For 17 days after The Lincoln College Group was hit by a serious cyber-attack, Graham Harrison and his key staff hardly slept.
The group director of IT, information management and projects, explains:
“Our average working day in that period was 20 to 22 hours. The toll was huge, especially during those first two and a half weeks. I really didn't sleep during that time, and neither did the head of IT/chief technical architect.
“Getting the IT estate back within such a short space of time was a good result, but it created a lot of stress, pressure and anxiety for a lot of people; and not just technical staff. Teachers, administrators, managers and students were affected, as well as key stakeholders like suppliers and employers.
“There was immense pressure and the human impact is not always fully appreciated.”
Like so many ransomware attacks on the education sector, this one occurred at a time when staff were least likely to notice – at 8pm on Friday, November 20, 2020.
“We had good fortune in that IT staff happened to be logged in performing out-of-hours maintenance when the attack began, so we got a very early warning.
“I was called around 8pm. At that time there was insufficient evidence for us to be sure an attack was underway; it might have been a virus or malware. We continued to monitor the situation until about 4am when we took the decision to shut down the entire network.”
This turned out to be the right decision since a later investigation showed the attack would have spread to other servers.
Because of the shutdown, almost all the IT systems across all campuses were immediately unavailable, apart from Microsoft Office365 (so email and Teams were online) and the virtual learning environment, which was also hosted externally.
Teaching was able to continue because, as Graham notes:
“Teachers are resourceful and committed and will find a way to teach whatever obstacles are thrown in their path”, but day-to-day operations were severely impacted.
Then the hard work began, as Graham explains:
“Crucially, the launch point for the attack was identified and secured: more than 80 servers were fully restored, 1,600 desktop and laptop computers across multiple sites were wiped and reimaged, and passwords were reset for 1,000 staff and 5,000 students.
“The college’s technical team fast-tracked procurement of a long talked-about advanced threat protection capability, including out-of-hours automated and expert human monitoring in a service operations centre (SOC).
“My IT team and I worked in partnership with our cyber consultants to implement all their recommendations, which included eight major system changes.
"We listened to them because there’s no point just restoring what was in place before the attack – it’s crucial to build back better, even if some of those changes are unpopular with users.
“It was very hard work, but all systems and services were restored and brought back online within 17 days.”
Changing user credentials was a huge task, but volunteers came forward to man a pop-up helpdesk. They set about calling all staff in person, verifying their identity and resetting their passwords. This was one of the measures recommended to address the possibility that a hacker had obtained usernames and passwords.
Besides the technical, logistical and operational challenges there were a range of reporting and communications obligations.
“While my team was dealing with the technical issues, I led on the reporting to the Information Commissioner’s Office, the insurer and the legal team appointed by the insurer, the Education and Skills Funding Agency, and the police, which also included Interpol because we discovered the attackers were a well-organised, professional gang operating internationally.”
At the time of the attack, Graham felt Lincoln College Group had a strong level of traditional security measures like firewalls, anti-virus, anti-malware, policies, processes and procedures in place.
Investment had been made in IT infrastructure and an industry-strength backup system and the college had also achieved the government’s Cyber Essentials Plus accreditation, but as Graham points out:
“Accreditation, certification and audits are no guarantee of defence against sophisticated, professional cyber-attacks.
“Because of the number of cyber-attacks against the sector and nationally, insurers are setting tighter criteria. This will lead to better cyber-security, but often requires significant investment. It is exactly the same with Cyber Essentials accreditation; it helps but won't guarantee safety. Organisations need to go beyond these measures and I recommend advanced threat protection and a security operations centre provided by experts.”
Graham believes that organisations that don’t have this level of protection are vulnerable, explaining:
“Having all the usual protection measures in place, like firewalls, strong passwords, multifactor authentication (MFA) and robust policies is like having a castle and building a better outer wall or a deeper moat or reinforcing the front gate.
“Advanced threat protection works totally differently. It assumes that all those traditional defences have been breached and bad people are roaming around inside the castle walls looking for an opportunity to steal the crown jewels.
“The software and service work to spot that these people dress a bit differently, have a different accent or behave suspiciously and it clamps on the handcuffs until it can be certain of their intentions.”
The role of senior leaders
As Graham notes:
“Top-level support is critical: senior leaders must be interested, supportive and committed to cyber security because it requires investment and can involve making unpopular changes. The board also needs to be regularly briefed.
"My role is part of our executive leadership team so technology, data and cyber security all have a ‘voice’ at the top table.
“While I had that critical senior level support prior to the attack, the experience laser-focused the need for additional resources to avoid a recurrence.”
Now, almost two years post-attack, Graham sleeps easier at night and is confident the Lincoln College Group is “stronger”.
His advice to others is that investment is worth it.
“I've concluded that further education (FE) colleges probably ought to be investing about a half to one percent of turnover on cyber security and ring-fencing that budget to ensure critical measures are implemented.
“Affordability is a constant consideration in FE, but as we discovered on that November night, the financial and human costs of dealing with a cyber-attack can far outweigh the cost of building a robust cyber security capability to keep staff and students as safe as possible.”