For Mark Dean, Senior Systems Administrator at Morehouse School of Medicine (MSM) in Atlanta, Georgia, the cybersecurity war is a never-ending tit for tat with what he calls the ransomware people. Think you have built-in redundancy? They are already after it.
In this premiere episode of Innovations in Education–Higher Ed, Dean discusses his strategies for keeping the data, and more importantly, the people safe online at this prestigious institution.
MSM is among the nation’s leading educators of primary care physicians, biomedical scientists and public health professionals. An independent, private, and historically Black medical school, MSM works to increase patient access to high-quality care and eliminate health disparity in underserved communities.
When MSM decided to be proactive about defending against ransomware, the IT department quickly realized its legacy backup solutions weren’t equipped to handle cyberattacks–they were unreliable, difficult to use, and expensive. That’s when MSM turned to Veeam Availability Suite as a more affordable, efficient and secure solution, saving MSM $75,000 in backup costs and 500 hours of IT management each year.
eCN: When it comes to cybersecurity, it is never really a problem/solution discussion is it? Where are you currently on this journey?
MD: We’ve always had a good backup and recovery type of a scenario that we’ve been using for a number of years now. But what really got me worried was reading about how ransomware people—let’s call them that—they’re actually now going after your backups, so you have no way to recover. And if you use the cloud, they can get into your cloud stuff, and they’d leave your cloud backups unless you have arrangements with the cloud providers. So that really caused me a lot of concern because backups are only as good as you can put them back. And so, we looked at what we were doing, and we’ve made some changes based on industry standards and made a change in how we look at the backups. There are still some things we’re implementing but that was the impetus.
eCN: Talk a little bit about the behavior side of data security–that can play as much a factor in data security as the software, right?
MD: Absolutely. We have a security department that sends out test phishing examples, and if a user clicks on it, then they know about it. And then users have to go back and do some training. That number is coming down. The problem becomes when someone gets busy with their day, gets an email and the name is going to be from the president of a company or somebody that they may even know–they’ll scrape email addresses off our websites–and so they’re going to make it look like it’s from Morehouse, even though it’s not. We have things in the email that tell them this is from an external site, but people don’t think and it only takes one time.
You know, they click on it, it opens a PDF, and it says, “Oh, you need to put a password in there,” or something like that. That’s why I don’t have a lot of confidence that this is something that could be solved. Because in this case, it’s the users who were giving them what they want, their replicated password field, making it look like they are logging into something and make it look like our webpage. You really can’t blame them, even though we tell them don’t click on links in email. it’s just too much, I think for users to really get a handle on it. And it’s really hard from a security side to manage that because, when it comes to links, how do you know if they are good or bad?
eCN: Does being a medical school make you an especially rich target?
MD: Yes, only because we have a clinic, so we have healthcare data. So we have actual patients out in the remote clinics. And that kind of data is a prime target because it’s got a lot of information that can be used to steal identities. So my understanding is ransomware people go after that kind of data. And we get not just spam. We get phishing emails every day. So we’re constantly being hit.
eCN: Because of the surge of attacks, are these sorts of technologies something you still have to fight for?
MD: At one time we did, but about maybe three years ago, things happened where we said, “Okay, this is what we need to do is start trying to fight these things.” And we really beefed up the security side. We now have the hardware and software to help mitigate some of this as best we can. Security is something that the budget people really now understand is something we’ve got to do.
- How higher ed can set students up for successful internships - September 27, 2023
- How to prioritize data protection this school year - September 26, 2023
- Creating a positive campus for the new academic year - September 25, 2023