A Big Breach, A Very Big Breach In The Country: Maynooth University

 

Maynooth University has very recently claimed it was the victim of an IT security attack in which data and records relating to students and alumni who had previously attended the college were taken. It has confirmed that Blackbaud (Maynooth University’s IT security provider) was at the centre of an incident which involved a ransom being paid.

Blackbaud paid the cybercriminal’s demand, with confirmation that the copy of the data taken from its network had been removed and destroyed. Maynooth University was not the only college affected by the attack. NUIG was also a victim of the same cyber criminals, and many other institutions were involved that have not been made public.

Opinion

Cyber attacks involving a ransom being paid are a lot more common than the public is often made aware. Companies and institutions often won’t make public that they have been victims of an IT attack which involved a ransom being paid because, quite simply, it’s not very good for their image. To Maynooth University’s credit, they have come out and made the incident public, which may influence similar institutions and organisations to do the same in the future. It’s important to note here that it was Maynooth University’s security provider that ultimately paid the ransom, and not the university itself.

It raises a hugely important point, a “Sophie’s Choice”-like conundrum. When a cyber criminal successfully infiltrates a network and gains access (and, in this case, makes a copy of some rather sensitive data), should an organisation pay the ransom? Is it the correct and righteous action for an organisation to take? Is it the only action they can take? It sets a rather unsettling precedent, given that successful cyber criminals are likely to move bullishly on to their next “project”, buoyed by the knowledge that their previous efforts were profitable. The alternative, which is unthinkable for most companies and organisations, is to let the criminals have the data, to let it be leaked or exploited in whatever creative and damaging ways they come up with. The organisation would suffer the penalties for its network being breached, and the countless individuals associated with it, whose data has been stolen, would be left completely vulnerable to a personal attack themselves. It doesn’t seem like much of an option, does it?

Troubling Questions

It raises a lot of troubling questions when large organisations and institutions are forced into a corner by bad actors and have to take care of these particular problems in such an uncouth way. Should companies budget to pay ransoms for network or data breaches? Should they budget for repeat attacks? Do cyber criminals have a more talented “workforce” than the IT security sector? Well, this particular question is perhaps unfair. Of course cyber criminals aren’t more talented than IT security technicians; it just so happens that not being bound by morals or any code of integrity means they have a lot of wiggle room when it comes to achieving their “goals”.

Answers

As with any great quandary that troubles an industry, country or generation, the answer doesn’t lie with any one person, institution or organisation. The answer to this particular problem lies with every company that keeps sensitive data on its network, with the employees and members of the public who let their information be kept by an institution, and with the IT sector as a whole. It’s incredibly important that every organisation relying on its network is committed to best practice and is absolutely committed to finding and mitigating threats before they occur and not after. It’s incorrect to say that all IT security attacks are preventable. The complexity of both network designs and a bad actor’s approach means that sometimes a successful breach of a network is the only way the IT security sector can learn about new threats or techniques. However, it’s important to note that most network breaches are preventable, or at least their repercussions can be mitigated, by being obsessively “network hygienic”. Businesses in general have to be aware of the price of having such a powerful tool as a business network.

Whatever the case may be, institutions paying ransoms to cyber criminals for data breaches is not a sustainable model for most businesses or institutions. The coming years in the IT security sector will be about learning to what extent we can prevent, not react.


Thanks for reading.

INCA Networks is a cyber security company in Co. Dublin with over 20 years’ experience in keeping business networks secure.


 
Ed Campbell