Password Management Matters

MFA + Passwords = Ransomware Defense

July 2, 2025

TLDR (Too Long; Didn't Read)

Key points:

• 57% of employees have not yet upgraded to Windows 11. Please note, Windows 10 will no longer receive security updates after October 14, 2025. To upgrade your device, visit the IT Hub: Windows 10 to 11 update article, and log in to get started.
• Ransomware attacks often begin with stolen passwords – protect them!
• MFA (Multi-Factor Authentication) blocks unauthorized access even if a password is compromised.
• Beginning late July/early August 2025, all MCC students, faculty, and staff accounts will require MFA.

TLDR END

Recently, a bad actor was able to successfully access McLennan Community College’s (MCC’s) VPN (virtual private network) through a compromised MCC employee’s account.

With the employees’ credentials, they were able to access our network and servers where the employee had access, to possibly steal data or install ransomware. Without MFA our only line of defense was our anti-malware software (Cortex). Luckily, the software stopped the ransomware attack…this time.

Ransomware Threats and the Human Factor

Ransomware is one of the most disruptive and expensive forms of cyberattack. The estimated average cost of an attack in 2025 is $5.5M (million) to $6M (according to Purplesec). It begins with one weak password, one compromised account, or one malicious email. Attackers use stolen credentials to infiltrate systems, encrypt data, and demand payment.

Cybersecurity is not only the job of ISS (Information Systems & Services) — it is everyone’s job. By strengthening how we authenticate users and protect passwords, we drastically reduce the odds of a ransomware breach.

MFA - Your Security Shield

MFA adds a second layer of verification beyond just a password. Even if an attacker steals your login, they cannot access your account without your phone, app, or hardware token.

Beginning in late July/early August 2025, all MCC students, faculty, and staff accounts will require MFA. The setup process is simple and helps meet NIST (National Institute of Standards and Technology) 800-171 and TAC 202 (Texas Administrative Code Chapter 2) standards for account security.

Strong Passwords Still Matter

Even with MFA, strong passwords are essential. Weak or reused passwords can lead to:

• Unauthorized access
• Credential stuffing (use of bots to automate and try many logins, quickly)
• Data leaks and social engineering

Use a password manager to keep track of unique, strong passwords. Duo Passport, Google Password Manager, iCloud Keychain, and Microsoft Authenticator are all free and secure – see IT Cybersecurity News Article: Password Management Matters [ insert link IT Hub – June Newsletter] to compare these password managers.

Real Consequences

Ransomware groups often target schools and colleges. Recovery can cost millions and impact student records, systems, and operations. MFA and password hygiene are the first line of defense.

What You Can Do Now

• Update your weak/reused passwords and use a manager
• Lock your screen every time you step away
• Think before you click – be cautious of links, especially in unexpected emails

Keep an eye on your MCC inbox for MFA enrollment info

MFA Project Information

Visit the following webpages:

• MFA Project
• MFA Strategy and FAQs (Frequently Asked Questions)