Do Your Homework: The K-12 Educator’s Guide to Ransomware Communications - FTI Strategic Communications

In the past few years, education sector leaders have had to absorb more than their fair share of chaos, from pandemic-related issues like balancing remote and in-person learning to navigating increased politicization of curriculum. Cybersecurity communication challenges are no exception: ransomware has become a pressing issue that K-12 education institutions must prepare for. While a ransomware attack can be crippling to the entity impacted, targeted and tactical stakeholder communications can make all the difference when it comes to maintaining trust.

Ransomware has become such a prevalent threat for schools across the country that federal agencies released targeted guidance on how K-12 districts can best protect themselves. Specifically, the Government Accountability Office released a report in October 2022 suggesting that “additional federal coordination is needed to enhance K-12 cybersecurity.” Further, in January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a report on how school leaders and administrators can further protect their networks and be vigilant against cyber incidents.

Educational institutions in the K-12 space encounter a unique set of cybersecurity communication risks due to the vast amounts of sensitive information they maintain. Threat actors that target the education sector (some hacking groups, such as ‘Vice Society’, are known to specifically focus on K-12 institutions) attempt to apply pressure by essentially holding hostage this type of information with the goal of extorting their victims for financial gain. In addition to data exfiltration, ransomware attacks can cause major operational disruptions for schools – disabling internal resources, hindering students from submitting assignments and, even more nefariously, threatening critical services such as HVAC systems that are connected to the internet.  

By its nature, ransomware is vastly different from other threats that schools can train for, as leaders must be prepared to communicate through an incident even before all the facts are available. It will take time between receiving a ransom note, identifying operational impacts, engaging counsel and forensic experts, and beginning system restoration. This can take days to weeks; conducting a thorough investigation of impacted data and notifying the population of impacted individuals can take several months, depending on the incident’s scope.

Know Your Audience

It is important to remember that not all ransomware attacks are the same and that the communications impacts also differ. Threat actors do not operate in a vacuum – each ransomware gang may attempt to use their own extortion tactics against a victim, including publicly leaking information and directly contacting impacted individuals. Education professionals in the K-12 space must consider several distinctions when communicating with each respective stakeholder audience.

School Board: Across the country, School Board members may come from a variety of professional backgrounds – however, should they not have sufficient cyber experience, these individuals may demand answers and/or solutions that do not yet exist. These individuals may have different expectations for strategy and timelines; incident response leads must explicitly communicate how a ransomware response is different from other crises that they may face. It will be pivotal to speak clearly and transparently about the recovery, restoration, and investigation processes in order to keep Board leadership apprised of new developments. Just as pivotal is ensuring that the Board – and its individual members – remain allies when it is necessary to overcome any bureaucratic hurdles related to the response. By level-setting expectations about these processes, administrators can alleviate tension and better solve problems.

Parents: Parents of K-12 students will be primarily concerned about the safety of information surrounding their own children. During the data review process, rumors and speculation can quickly spread – especially if there is a lack of information provided. To mitigate this impact, it will be necessary for K-12 administrators to meet parents where they are – be it in-person at community events, posting on social media or sharing news at a community forum – in order to correct the record and combat any misinformation. As with Board members, it will be imperative to clearly explain the timeline of what comes next as well as continually share resources available to those individuals potentially affected.  

Faculty: The primary tone of all communications with faculty should be appreciative and empathetic. This audience may feel the most direct impact of a ransomware attack should noticeable operational disruptions occur, hindering their ability to teach classes and access technology. Aside from concerns over their own personal data, faculty must manage questions that parents and other stakeholders raise, even when they don’t know all of the information. Faculty should be provided with reactive messaging materials to best address any inquiries they receive. Further, leaders should seek to empower faculty members to conduct “business as usual” – this means implementing workarounds that minimize disruption to normal classwork and sharing resources on how to best manage the current situation.

Media / Local Community: In any cyber incident, stakeholders inevitably will ask about the information impacted, who or what is at fault, and similar questions. As this information can’t be determined immediately (and may take weeks or months to fully analyze), it is imperative for administrators to keep a unified voice when discussing the incident with media or other external parties. Local media outlets that regularly liaise with schools may try to use existing connections to get more information – administrators must be ready to deploy legally-approved reactive messaging to address inquiries, balancing information sharing with legal disclosure obligations. Social media speculation could generate chaos for leaders; it is recommended that a single source of information be easily available (e.g., website) and regularly updated.

In a cyber incident, once the initial shock wears off, the clock starts ticking – stakeholders will only be patient for so long before the questions begin to flow in. Without dedicated communications guidance built into an incident response plan, it will be difficult to alleviate the concerns of key audiences. It is prudent for leaders in the education sector to focus on preparedness efforts and training exercises that balance technical resolution and communications strategy to best ensure they are ready for an incident not just if, but when it happens.

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

©2023 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com
