Ransomware response for education providers and charities
Post-breach insights: lessons in ransomware response
Ransomware attacks have been sweeping the globe, and our crisis and data breach response team at Experian has been on the frontline helping organisations to manage the aftermath of data breaches. In this post, I reflect on our experience of managing post-breach situations in the education and charity sectors.
Schools and charities at risk
In recent months, we have seen a large number of schools, colleges, educational establishments and universities, as well as charitable organisations, impacted by devastating ransomware attacks. Education providers and charities often fall victim to ransomware attacks because their cybersecurity budgets and resources are smaller than those of larger corporations – making them more vulnerable to mass ransomware campaigns. This is borne out by our own research, which found that 89% of education sector respondents had experienced a cyber-attack and 85% had experienced a ransomware attack.
Ransomware attacks are indiscriminate
The first misconception is that ransomware attacks are targeted at specific organisations. In fact, they are usually indiscriminate. Ransomware firms seek to exploit vulnerabilities in the software and systems used by thousands of organisations. Once they gain access to these systems, they can exfiltrate or copy data from all of the organisations using that software.
The huge MOVEit attack is a prime example. By exploiting a vulnerability in the widely used MOVEit file transfer program, a ransomware firm attacked more than 1,000 organisations worldwide and accessed the data of around 60 million people[1]. None of the organisations impacted were specifically targeted – they were simply users of the software.
If data matters to you, it’s valuable to criminals
The second misconception is that cybercriminals are looking to steal personal data that they can sell on to fraudsters. In reality, it is far more lucrative for them to steal any data for which they can demand a ransom – rather than trying to sell individual personal details on the dark web. To demand a ransom, they only need data that is emotionally, financially or reputationally valuable to the individuals and organisations it is stolen from.
The data held by education and charitable organisations on their students, staff, alumni, donors and other groups is extremely valuable to those individuals. Think about the amount of personal data schools hold about their pupils. If this data fell into the wrong hands, parents would be extremely worried – meaning ransomware firms are in a strong position to demand a ransom for its safe reinstatement.
Managing a response
If you are a school, college, university or charity, how do you respond to a data breach? Who do you need to inform, and how quickly? How will you manage communications? Now that insurance companies are introducing more exclusions and limits to their cyber insurance policies, how do you minimise costs, protect your reputation and best deploy resources to manage your response?
At Experian, we’ve seen many breaches in the education and charity sector, so we understand the specific challenges they face, and how best to manage the post-breach recovery. It’s important to look at the situation from the point of view of the people impacted. These could be current and former students, parents, current and former staff, governors, suppliers, donors, beneficiaries and many others.
Contacting multiple cohort groups
The huge range of cohort groups is one of the biggest challenges for education providers and charities in responding to a breach. All of these groups must be contacted, so the first step is to identify the contact details you have and determine the best way to inform people. Where large numbers are involved, letters or emails are likely to be the most effective and efficient means of communication. But you might not have up-to-date contact details for everyone, particularly former and overseas students who have gone back home or moved away.
You then need to consider how to respond to queries and concerns. Can you put call centre resources in place, or outsource call centre agents from a specialist provider? What number do they call and is this freephone, local rate or international? Answering queries by email is often simpler and more manageable, but may not be acceptable to everyone. Everything you do must be focused on the needs of the individuals concerned.
You also need to understand the legal implications. What lengths should you go to in contacting people, and when can you cease your efforts after multiple failed attempts? We have the expertise at Experian to advise on all of these matters. We can help to formulate messages and advise on the best mechanisms for responding to queries, and help to minimise financial and reputational damage.
Preparation is key
Making all of these decisions and managing your response in the heat of a post-breach environment is especially challenging – when speed is vital and the ransom deadline is looming. To make everything more manageable and less stressful, it is far better to plan your crisis-response strategy in advance. That way, you can have plans in place and resources on standby, ready to swing into action if the worst happens. I will be offering advice on crisis-response planning and preparation in a forthcoming series of blogs – so watch this space!
How can we help?
If you are a school, college, educational establishment, university or charity and want to learn more about preparing for and responding to ransomware attacks, please visit our website or contact the Experian Crisis & Data Breach Response team on 0844 4815 888 or via email.
Further reading
Ransomware – Consumer response plans
How can data processors optimise resources and minimise costs? Fears about the threat posed by ransomware have proved well founded. Read more.
Why consumers need to be central to crisis response plans
The impacts of a cyber-attack, health emergency or data breach can be devastating for the business. But the greatest impacts are often felt by consumers.
Plan your crisis response plan before it happens
The costs of dealing with a crisis are significantly higher for businesses that have not planned their response in advance - that is why it is so important to plan in advance.
Breaking down barriers when forming a crisis response plan
With the working environment changing faster than ever, adapting to a digitally led economy also brings increased data breach risks. Find out more.
Data breach readiness: where are your blind spots?
How to prepare thoroughly for any breach and have the right resources in place to react effectively if the worst happens.
4 secrets to navigate Retail Media Networks (RMN)
In this article, we’ll discuss how to unlock the true potential of retail media networks and how we can help empower businesses in this evolving landscape.
Bring donors closer to the cause
For charities, fundraising is a constant focus in keeping operations running. But how do you turn one-off donors into long-term relationships. Read more.
4 reasons why good data quality is essential for charities
Experian work with a number of leading charities to deliver accurate contact data. Find out why quality contact data matters more than ever for charities.
What is a DBS Check? DBS Checks Explained
We answer your most popular questions on DBS checks, including costs, how long they take and more, and how to get them for employees.
3 types of bank account data errors and how to reduce them
In this blog, we look at the root causes of bank account errors and outline how you can take the first steps towards minimising them. Read more.
[1] MOVEit, the biggest hack of the year, by the numbers, TechCrunch