What this does is it requires us to come together a little bit more as a system … to establish some common approaches,” said Parker.
One of the first things the system office spent money on was a multi-year contract with an education and training vendor.
“We didn’t just go with basic training,” Parker said. “We went to the vendor and said, ‘We handle student FERPA-related information in addition to [personal identifiable information] and health information that needs to be protected.’”
The educational material trains community college employees on how to handle such information and be cognizant of cyberthreats.
While education is a first step, leaders around the state say that they need a deeper bench of IT experts.
At February’s State Board of Community Colleges meeting, the system office outlined the impact of the four ransomware attacks and asked the State Board to approve a legislative request of $1,497,301 in recurring state funds to hire nine regional security officers.
These nine regional officers would be spread out across the state and would provide staff leadership, support, policy, development, localized training, and program evaluation.
“Their total responsibility is to stay current with the latest cyberattack tactics, to monitor our logs for suspicious activity, and to make recommendations about policy settings that we should have, or make, as a result of potential new vulnerabilities that literally come out every day,” said Senegal.
How can colleges prepare?
While the system is revising its cybersecurity approach, individual colleges are taking steps to protect themselves as well.
Caldwell Community College & Technical Institute (CCC&TI) is educating network users about suspicious emails and what to do if they receive one.
“I think the best defense for cybercrime right now is our users,” said Susan Wooten, vice president of technology and instructional support services at CCC&TI.
The IT department at CCC&TI uses software that allows them to simulate phishing attacks. If the user falls for the phishing attack, they are redirected to a training site that provides them with information on what they did wrong and what to look for next time.
Overall, system and college leaders have advice for colleges looking to protect themselves:
- Train your users. Remind them that “It’s you they are coming for,” said Wooten.
- Keep your phone tree list close. If a cyberattack is suspected, start your call tree immediately. “Colleges should establish contacts with state and federal authorities and perhaps discuss their systems beforehand — making sure they are in as good of a position as they can be,” Lowrance said.
- Know what kind of cybersecurity insurance you need. Senegal reminds presidents to have conversations with their insurance agents about what their cybersecurity insurance should cover.
- Assume your systems could be impacted. “Colleges and universities are being targeted,” Lowrance said.
And at the end of the day, understand there is no magic bullet for cybersecurity.
“The more we can make our faculty and staff and students aware to be on the ready and alert and prepared to deal with the threat … I think the better and more effective we’re going to be,” said Parker.