Your school or district likely has an emergency plan in place, but does it include how to respond to a cyber attack? Unfortunately, it’s not a matter of if it might happen but when.

Even for the most secure organizations, no one is immune to a ransomware attack. And the education sector is being targeted more than ever before. According to the Global Risks Report, nearly 83% of all malware attacks hit schools and their related technologies, costing nearly $6 billion in 2020 alone. An even more alarming statistic: In 2021, a company was hit by ransomware every 11 seconds!

So what should you do if you find your school or district as the target of a cybercrime? As is true for most situations, you learn the most from experiencing it firsthand. Finalsite was the target of a global ransomware attack in January of 2022. We were fortunate that we caught the situation early, contained the activity and ultimately prevented any client or employee data from being viewed, compromised, or extracted.

In the aftermath, we walked away with seven key lessons learned:

1. Invest in secure systems

2. Do what’s right, even if it’s unpopular

3. Bring in specialists  

4. Have a back-up plan 

5. Communicate early and often 

6. Make friends with the media

7. Be humble

1. Invest in secure systems and security education

Although schools have many choices for software providers, they aren’t all created equal – especially when it comes to security. Much of your software protection sits in the hands of your hosting provider and the level of data security they invest in. This is true across all systems, from website hosting to student information.

When evaluating your provider, ask how and where your data will be hosted, and whether or not it is encrypted. At Finalsite, our data is encrypted and hosted on Google Cloud, an investment made with security in mind in 2020. 

Additionally, ask your software provider if they engage in penetration testing. This is comparable to an active shooter drill your school might conduct, only for cyber attacks. Annual, sophisticated penetration testing is part of Finalsite’s security plan.

Understand the importance of password security

Educating your team about the importance of password security should be an ongoing effort. Include the following in your password education plan: 

• Ensure passwords are long and complex, containing upper and lower case characters, letters, numbers and symbols. 

• Never, ever reuse passwords on different websites. If one of those passwords is leaked in a data breach, it compromises every other site you’ve used that password on. 

• Don’t share your passwords with anyone else.

• Avoid using words that are found in the dictionary.

• Invest in password management tools like 1Password or LastPass to help users securely manage complex, unique passwords

Continuously educate your team about information security

Consider utilizing a program like KnowBe4 or Proofpoint to enroll your team in Security Awareness Training to protect your organizations against other threats like social engineering, phishing and malware.

Even with the most secure systems and processes, ransomware attacks can still happen (just like it happened to us). However, the more security measures you have in place, the easier it will be to identify and stop threat actors quickly to prevent data from being compromised.

2. Do what’s right, even if it’s unpopular

When our team identified a bad actor in certain systems within our environment, we immediately took steps to secure our systems and contain the activity – which meant we proactively took 8,000 school websites offline. 

Although this was the right choice from a security standpoint, shutting down thousands of school websites globally certainly wasn’t easy for the clients we serve. School websites have become the most important means of school-to-home communications. Turning them off meant taking away access to this trusted resource, which was especially difficult when COVID was surging and weather-related closures loomed. 

The right choice is not always the easiest one to make. If you find your school in a similar predicament, holding to your core values of security and integrity will make these tough calls much easier. 

3. Bring in specialists

Although Finalsite has a number of security and software personnel on staff, a situation of this capacity warranted outside perspectives to ensure everything was covered. 

Among the first calls made were to a data privacy law firm and forensic investigation consultation firm. We relied heavily on these outside organizations to guide us through each phase of the process, from identification of the bad actor through complete resolution. It was reassuring to both employees and clients to know that organizations with extensive backgrounds in cybercrime and data security were part of our emergency plans. 

Although you may have legal counsel on speed dial, your everyday school attorneys might not be the right fit for a situation like ransomware. Work with your insurance agency to identify a law firm you can rely on should ransomware strike your organization. Your insurance company will also be able to refer you to a forensic consultancy to assist with the full criminal investigation.

4. Have a back-up plan

You don’t fully realize the importance and impact of your digital communications tools until they aren’t available. Although this is likely a rare and unusual occurrence, don’t wait until your website or communications software goes down to come up with a back-up plan.

Consider these three tips: 

Keep an up-to-date download of your contacts and other important information.

Download a fresh contact list from your student and staff information systems weekly to have on hand should your communications systems be down or your Internet access is cut off. Do the same with important health and academic records you may need in a pinch. We recommend storing these lists in multiple locations, including a hard copy. In case of an emergency, you’ll be able to quickly grab information to use as needed.

Have alternate tools or redirects ready.

If your website or other technology system gets attacked by cybercrime, be ready to go with a back-up plan. Check with your vendors to inquire how they store data back-up files and how quickly things can be up and running, should the need arise. Following our incident at Finalsite we were able to rebuild our systems in a clean environment thanks to our disaster recovery planning. We also learned where we can improve our recovery times so we’ll be able to get our clients back online much quicker if needed in the future.

If you can’t wait for a back-up system to be launched, have a plan B in mind.

An alternate tool or system doesn’t need to be as robust or dynamic as your primary software, but should be an option for you in case of emergency.

For example, if your digital communications platform is down and you need to send an emergency notification, be ready to run with your in-house email workspace, learning management system and/or student information system for a quick message to your parents, students, or staff. 

5. Communicate early and often 

When it comes to crisis communications, speed matters. Letting your constituents know there’s a problem as soon as you can will keep the rumor mill at bay and allow you to tell your story before someone else does it for you.

• Be as complete and to the point as possible, understanding that you can’t share everything during an active investigation.

• Be clear and quick to communicate if there is a data breach. There are likely reporting obligations your schools will have should data be compromised that are sensitive. Finalsite was fortunate that no data was viewed, extracted or compromised, but these questions and concerns were still frequent.

• Provide frequent updates. Even if you feel like there’s nothing new to share, provide updates regularly. When too much time goes by without an update, rumors and misinformation spread. At Finalsite, we shared a total of 18 email communications, plus additional webinars and status page updates over the course of seven days. Find a cadence that works for your community and stick to it.

• Consider a video message or webinar. Written messages are important, but videos offer emotional connections that especially resonate during a crisis. Hosting a webinar or virtual meeting to allow two-way interactions between your school leadership and constituents will also be appreciated.

• Create a crisis communications hub. Don’t assume people have seen all of your emails. Make it easy for them by creating a communications hub containing links to communications and important information. For inspiration, check out Finalsite’s ransomware communications hub.

6. Make friends with the media

The phrases “ransomware” combined with “school” will generate a lot of interest from media outlets near and far. The Finalsite ransomware incident landed in more than 40 publications within 24 hours, including the front page of CNN.

The only path forward when managing the media during a ransomware crisis is to make them your friends. Reporters are only doing their jobs. If you can make their jobs easier, it’s a win-win situation.

Your local media contact list won’t cut it during a ransomware situation. Press coverage will be vast, extending beyond your local community. We suggest making a spreadsheet with press contacts who have reported on the incident and sending all of them a company statement with clear facts and information.

Don’t run from the media coverage – it’s going to happen whether you like it or not. Make friends with the media. Be available 24/7. Provide your cell phone number. Offer a media statement. Hold a press conference. All of these touchpoints will ensure what is published is accurate and personalized – all key factors to successful press relations.

7. Be humble

There are very few organizations that handle crises perfectly — we all make mistakes. Admitting your shortfallings and subsequent areas you plan to improve is an important way to gain respect. Additionally, an apology and sincere empathy for what others are experiencing can go a long way.

Speaking with a “me first” tone can land you in the PR textbooks for what not to do. Take Tony Hayward for example, the former CEO of BP. In 2010, a BP oil rig exploded causing a major environmental disaster that lasted for nearly three months. The BP execs repeatedly staved off blame from what happened, making frequent public remarks that were seen as insensitive. Hayward told TV news reporters, “There’s no one who wants this thing over more than I do. You know, I’d like my life back.” That quote is used repeatedly in PR lessons on what not to do in a crisis.

When you experience a cyber attack, the days will be long and stressful. But for your stakeholders on the other side of the situation, the same will likely be true. Lead your messaging with an understanding of what others are experiencing as a result of the incident and be sure to apologize for any inconvenience or stress it has caused.

Key Takeaway

No one is immune to a ransomware attack, even the most sophisticated software companies. Before this unfortunate situation strikes your school or district, be prepared with solid security measures, a dynamic team of specialists, a cyber-crime communications strategy, and a technology back-up plan.

ABOUT THE AUTHOR

As founder, CEO, and current Board Member of Finalsite, Jon Moser is passionate about web trends and strategies that impact education. For more than twelve years, Jon and Finalsite have been committed to providing cutting-edge web technology for clients. He is a frequent advisor, keynoter, blogger and presenter on all things web related. When he isn't at Finalsite HQ, Jon can be found on his farm raising chickens and selling free range eggs or spending time with his wife and five children.