Getting hacked — and then what?


In early January 2021, Mott Community College (MCC) in Flint, Michigan, faced every institution’s worst cybersecurity nightmare: its network was breached and taken down, users were effectively locked out, and sensitive information was compromised.

“This whole episode stopped the college cold,” says MCC President Beverly Walker-Griffea. “It was January, and we could not open for the semester. We were totally taken down.”

“Even though they didn’t get into everything, so to speak, they got into some things that made a big difference,” adds Cheryl Shelton, chief technology officer at MCC, who spoke alongside Walker-Griffea and Jason Wilson, vice president, student academic success, at the 2022 AACC Annual this spring; she and Walker-Griffea later gave a Zoom interview to Community College Daily.

One area the hackers took down was the single sign-on server, which allows access to myriad systems. “Without the single sign-on server, it doesn’t matter if [other] things are working, you can’t get to them,” Shelton says.

Secondly, a system that housed “low-level files” was breached, and “those low-level things caused a tremendous amount of pain,” she says.

It took about a week for MCC to repair the breach and restore services, although the college was able to start getting classes operational the second day with a little creativity and hard work.

“You couldn’t use Canvas,” Walker-Griffea says. “Faculty had to reach out to students. We had to create ways to pull rosters. That was not very fun.”

In the days that followed, MCC determined that a student logged in to the Virtual Desktop Infrastructure (at a time when classes were all remote) had clicked a link or attachment, or used a weak password, and the hackers “used that to worm their way in through the rest of our system,” Shelton says. “The student was completely unaware that this even happened to them, and we never told them, to this day — because it wasn’t their fault, per se.”

Into the breach

Since then, MCC has taken several steps to better protect itself. For one, the college has adopted the standards of the National Institute of Standards and Technology (NIST) for passwords, setting a minimum of 15 characters. To help promote that new standard, MCC provided the Dashlane password-saving software product to all users.

“We’re trying to give the college community all the tools possible to embrace security and to be able to function, as well,” Shelton says.

Secondly, Mott implemented multi-factor authentication for employees and students, Shelton says.

“A lot of higher education institutions don’t do that, particularly for students,” she says.

The school has converted its files to encrypted-at-rest, so that if files like the ones that caused so much pain are ever pilfered again, they won’t be as easy to open, Shelton says. The college also has encrypted its emails.

Boosting help

To bolster its ransomware antivirus capabilities, MCC put into place the Carbon Black endpoint security product for all of its servers, laptops and other access points. Given that all systems were down, MCC also used that time to move its Enterprise Resource Planning (ERP) system to the cloud to ensure future security of that system. It also contracted with a security operations center (SOC) to monitor what the system was detecting.

“Somebody has to be able to read and interpret all of those things that came through,” Shelton says. “And we just don’t have that capability.”

MCC hired a virtual chief information security officer (CISO) to help keep it on track with best practices, examining its systems from the outside “to give us the business perspective, versus a college perspective,” Shelton says. The CISO, who reports directly to Walker-Griffea, has found other gaps that have helped strengthen cybersecurity.

To guard against employees or students clicking on the wrong attachment — and to make its insurance company happier — MCC now requires cybersecurity training, Shelton says.

“You have to be able to document your training — how many times you’ve done it, who’s taken it, and things like that. So we’ve started rolling out multiple training measures so that we can inform people,” she says. “Even if you put all these other things in place, if people still don’t know what not to click on, it’s not very helpful.”

Other measures have included locking accounts of people on long-term leave and requiring employees and students to use the VDI to access all sensitive systems to keep data safer, Shelton says.

“We want to really make sure that we don’t have people taking personal information, HIPAA information, etc., and downloading it onto personal laptops or even work laptops, where it can be accessed too easily,” she says, adding that the next step might be a level of mobile device management.

Lessons learned

What can other colleges learn from MCC’s experience? One is the realization that bad actors are usually several steps ahead of you, Shelton says.

“We tried to work in a traditional college mentality, I guess I would say — adopt things slowly, and try to be accommodating,” she says. “You can’t be accommodating anymore. You have to treat your college environment like you treat your bank account. We want to keep those things secure, and use your best practices.”

Mott’s CISO is currently examining how money and personal data move through the college’s system, Shelton says. That can ruffle some feathers at the college as change is tough for some people. But security is a top priority, she says.

Given the way MCC had to scramble to upgrade its ERP system to support Carbon Black, Shelton also suggests that other colleges not let their systems become too out-of-date.

“It can really bite you if you have to upgrade everything within a week’s time,” she notes.

Advice from the president

Walker-Griffea says that one lesson for her as the college president is to never let your guard down. The hackers struck over the winter break, “so we were caught unaware because we were on holiday celebrating,” she says.

Secondly, make sure to have top-shelf cybersecurity insurance.

“It is quite expensive, but when this happens, it is very, very valuable,” Walker-Griffea says.

Her third piece of advice is not to try to control the situation as it unfolds — listen to your insurance provider and do what they say because that’s their business, and not yours.

“They deal with these [hackers] every day,” Walker-Griffea says. “And you have to give up the control just like you do with active shooter [planning]. Just let them do their work. Follow exactly what they tell you to do.”

Typically, the bad actors are watching how a college reacts to its breach, which is part of why it’s important to listen to the experts, she notes.

“If you start going in your own vein, because you think you’re doing it the right way, they can get quite aggressive to the institution, and publicly. That, you don’t want. And other colleges have felt that wrath.”

Walker-Griffea also recommends occasionally cleaning the system and reconsidering what is saved.

“You find that you have things that should have been erased a long time ago, or you find data that should never have been saved, ever, because they contain Social Security numbers and other kinds of things that you never want out there,” she says.

MCC is happy to talk in more detail with other colleges about its experience, Walker-Griffea adds. She started her AACC Annual presentation by saying, “I thought I had the most secure system possible, that we were using everything that we were supposed to be, and that this would never happen to us.”

“I think there are other presidents who believe that, but the bad actors, as Cheryl said, are always two or three steps ahead of the latest products. So you’ve got to be vigilant,” Walker-Griffea says. “No one should have to go through this. And I’ll say it again: Get the cybersecurity insurance. Do the audits. Get a CISO. They are very valuable. It’s expensive, but it’s worth it.”

About the Author

Ed Finkel
Ed Finkel is an education writer based in Illinois.