I wear many hats as the head of a small, not-for-profit sport organization. Depending on the day, I can be expected to serve as problem-solver, counsellor, HR practitioner, lawyer, policy maker, spokesperson, or fundraiser. Reluctantly, I’ve added one more to the list: IT security specialist.
Until recently, I hadn’t paid much attention to the growing threat from criminals prowling cyberspace looking for vulnerable computer systems. A recent article from Maclean’s magazine quotes FBI statistics that estimate more than 100,000 computers around the world are infected with malicious software every day and that total ransom payments are closing in on a frightening milestone: $1 billion US.
The Attack
On a Sunday evening earlier this year, Ringette Canada’s main server and back-up server were hit with a ransomware attack. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. In our case, the program PHOBOS encrypted all of our data.
As soon as we discovered the problem, the server was shut down, the back-up drive disconnected, and all staff passwords were changed. But it was too late. All of our files were still intact on the server and there was no evidence that any had been stolen, but we had no way to access them. The encryption made them unavailable to us.
An email from the cyber criminals offered to run a decryption program on the server, but only after a sizeable ransom had been paid in Bitcoin, a cryptocurrency that is difficult to trace.
We consulted immediately with our external IT provider but all attempts to defeat the ransomware failed. Several data security and recovery specialists confirmed that there is currently no decryption software for PHOBOS. Police agencies would not investigate since there had not been any financial loss. Negotiations failed to reduce the ransom amount.
The Consequences
Let me pause here to share that, at this point, I felt completely blindsided, victimized, and furious with these faceless, nameless criminals who had violated our IT system and created such chaos in our organization. My first inclination was to question what I could have done differently: What additional precautions should have been in place? What had I missed?
A thorough discussion with our Board of Directors brought out several other considerations, including the possibility that the cyber criminals would refuse to decrypt our files even if the ransom were paid.
We were left with a decision to either pay the ransom and take our chances, or re-build the files ourselves. After working through the various scenarios with staff, we chose the latter.
Quite clearly, it has meant a lot of extra work for staff, but the task hasn’t been as difficult as we first imagined. On a positive note, it’s given us a chance to really look at what files we need versus ones that were outdated and no longer required. Moreover, it’s given us an opportunity to reconstruct our electronic filing system and to purchase a cloud-based solution to ensure we are protected from this type of attack in the future.
Lessons Learned
So, what is there to learn from all this? As I reflect on the experience, a few things jump out:
- Take a deep breath. At the time, it feels like your world is crumbling around you and that the very existence of your organization is under threat. Don’t panic. Take another deep breath. Once the dust settles, you’ll come to realize that there are reasonable options available.
- Cut yourself some slack. This kind of attack is happening tens of thousands of times a day, often against organizations with far more sophisticated security systems and large, in-house teams of IT specialists. It’s likely not your fault.
- Consult with experts who can help you get a grip on the size and scope of the problem, and to weigh the various options. In the case of ransomware, the files are locked and encrypted but the information is not compromised, just rendered unavailable.
- Ensure everyone in your organization is aware of the basic IT security tips:
  - Think before you click on any kind of link or attachment that comes from an unknown or suspicious source.
  - Update software and operating systems with the latest patches. Install protective software and keep it updated.
  - Choose strong passwords using a combination of letters, numbers and special characters.
  - Back up your files regularly.
  - Take additional measures to protect sensitive data.
As leaders of not-for-profits, we have more than enough to keep us busy, and a growing number of hats to wear as the demands become increasingly numerous and complex. Your IT infrastructure is something you can take steps now to protect; hopefully, you won’t need that hat anytime soon.