More than three weeks after some kind of cyber attack took place at Cedar Rapids Consolidated School District in Iowa, staff and parents still do not know the type of attack, the extent of the attack or when systems will be brought back online. Parents were not notified of the July 2 Cedar Rapids cyber attack until July 4, when they found out the schools would be closed for a week, leaving many parents scrambling to find child care.
This is a case study in what not to do after a cyber attack. Organizations that think they can control the message, or that feel they should wait until they have a “sufficient” level of information, may find themselves on the receiving end of lawsuits in the near future, as Congress takes a closer look at financial losses associated with hacking. Delays in reporting may also violate the terms of a Cyber Liability Insurance policy, leaving organizations responsible for financial damages suffered by employees, clients and the public.
What Went Wrong with the Cedar Rapids School District Response?
The response of the Cedar Rapids Consolidated School District shows a significant lack of understanding of how data breaches must be handled. Best practices in data security call for the following steps:
- Inform all impacted parties immediately. Any delay in reporting a breach leaves impacted individuals vulnerable to identity theft and financial losses. Insurance providers and lawmakers are catching up to this reality, and it is a matter of time before data breach disclosures are mandated by law. Until then, organizations must understand that the bad press and embarrassment of a data breach are far less significant than the material harm caused by identity theft.
- Inform anyone potentially impacted by a breach immediately, even if you have doubts. People would rather change their passwords and find out they were not affected than learn weeks later that their personal information has been compromised.
- Disclose the nature of the cyber attack. Were systems hacked? Was data stolen? Was there a ransomware demand? Was the ransom paid? Organizations seem to believe that failing to disclose this information makes the problem go away. In fact, it makes your employees, customers, potential customers and the public aware that you are not transparent when you have a problem. This erodes confidence in your organization and harms your bottom line. Some organizations may get away with hiding details once with minimal impact. Suffer a second breach and your employees and customers will lose all confidence in you.
- Recall all potentially compromised devices immediately. KCRG reported that staff at Washington High School were told to turn in their laptops before the start of the year, something that one teacher called “very unusual.” When asked if this was related to the cyber attack, CRCSD said it is “not able to provide further details.” As cyber security experts, we know that an attack on a network impacts every device connected to that network. There are two immediate steps that must be taken after an attack: Turn every device off and turn every device in.
Malware may be lurking on connected devices to reinfect systems or, in the worst-case scenario, to continue transmitting data to hackers. Organizations with strong cyber security have protocols in place that disconnect users from compromised systems and alert them to stop using those devices immediately. In the most robust environments, a CISO, Virtual CISO or IT specialist can shut off network access for all devices remotely.
What is more concerning here is that employees appear to have no information about the extent of the breach, even though their ability to do their jobs was directly affected by it. That is a massive communication failure that compounds the impact of the breach and may lead to challenges in investigating both the cause and the extent of the breach. If employees do not need to be concerned, that should be communicated clearly.
Cedar Rapids Case Study – Conclusions
The poor response of CRCSD to this cyber attack is a classic example of what happens when organizations do not have a response plan. It is very likely that this school district will spend more time and money to remedy this breach than it would have if it had a full cyber defense plan in place.
How would you respond to a breach? Would you have backup data ready to deploy and emergency communications for your employees and clients? If the answer is anything other than yes, you need to contact us online or call us at 1-800-658-8311 to speak to a cyber security expert.
Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.