In March, the National Cyber Security Centre (NCSC) reported that “an increased number of ransomware attacks have affected education establishments in the UK, including schools, colleges and universities”.
In April, it announced its membership of a new US-led Ransomware Task Force to combat ransomware, with participants from governments, software firms, cybersecurity vendors, non-profit and academic institutions from across the world.
These developments highlight how combating ransomware attacks is a global priority for governments. However, until significant advancements are made in the fight against the perpetrators, the education sector will continue to face the devastating impacts that ransomware incidents can have.
While every effort should focus on avoiding a ransomware attack in the first place, establishments also need to plan for the day they fall victim.
What, then, are the key factors for senior education leaders to consider in the first 48 hours of a ransomware attack?
Leadership & Teamwork
The immediate “on the ground” response to a ransomware attack will be technically led. A much wider crisis team must also be established quickly to manage the organisation’s wider response to the incident, bringing together the leaders of key areas, such as: internal and external commnications, student liaison, HR, legal, data protection and IT.
The crisis team leader will often depend on the organisation’s size. For smaller colleges, it could be the head teacher or principal. For larger institutions, it may be a major incident leader who will report separately to vice-chancellors or similar.
Ultimately, the crisis team must have senior level empowerment to make urgent critical decisions, while remaining sufficiently close to the response itself, and implement actions immediately.
Organisations should not shy away from bringing in external expertise early on, as they can bring much needed experience and expertise from similar incidents, or simply provide additional capacity and resource.
Typical external support will assist with investigations into how the attack occurred, as the organisation focusses on the recovery of services, drafting preparatory communications and statements, and dealing with regulators and other stakeholders.
External experts typically include: legal, IT (recovery), IT (forensic investigation), communications specialists, and notification specialists (see data exfiltration below).
The crisis team also needs to ensure that any insurance has been engaged at the earliest possible stage.
Traditional liability insurance programmes will typically only operate once liability claims come forward. Cyber insurance, however, will usually operate from the point of incident, covering the costs of the external experts above. Indeed, the insurance may specify the experts to be used.
Once convened, the crisis response team should action a response plan, ideally drafted and rehearsed in advance.
We find the following structure (based on the ICO’s own guidance) is helpful:
● Containment & Recovery This will include the actions taken to ensure that the spread of the attack is stopped, vulnerabilities are closed, and systems and data are recovered safely and securely.
● Assessment What systems and data were affected will determine who and what needs to be informed or notified. External cyber experts can help recover, analyse and interpret evidence and provide additional capacity to do so quickly.
● Notification & Communications Who, what, why, when and how to notify and communicate can be very difficult decisions in the early stages when information is scarce. External assistance from legal and communications experts, who have experience of similar incidents, can help decision-makers.
● Evaluate As well as dealing with the immediate decisions, the crisis team should use any available time to plan for ‘what next’. ‘Plan for the worst, hope for the best’ is a useful mantra.
Over the last 18 months, ransomware perpetrators have increasingly threatened to leak (or indeed leaked) the stolen data online as added leverage to extort a ransom payment.
This has meant that the ransomware response has moved from a technical recovery problem, to managing the fallout of a large data breach.
This further highlights the importance of including the wider business functions, and external experts in the crisis team, early on.
Often, an incomplete evidential picture emerges as to whether data was, or was not, taken in the attack.
This inevitably raises legal and practical questions as to what an organisation should do.
Where data is published, it can be a race for the organisation to review, assess and inform those affected.
The work required can be substantial, and again, specialist external resources can be of great assistance to ensure timely notification.
Hans Allnutt is a partner, and Cameron Carr a solicitor, in the cyber and data risk team at DAC Beachcroft. The team has advised on many ransomware attacks against education establishments.
For advice on any data breach-related queries, please contact our 24/7 breach response service hotline on +44(0) 800 302 9215 or our breach response team through our dedicated email address firstname.lastname@example.org