Return to Headlines

School Officials Warned of Ongoing Cybersecurity Attacks in New Jersey

PISCATAWAY – May 17, 2019 – One could argue the most difficult state job in New Jersey goes to Michael Geraghty, the first-ever director of the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC).

Geraghty, part of the state’s Office of Homeland Security and Preparedness, is on the front lines of the State’s cybersecurity efforts, as cyber-attacks are launched against New Jersey’s public and private sector systems on a daily basis.

Patrick M. Moran, the business administrator for the Educational Services Commission of New Jersey (ESCNJ), said Geraghty is leading the state’s cybersecurity efforts every day, which is why he was invited to serve as the keynote speaker for the ERIC North™ 16th-Annual Training Seminar on May 10. ERIC North (Educational Risk Insurance Consortium) is a sub-fund of the New Jersey Schools Insurance Group and provides ESCNJ’s property and casualty insurance for New Jersey public schools.

One of the most frightening attacks that grows in prevalence is “ransomware,” in which the perpetrators install and execute malware that encrypts all the files holding them for ransom until the victim organizations spend thousands of dollars to get back access to their data, Geraghty said.  

“Ransomware attacks continue to grow in sophistication and impact; more recent variants also target an organization’s back-up files so you can’t recover from the attack and are forced to pay the ransom,” Geraghty said. “We are seeing the ransom numbers increase over time.”

He noted that in addition to the increasing numbers and impacts of ransomware incidents, the ransoms being demanded by the threat actors also continue to increase.  In late December, the NJCCIC responded to seven reported incidents in which the average ransom was $210,000.

“We expect to see that number going up as long as victims continue to pay ransoms,” Geraghty said.

Most recently, in the beginning of May, the FBI responded to an attack on Baltimore City’s network. More than a week later, city officials continue to struggle to get the network to full capacity. Baltimore, by the way, refuses to pay the ransom.

Another example occurred in Newark in 2017, when two hackers behind an international wave of ransomware attacks shut down the Newark computer system until the city paid $30,000 via Bitcoin, a so-called “cryptocurrency.”

Geraghty said the only “benefit” to ransomware is that the hackers alert you when the computer system has been hijacked.  In other cases, a system could be compromised for months or years without the victim having a clue.

“It is like having cancer,” he said. “It is eating at your system, but you don’t know it.”

Geraghty said school districts are “a virtual buffet” of valuable data, filled with student information, health records, employee payroll data, financial data and access to security systems, such as cameras, intercoms and security plans.

Education Week noted school districts tend to have the weakest cybersecurity risk management practices of any state or local government agency, and are least prepared to respond to an attack.

Geraghty recommends that school districts and all other organizations develop comprehensive, defense-in-depth cybersecurity programs with the aim of managing cyber risks that is consistent with the sensitivity and criticality of the organizations’ systems and information.  As technology continues to be integrated into all aspects of business and society, cybersecurity risk management needs to be incorporated into enterprise risk management plans, he said.

Last year, the NJCCIC published the Statewide Information Security Manual, a set of policies and standards that is intended to help organizations apply a risk-based approach to cybersecurity while establishing required behaviors and controls necessary to protect information technology resources, secure personal information, safeguard privacy and maintain the physical safety of individuals.  

The manual features industry-standard best practices in 33 control areas. Following the manual will not stop cyber-attacks, Geraghty noted, but it will certainly help manage the risk, adding each department can now conduct self-assessments.

There is a simple way to begin. Does your organization have someone responsible for cybersecurity? Are there policies and standards in place to manage risk? NJCCIC can help, email njccic@cyber.nj.gov or visit www.cyber.nj.gov.

end