Case study: how to respond to the reputational aspects of a cyber incident
- Published: Monday, 02 March 2020 08:56
While hardly a global brand, a recent cyber attack on Dundee and Angus College provides a good example of how to deal with a cyber incident. Charlie Maclean-Bristol looks at the lessons that can be learnt from the response.
Whilst the attack on Dundee and Angus College was not a major incident, and it only really made the local papers, I thought that, as their response was effective, I would share some details as an example of a good response.
When looking at Dundee and Angus College’s response, I have no insider information; I only have access to their response on Twitter, Facebook, their website and local paper reports. I think reading this information gives a good overview of their response. What I have not been able to get is the students’ reaction and their thoughts on whether the incident was well managed or not.
According to a local newspaper, The Courier, the incident started at 3am on Friday 31st January and during the day the IT systems at all three campuses became infected with ransomware. On Friday the college sent students home and cancelled classes. On Saturday there were no communications, but on Sunday they posted on social media that the college would be closed on the Monday. Communications on Monday told students that on Tuesday classes would also be closed. However, students were asked to come into one of their three campuses on Tuesday and sign back in, in order to access the college systems. On Tuesday they announced that the college would reopen on Thursday, which it duly did.
The following points include the communications I thought were good practice, which the college carried out throughout the incident:
1. If the incident affects your organization and there isn’t the possibility of keeping silent, then you should quickly acknowledge publicly that you have had an incident and that once you have further information you will post an update. In the college’s incident, although it occurred on Friday there was no communication until Sunday - I suspect this was all about timing. As the incident occurred on Friday, they had the luxury of the weekend to decide how serious it was and whether they could resolve it before students and staff returned to work on the Monday.
2. In their first communication, which was on social media on Sunday 1st February, they admitted immediately that it was a cyber incident, not a computer glitch or, as Travelex displayed on their website for two weeks, ‘this site is temporary unavailable due to planned maintenance’.
3. If your main website is down due to ransomware, then you have lost your main means of communication, especially if you have a number of different messages to communicate. The college followed the well-trodden path of using social media to communicate with their stakeholders, until they were able to get their website up and running. Twitter was used to give short messages signposting those wanting more information to go to Facebook. Twitter is well used by the college and they have over 6,900 followers. They have built their audience on Twitter so that when an incident occurs their students and others would naturally turn to social media for information. On Facebook they had over 14,000 followers and so used it effectively to give out incident information. Facebook is useful in an incident, as people can post messages and the organization has the ability to reply. It can be used as a good repository of questions and answers on the incident. You can see the college's answers to queries from students on Facebook.
4. It was clear that the college put ‘the victims’ (the students) and staff at the centre of their response and throughout the incident thought about what might be worrying them and then reassured them in their communications. Communications stated that they believed no personal data had been lost in the attack and those students in receipt of ‘bursary entitlement or any other payments’ would not be affected. Even when they asked students to come in to sign on to their college computer accounts, they had the buildings open for extended hours (9am to 7pm), and they made sure that the canteen was open during that time. After all students returned on Thursday, the college had to admit that some of their backups had been impacted by the ransomware, but they stated very clearly that this would be taken into account when grading students’ work.
5. Most of the activities usually carried out in the college were stopped for three days, even the Gardyne Gym & Swim. The only activity which continued was the Helping Hands Nursery, Arbroath. Closing the nursery, I presume, would have had a major impact on staff and others in the local area and perhaps even those who might have been responding to the incident, so this shows that the incident team had thought through their response and not just closed everything as a knee-jerk response.
6. Throughout the incident the college said when they would give the next update, usually the next afternoon; and they kept to their word.
7. The principal was not featured in the communications from the beginning, but on Wednesday he released a full statement on the event. He praised staff for their amazing response, talked about the college having Cyber Essentials Plus in place, proving that they had taken cyber security seriously, and explained that the cyber attack was not targeted at them, but can ‘happen to any organisation and the feedback we have had from experts is that we have been unfortunate’. Visibility of senior managers and their comments are an important part of any incident response and although the ‘message from the principal’ was delivered five days into the incident, it was a lot better than the Travelex CEO, who took two weeks to come up with a statement on their cyber incident.
8. It was interesting to note the tone of the principal’s message. He described the organization as a victim and didn’t apologise for the impact on students and staff. Perhaps this was the right call to take at this time, but if the college is found negligent in any way during the investigation then this position may be more difficult to hold.
9. After the incident it was reported in the local paper, The Courier, that a ransom had been demanded for the decrypting of their data and the principal is quoted saying ‘The idea of paying a ransom, or paying any money, is a non-starter for us. It’s just not going to happen’. It was only admitted after the event that a ransom had been demanded, perhaps so as not to panic students and staff. I think the information about a ransom makes the attack seem more personal, so I can understand only releasing this information after the event. It also plays into the college’s narrative that they are a victim and it was due to a student or staff member clicking on a phishing email and their system perhaps being vulnerable to this type of attack.
You can find a timeline of Dundee and Angus College's events and communications here (PDF).
On the whole I am impressed by quite a small local institution responding to a cyber attack much more effectively than some of the larger, better-resourced organizations such as British Airways, Marriott and Travelex.
Charlie Maclean-Bristol, FEPS, FBCI, is a Director at PlanB Consulting, a UK-based company that provides business continuity training and consultancy.