Imagine that the employees at your post-secondary school arrived at work in the morning to find that their usual log-in screens had been replaced by a threatening message telling them that they were locked out of their devices until the institution pays a ransom. This situation could quickly send a panic throughout the institution. Would your employees know what to do? Do you have a technical committee that is ready to move into action? Do you have a plan for how to communicate to students, employees and other stakeholders on how the institution is handling the crisis?
It’s far better to think through this situation and to have a ransomware response plan before it happens.
Ransomware causes downtime and loss of data, and carries the potential for theft of intellectual property. In post-secondary institutions, a ransomware attack is considered a data breach. Have you implemented the three lines of defense (as outlined below)? Do you have a plan for a ransomware response?
It’s never too late to get started.
1. Formulate a Ransomware Response Checklist
The following is a basic ransomware response checklist. Each post-secondary institution should customize their checklist according to their needs.
- Form a ransomware response committee
- Assign a point person to manage any ransomware crisis
- Form a ransomware IT subcommittee
- Identify a professional cybersecurity company
- Ensure that all parties are aware of an alternative communications plan
- Keep a hard copy of all relevant documentation
- Inventory all electronic equipment
- Identify the location of all data
- Determine the type of ransomware
- Determine the extent of damage
- Determine if backup is sufficient to avoid paying ransom
- Inform law enforcement and any necessary regulatory bodies
- Develop an external communications plan
2. Form a Ransomware Response Committee
Post-secondary institutions will need someone who will be the point person for coordinating and making decisions for a ransomware response plan. The person identified should be responsible for monitoring the response plan and ensuring that everyone is adhering to it. One of the biggest responsibilities will be making decisions about data recovery. This is crucial because post-secondary institutions will need to make quick decisions about being able to restore the data from backup sources or paying the ransom to secure the decryption keys.
The point person should be the one to establish a recovery time objective and to re-evaluate it until the recovery process is complete. This is a crucial task that will be important in demonstrating efficiency in handling a ransomware crisis and to protect against reputational damage.
In addition to having a point person to head up the ransomware response plan, a Ransomware Response Committee is a decision-making governance team that may comprise the following experts:
- Senior executives
- Department heads
- CIO, CISO
- IT experts
- Legal counsel
- Public relations, communications
- Audit committee representatives
- Regulatory affairs representatives
- Human relations
- Student affairs
Such an incident will require strict confidentiality between all committee members. The best way to ensure this is by implementing a board management software system by BoardEffect.
3. Form a Ransomware IT Subcommittee
A ransomware IT subcommittee is a group that’s composed of all the technical folks in the organization, including the identified ransomware response point person, CIO/CISO, data managers, engineers and other IT experts. The group is responsible for all technical investigations and remediation. This group should also have the ability to work with a qualified cybersecurity company, if needed.
The subcommittee should be able to obtain a hard copy of the ransomware response plan, because if it’s stored on a server, it will also likely be encrypted.
The subcommittee can be instrumental in obtaining and maintaining an updated list of servers, workstations and electronic devices that store the institution’s data. This process should include conducting a risk assessment and assigning a value to all of the institution’s critical assets.
Taking this a step further, the subcommittee needs to determine what kind of data the post-secondary institution has and to decide what is of potential value to cybercriminals. Any employee data, customer data, student data, credit card data, protected health information and other personally identifiable information should be noted. Post-secondary institutions may also have other sensitive data, such as trade secrets, financial information or other confidential data. Subcommittees should know where this data is located and whether they store any of it in the cloud. All of these details should be included in the ransomware response plan.
In the event of a ransomware attack, the IT subcommittee should advise the ransomware response committee on the best possible recovery point so both groups can come to a consensus on whether they can afford to lose any data if they need to pull it from a backup source, or whether a ransom payment is imminent.
As soon as possible, the subcommittee should identify the type and variant of the malware to determine whether they can decrypt it and/or whether they need the assistance of a cybersecurity firm. The team should also be working to identify the scope of the damage and provide a list to the ransomware response committee at the earliest opportunity.
Another important part of the subcommittee’s responsibilities should be to study all of the ransom notes left by the cybercriminals on each infected endpoint and server and provide the ransomware response committee with a figure in digital currency and the dollar equivalent.
Notifying Law Enforcement and Regulatory Authorities
A designated representative of the ransomware response committee should immediately notify the local and provincial authorities, including the Canadian Security Intelligence Service, and provide details of the attack. They may be able to provide additional helpful guidance.
Post-secondary institutions may also be required to file notice with the Office of the Privacy Commissioner if the breach will cause a risk of harm.
Managing Internal and External Communications
Be aware that a ransomware attack could shut down email communications. Your ransomware response plan should include identifying an alternative method of internal communications such as BoardEffect, which has a high level of security built right in.
It’s common for word of a data breach to spread quickly. The ransomware response team will need to make a decision about whether to make a public announcement rather quickly. The amount of ransom requested, the extent of the damage and the time needed to restore data are all important factors in making this decision. A public spokesperson should provide external updates to students, customers, suppliers and any other external stakeholders.
Cybercriminals are getting craftier about how they lure employees to click on malicious links. According to Cybersecurity Ventures, ransomware costs are projected to top $20 billion by 2021. This is a very good reason to develop a ransomware response plan and to implement board management software as soon as possible.