Everything you need to know about cyberattacks (but were afraid to ask)

If you’re not aware that London South Bank University suffered a major malware attack, then I’ll claim at least some credit for how we dealt with the incident, as I was unlucky enough to have been the designated “gold commander” in charge of any major issues on the afternoon of Saturday 12 December 2020.

Let’s be clear – an attack of that nature affects everybody in an institution, in ways that you can hardly begin to appreciate unless you’ve been on the receiving end, and nobody was happy with the situation in which we found ourselves. But I was genuinely amazed at the pragmatic and inventive ways that everybody carried on with business, education and research. On a personal level, however, I would say it was 10 times worse to handle than Covid, as you really do feel like you’re fighting a huge battle almost entirely on your own because only a handful of colleagues really appreciate the complexity and challenges of the situation.

• Failing fast: what universities need to consider when adopting edtech
• Developing a faculty-IT partnership for seamless teaching support
• How to prepare and protect your institution against a future cybersecurity attack

Let me give you a timeline of what happened before focusing on three specific issues that I hope will provide constructive guidance concerning malware attacks.

The timeline essentially ran in three phases. The first phase lasted for the week or so after we discovered that key operating systems had been encrypted and that we’d need to pay a ransom (which we didn’t) to get them restored; from that point, the Metropolitan Police’s fraud division took control of our servers (ie, “the crime scene”), and we had to quickly work out how to continue teaching, carry out business functions, communicate with staff and students – and pay staff their Christmas salaries!

Phase two was an incredibly intensive period of about six weeks in which adequate workarounds were put in place and the student virtual learning environment was reinstalled – amazingly, that was back online on day two of semester two, so was unavailable for only 36 hours of term time. The third and final phase was the reinstallation of all software and data, which took a further six months or so.

Like most (but by no means all) universities, all of our data is routinely backed up, and that had happened the day before the attack. So I naively thought that once our software had been reinstalled, we could simply draw back down the data and carry on as before – how wrong I was.

Despite months of trawling through our servers, the fraud division never found the attack route, and this meant that our security systems had been breached – but we didn’t know how. So we needed to install a new and upgraded security system and also revalidate all users. However, and this turned out to be one of the biggest problems, the new security systems ran only on newer operating systems, and we had dozens of databases that had bespoke design but which were coded to interface through older operating systems.

Do not delude yourself into thinking that you have only a handful of key programmes that you’d need to reinstall and (almost certainly) redesign – education is complex, so dozens (probably hundreds) of databases need to be linked together for all the activities in a big institution, and they will all need amending to work with newer operating systems or security processes. Time frames are also incredibly difficult to predict. One IT expert told me that a crucial interface issue we had would probably take an hour to fix – but it would take somewhere between one and 14 days to locate the problem! And don’t forget that other cybercriminals will ride on the back of your misfortune, using the uncertainty and confusion of staff to lure colleagues into clicking links that appear to be genuine university workarounds.

So the three key things you ought to know about all this (but were afraid to ask):

1. Communications is the biggest nightmare, especially as everyone needs certainty about academic deadlines. I wish I didn’t know as much as I do now about our intranet, but this detail is of no interest to 99 per cent of staff and 100 per cent of students – all they want to know is when the systems will be running again. And why the IT team is so incompetent.

2. Everything, and I mean everything, runs through your computer systems. All financial, business support, academic and buildings-related systems went down – even getting into buildings becomes a major issue when access is controlled by an “identity management system”.

3. If you’re well prepared, it’ll still take six to 12 months to fully recover.

And my top three pieces of practical advice if you do find yourself and your institution on the receiving end?

1. Those around you won’t want you to communicate more than the minimum because of all the uncertainties. My advice is to fight against that, to stick to regular updates for staff and students and to be as open and honest as possible. For the first week, the police told us to minimise our communications in order to reduce the risk of scammers being alerted to potential uncertainties that they could exploit. But there was frequent pressure to delay updates if there was little to report or if an application “might be available if we waited another day” − this just feeds the rumour mill. Plus, it quickly became obvious that, even if emails were only read by, say, 40 per cent of staff and 20 per cent of students, the messages did get shared and regular updates were really appreciated.

2. Keep talking to staff “at the sharp end” to find out where the issues are and what you can do that will be of most help – the stress on staff is huge, often in unexpected ways.  For example, some issues caused delays for students in being able to submit work (if they couldn’t access course-specific software, for example), and this created huge pressure on staff in terms of meeting immovable end-of-term marking deadlines. Colleagues were already under stress from Covid, and so small, practical measures (better support for home printing; carry-over leave) were really helpful.

3. The sheer quantity, technicality and jargon associated with IT systems affected by a malware attack is mind-boggling. As well as communicating with 2,000 staff and 18,000 students, there are big, risk-based decisions that need to be taken. For example, how much should you compromise security in order to meet an end-of-term deadline? Or do you fix the finance system or student applications software first? Only a few people have a good understanding of the IT issues and are also able to relay them in everyday language or relate them to broader strategic planning − nurture them and integrate them into key processes and decisions when all is well because, when an IT crisis strikes, they are like gold dust.

Patrick Bailey is an independent HE consultant in education, leadership and sustainability. He is also an emeritus professor and honorary fellow at London South Bank University, where he served as deputy vice-chancellor/provost from 2014 to 2021.

If you found this interesting and want advice and insight from academics and university staff delivered direct to your inbox each week, sign up for the THE Campus newsletter.