How Data Gets Held Hostage

Educational facilities are also vulnerable to “ransomware,” a malicious type of software that can harm or disable computer systems until hackers receive a payoff. These types of attacks are up 400 percent, according to PhishMe.

Ransomware works by tricking an employee into opening a fake email and then clicking on a link or attachment that infects the system and locks the user out of the computer system or network until a ransom is paid. Unfortunately, paying the ransom doesn’t ensure a fix, as evidenced by the recent Petya ransomware attack, which hit 65 countries in June.

In the case of schools, the FBI warns against paying a ransom, as it would encourage hackers to target more districts in the future. It’s best to educate faculty and administration on habits that prevent a ransomware attack, including:

  • Implementing security patches – Every time the operating system or security software asks if it can run a system or security update, promptly follow through.
  • Backing up data – Back up files remotely every day on an external hard drive not connected to the internet.
  • Using an antivirus program – Antivirus programs can scan files to see if they might contain ransomware. Run the program automatically before downloading files. 

Bolstering Defenses 

The best protection against email fraud is to employ multiple lines of defense. While upgrading software and backing up data is critical, training employees to spot warning signs is the most important proactive measure. Empower your staff to:

  • Be cautious. Flag suspicious emails to IT. Additionally, never reply or open links and files within suspicious emails.
  • Get two approvals for transactions. No matter the size of the school, dual authorization should, at a minimum, be implemented for certain transactions. For example, beneficiary or address changes from vendors could be validated by phone.
  • Alert your bank to unusual requests. It’s essential to inform your bank of suspicious activity so proper action is taken to stop or prevent a financial transaction.
  • Remove every “dirty” PC. If a laptop or PC is compromised, remove it from the company’s network until it’s been cleansed of malware.

Ideally, every school district should develop processes to teach employees to recognize potential cyber-attacks via trainings and simulations. According to PhishMe, susceptibility to phishing email drops almost 20 percent after a company runs just one simulation.

Proactively training staff to recognize a potential cyber-attack or ransomware intrusion can prevent compromising private student information, prevent monetary losses and spare an institution from reputational harm.

Bank of America Merrill Lynch” is the marketing name for the global banking and global markets businesses of Bank of America Corporation. Lending, derivatives, and other commercial banking activities are performed globally by banking affiliates of Bank of America Corporation, including Bank of America, N.A., Member FDIC. Securities, strategic advisory, and other investment banking activities are performed globally by investment banking affiliates of Bank of America Corporation (“Investment Banking Affiliates”), including, in the United States, Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp., both of which are registered broker-dealers and Members of SIPC, and, in other jurisdictions, by locally registered entities. Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp. are registered as futures commission merchants with the CFTC and are members of the NFA. Investment products offered by Investment Banking Affiliates: Are Not FDIC Insured • May Lose Value • Are Not Bank Guaranteed.

How to mitigate a #cyberattack on your #school

©2017 Bank of America Corporation

[1] Business Continuity Institute, February 2017

[2] Hackers Target Nation’s Schools, 2017

[3] In Columbia Falls, A Shaken School District Moves Forward from Cyber Threats

[4] CyberAdvisory – New Type of Cyber Extortion/Threat, 2017

[5] PhishMe, December 2016

[6] Federal Bureau of Investigation, June 2016

About the Author:

John Lenckos is senior vice president, Specialized Industries, Bank of America Merrill Lynch.