The scope of the global attack is sobering to think about, and I am thankful for the cybersecurity professionals who work to protect us all. Many of the students who train in our lab will become cybersecurity pros themselves. Some come to us to enhance their existing skills and go on to the thousands of available computer and cybersecurity career opportunities in government and industry. We need every one of them.
Of course, these criminal endeavors never stop. Despite our diligent focus on security and protecting our assets, in September of 2019 Montgomery College fell victim to an internet fraud committed by criminals outside the college. They stole funds totaling $2.8 million by routing them to a fraudulent bank account. The fraud was discovered quickly, and we took immediate steps to recover the funds. We have recovered 39 percent, resulting in a net loss of $1.7 million. A year later, we remain hopeful yet realistic about the possibility of recovering more of the stolen money.
As you might expect, it was initially disconcerting to know that we were victimized in a fraud scheme. It is an intrusion, albeit an electronic one, but an intrusion nonetheless. It is like realizing a stranger has broken into your home. The initial shock of the crime fades quickly; you discover how the criminal took advantage, and you take every step to catch the perpetrator and prevent it from happening again.
Knowing that criminals frequently target colleges and universities through similar fraud and other schemes offered some consolation, but not much.
We immediately chose to be as clear and open as we could about the fraud, and I am gratified by the responsiveness and support we’ve received. Our full cooperation with the investigating authorities required that we keep some details of the crime under wraps, but we otherwise had straightforward conversations with the Montgomery College community, our state and county leaders, our accreditors at the Middle States Commission on Higher Education, journalists, and other stakeholders about the fraud scheme. Our transparency and forthrightness about what happened were always rewarded with cooperation, assistance and advice.
Our most important message in the immediate aftermath of the crime was to assure our students, faculty members and staff members that the fraud scheme would not adversely affect their studies and work or the college’s financial strength. While a significant amount of money was stolen, our educational mission continued without fail. The net loss amounted to about one-half of 1 percent of our operating budget. We recognized the loss in our financial statements for the fiscal year ended June 30, 2020, and we received an unmodified opinion from our auditors for the year, the highest level possible. What’s more, we earned an Aa3 Stable rating from Moody’s Investors Service, a testament to our long-standing conservative financial management philosophy.
Learning from the Incident
Naturally, we all wanted to know how this could have happened, even though our employees had followed strict internal financial controls. Security experts remind us that criminals are continually inventing new ways to commit their internet crimes. The steps we take to safeguard ourselves today will soon be met with new criminal threats. So, in addition to working with the FBI, local law enforcement authorities and the Montgomery County inspector general, we conducted a rigorous internal investigation to learn from the incident. We also commissioned an external accounting firm to conduct a special audit of our financial controls, contract administration and vendor relationships. As a result, we have implemented several new controls to further secure our assets, data and operations.
A big part of our response has been to increase the training of our employees. To stay ahead of the criminals, the training program is ongoing and regularly updated. Any employee who approves an invoice payment, manages a vendor or administers a contract needs to know how to spot a scam. To date, more than 2,000 of our employees have participated in the training that will improve their ability to detect potential fraud.
Our response to the fraud scheme also benefited from having the expertise of our Office of Compliance, Risk and Ethics. We formally established the office nine years ago to help us identify and prioritize internal and external risks and threats. The office’s expertise includes an internal auditor dedicated to improving financial controls and responding to new threats. I am thankful to these Montgomery College professionals and others in finance, procurement, information technology and additional areas for their dedication to safeguarding us.
As prepared as any institution can be for this kind of fraud attack, you can always do more. Some lessons we learned from our experience might be useful to other institutions in preventing a fraud scam or responding to one should it occur.
To prevent a criminal attack:
- Consider intrusion testing as a way to assess the vulnerabilities of your financial controls.
- Conduct independent audits of financial controls by auditors who are different than those who conduct the college’s annual audits on a routine basis.
- Implement consistent and relevant fraud and cybersecurity training for all employees, with specialized training for employees in high-target areas, such as procurement and accounts payable.
- Consider adding staff with expertise in compliance and risk to better anticipate vulnerability and threats, as well as to quickly respond to problems when they occur.
To respond to a criminal attack:
- Define who will lead any internal investigations and who will serve as liaison with law enforcement and other relevant entities.
- Ensure the coordination of communication, reporting, liaison and investigation functions with clear lines to the president and through the president to your board.
- Follow the advice and counsel of ranking law enforcement professionals regarding communications and next steps.
- Engage all of your stakeholders (employees, governing board members, legislators, accreditors, law enforcement officers and volunteers) deliberately and directly with timely messages conveying the facts and the remedies.
I have to admit that it is a bit humbling that we at Montgomery College, with our respected track record of preparing so many students for successful careers in cybersecurity and fighting internet fraud attacks, have ourselves been victims of such a crime. Yet this experience has taught us that, even with sophisticated fraud-prevention measures in place, we were still vulnerable. Institutions must continually advance their defenses to protect themselves. We’ve also learned that our instinct to respond with transparency was correct, and we benefited from the support of our colleagues and community.
The next time I visit our cybersecurity lab, I will have an even greater appreciation for the enormity of the criminal threats we face every day — and the confidence to know that we are employing all the safeguards we can so that the flurry of criminal activity on the lab’s screens has nothing to do with us.