Five years have passed since the Iowa Valley Community College Board of Directors received a cyber security update. Protecting online information has become increasingly important, and IVCCD IT personnel are working hard to ensure student information remains secure.

Chief Information Officer Mike Mosher said the at-risk data, which goes back decades, belongs to the students and is important to keep secure.

“When we talk about security, it’s really all about management,” he said. “We cannot eliminate the potential for any type of breach or incident occurring. So what we have to do is manage that risk as it relates to confidentiality, integrity and availability.”

Confidentiality and availability are the two most important ones, Mosher said. IVCCD needs to make sure the students can obtain the data they need when they need it. That requires a balancing act of providing the access while keeping it secure.

One vulnerability of the IVCCD is there is no secondary data center. The primary data center is located in Marshalltown. Mosher used a tornado as an example of a threat.

“The risk in that is (that) we don’t have redundancy in some of our systems,” Mosher said. “What’s that risk? Are we willing to address that risk? Do we need to address that risk? Those are the things we think about when we talk about risk.”

He said that when it comes to risk, there are four choices — accept it and do nothing; manage and mitigate the risk; transfer, which is cybersecurity insurance for if an event does occur, there are resources to help recover; and avoidance which is ceasing action.

Mosher then explained data breaches and Ransomware. A data breach occurs when unauthorized parties gain access to confidential information. Breaches can be intentional when a hacker gains access to the system and steals data or it can be accidental. Mosher said an employee can unknowingly leak data through sending a spreadsheet of confidential information to the wrong person. It can also occur through a system misconfiguration, but in all circumstances, they have to be dealt with, he said.

“Educational institutions are actively being targeted, and in fact all industry is actively being targeted, and it just keeps increasing as we go along,” Mosher said.

He shared statistics pertaining to incidents involving higher education institutions.The average number of records breached is more than 28,000. The average cost is $200 per record. The average cost to recover is $7 million.

“When you think about that, that’s not just recovering it,” Mosher said. “In most cases, higher education institutions are a little more behind in cyber security.”

He said what is particularly scary is it takes an average number of 191 days to identify a breach. On average, breach recovery takes 66 days.

“Typically what they like to do is get into the system, spend a lot of time poking around, getting a lay of the land, figuring out what’s in there and then they actually launch the attack,” Mosher said.

Ransomware is a malicious software that encrypts systems and gives hackers access. Mosher said institutions then lose control.

“They’re trying to obtain money from us for that Ransomware attack,” he said. “Actually Ransomware attacks are on the downslide for a variety of reasons.”

That is because organizations and institutions have implemented better system controls and are backing them up, which is what IVCCD is undertaking. The chances of a successful Ransomware attack have dwindled, but hackers have switched to data exfiltration and breaches. However, Ransomware is still a valid concern, Mosher said.

“Of the Ransomware attacks in higher education, 58 percent of the organizations had their data encrypted, 35 percent of those organizations paid the ransom,” he said. “On average, only 68 percent of the data that was encrypted was recovered because the encryption keys provided by the attackers are bad or [the backups are bad], so they are not able to restore the data.”

The average Ransomware payment is $112,000, and the average cost to recover is $2.7 million.

An incident the IVCCD was involved with was the spring 2023 National Student ClearingHouse attack. Mosher said hackers were using a third-party transfer tool called Move It. The discovered vulnerability gave the hackers something to exploit.

“The Move It tool was used for transferring transcript data between us and the clearing house,” he said.

Luckily, only three IVCCD students were impacted, and district leadership took steps to ensure the students’ information was protected. Mosher brought up the summer 2021 breach of Des Moines Area Community College (DMACC). Classes were canceled for two weeks. He also spoke about the January 2023 Des Moines Public Schools attacks — classes were canceled for two days, and systems were unavailable for two weeks.

“When you think about the education environment today and how dependent we are on technology, putting kids back in the classroom, but not having access to materials in those systems makes it a very big challenge to teach,” he said.

To help combat cyber attacks, Mosher said they implemented an online staff training tool which informs them about fishing attacks and provides monthly lessons. An incentive was added for staff to complete the training.

IVCCD also completed a penetration test this year when a cybersecurity expert tried penetrating the IVCCD system externally and internally. Mosher said deficiencies were discovered and are being addressed, but they were told IVCCD is in much better shape than most other institutions.

He said long-term, they are working on developing a formal incident response plan.

Contact Lana Bradstream at 641-753-6611 ext. 210 or lbradstream@timesrepublican.com.