With the recent ransomware attack at Howard University, Morgan State University’s information technology department decided to revisit and revise its cybersecurity policies.

On Sept. 3, Howard University experienced a ransomware attack, causing the university’s critical functions to shut down.

After the attack, Howard temporarily paused all online and hybrid instruction. In a message to the Howard community, Tashni-Ann Dubroy, executive vice president, said that the university was fully operational for virtual and in-person learning as of Sept. 13.

Ransomware is a form of malware attackers deploy to encrypt files, preventing them from accessing their data. Attackers will hold their victim’s data hostage until the victim pays a ransom.

According to Paco Rosas-Moreno, Morgan’s chief information security officer, attackers may infiltrate an organization’s IT systems through external or internal attacks.

With external attacks, the attackers infiltrate organizations through vulnerabilities in their IT systems.

“They will use vulnerability scanners to scan to see what services and what systems are open,” said Rosas-Moreno.

Attackers may also research an organization to see what systems and software the organization uses and find common weaknesses that they can exploit.

With internal attacks, the attackers exploit users’ vulnerabilities and deploy malware to systems the user is already logged into.

Attackers may send emails asking people to click links or download apps or exploit people’s tendencies to reuse passwords.

“If your password has been exposed on one site, there’s a chance that people will reuse that password for all their sites,” said Rosas-Moreno. “So, as a good security practice, don’t use the same password for your sites and for your accounts.”

“People and businesses deploy different types of technological controls to mitigate these [security risks].”

To prevent the Morgan community from ransomware attacks, the university has been enforcing a limit on login attempts.

The university is also deploying multi-factor authentication for critical infrastructure as a preventative measure. Rosas-Moreno said they hope to get it in use by winter of 2021.

“We take the security of the data very seriously here at Morgan,” said Rosas-Moreno. “We work incredibly hard to protect that data that we’ve been entrusted with because we know that it has a real impact on people’s lives, and we want to protect our future leaders.