I wear many hats as the head of a small, not-for-profit sport organization. Depending on the day, I can be expected to serve as problem-solver, counsellor, HR practitioner, lawyer, policy maker, spokesperson, or fundraiser. Reluctantly, I’ve added one more to the list: IT security specialist.

Until recently, I hadn’t paid much attention to the growing threat from criminals prowling cyberspace looking for vulnerable computer systems. A recent article from Maclean’s magazine quotes FBI statistics that estimate more than 100,000 computers around the world are infected with malicious software every day and that total ransom payments are closing in on a frightening milestone: $1 billion US.

The Attack

On a Sunday evening earlier this year, Ringette Canada’s main server and back-up server were hit with a ransomware attack. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. In our case, the program PHOBOS encrypted all of our data.

As soon as we discovered the problem, the server was shut down, the back-up drive disconnected, and all staff passwords were changed. But it was too late. All of our files were still intact on the server and there was no evidence that any had been stolen, but we had no way to access them. The encryption made them unavailable to us.

An email from the cyber criminals offered to run a decryption program on the server, but only after a sizeable ransom had been paid in Bitcoin, a cryptocurrency that is difficult to trace.

We consulted immediately with our external IT provider but all attempts to defeat the ransomware failed. Several data security and recovery specialists confirmed that there is currently no decryption software for PHOBOS. Police agencies would not investigate since there had not been any financial loss. Negotiations failed to reduce the ransom amount.

The Consequences

Let me pause here to share that, at this point, I felt completely blindsided, victimized, and furious with these faceless, nameless criminals who had violated our IT system and created such chaos in our organization. My first inclination was to question what I could have done differently: What additional precautions should have been in place? What had I missed?

A thorough discussion with our Board of Directors brought out several other considerations, including the possibility that the cyber criminals would refuse to decrypt our files even if the ransom were paid.

We were left with a decision to either pay the ransom and take our chances, or re-build the files ourselves. After working through the various scenarios with staff, we chose the latter.

Quite clearly, it has meant a lot of extra work for staff, but the task hasn’t been as difficult as we first imagined. On a positive note, it’s given us a chance to really look at what files we need versus ones that were outdated and no longer required.  Moreover, it’s given us an opportunity to reconstruct our electronic filing system and to purchase a cloud-based solution to ensure we are protected from this type of attack in the future.

Lessons Learned

So, what is there to learn from all this? As I reflect on the experience, a few things jump out:

1. Take a deep breath. At the time, it feels like your world is crumbling around you and that the very existence of your organization is under threat. Don’t panic. Take another deep breath.  Once the dust settles, you’ll come to realize that there are reasonable options available.
2. Cut yourself some slack. This kind of attack is happening tens of thousands of times a day, often against organizations with far more sophisticated security systems and large, in-house teams of IT specialists. It’s likely not your fault.
3. Consult with experts who can help you get a grip on the size and scope of the problem, and to weigh the various options. In the case of ransomware, the files are locked and encrypted but the information is not compromised, just rendered unavailable.
4. Ensure everyone in your organization is aware of the basic IT security tips:
   • Think before you click on any kind of link or attachment that comes from an unknown or suspicious source.
   • Update software and operating systems with the latest patches.  Install protective software and keep it updated.
   • Choose strong passwords using a combination of letters, numbers and special characters.
   • Back up your files regularly.
   • Take additional measures to protect sensitive data.

As leaders of not-for-profits, we have more than enough to keep us busy, and a growing number of hats to wear as the demands become increasingly more numerous and complex. Your IT infrastructure is something you can take steps now to protect; hopefully, you won’t be needing that hat anytime soon.

---

About the Author(s)

Natasha Johnston is the Executive Director of Ringette Canada, a position that has merged her love for the business of sport with her passion for ringette. With the deep belief that good sport has the power to mobilize and inspire, Natasha continues to be active on the ice, the court and the field as a participant and a supportive mom.

---

The information presented in SIRC blogs and SIRCuit articles is accurate and reliable as of the date of publication. Developments that occur after the date of publication may impact the current accuracy of the information presented in a previously published blog or article.