As warnings of an increased likelihood of cyberattacks across all sectors mount amid the Russian invasion of Ukraine, school districts should be thinking about how to publicly communicate a cyber incident should one occur.
There’s a range of ways districts have reported cyberattacks in the past, though they often just go unreported. Recently, in fact, an investigation by the South Florida Sun-Sentinel discovered evidence the Broward School District in Broward County, Florida, worked to hide and then delay public notification of ransomware attacks that occurred from November 2020 to March 2021.
With schools becoming increasingly vulnerable to cyberattacks, a recent report by nonprofit K12 Security Information Exchange called for greater public disclosure of these incidents to help inform research, policymaking and cyber defense tools.
But what’s the best timeline for communicating details of a cyberattack? Mellissa Braham, associate director of the National School Public Relations Association, said it’s key to know how to prepare public communications before, during and after a school cyberattack.
Before: Plan ahead
While cyberattacks are not new, Braham said awareness is increasing about these incidents and how to best communicate them to the public.
“It’s something that all districts should be prepared for the potential of, and that’s why crisis communications planning around the potential for cyberattacks is so important,” Braham said.
To start, districts should consider if families and staff already know what a school day will look like in case schools are shut down or a student data system is hacked, she said. If not, Braham said, now is the time to develop a plan for communicating that information, similar to a plan for handling weather-related emergencies.
Districts can even share and update information each year about how they would handle and react to a cyberattack, which can help raise confidence and reduce panic in the school community, she said.
It’s critical to consider how staff and leadership will communicate with each other if the district’s email system is shut down and there’s no way to meet in person, Braham said.
District leaders should also make sure they have a crisis communications plan in place, she said. These plans should specify who will receive communications during a cyberattack, how to facilitate those communications, and who is responsible for issuing communications during the crisis.
During: Communicate immediately
As soon as a cyberattack occurs, districts can announce what happened, how the district is responding, who is affected by the incident, how the district will notify those impacted as more information comes out, and what cyberattack victims can do at that moment, Braham said.
“Those [details] don’t need to wait until the situation itself has been resolved,” Braham said. “I think that goes a lot to building trust with your community.”
While it's important to inform parents and staff during an ongoing situation, districts should also reach out to key vendors and community partners who could be impacted, she said. One tip is to keep a contact list of district partners, including local politicians and representatives, to include in communications about a cybersecurity crisis, Braham said.
Then, since there will be ongoing effects, provide regular updates to those affected, she said.
“A lot of times in the midst of a crisis, stakeholders are willing to extend grace, but that grace doesn’t last forever,” Braham said. “They want to see progress, they want to see what you’re doing to prevent. So it’s really important to keep these stakeholders informed, and particularly your employees because they’re really your ambassadors out in the community.”
After: Disclose financial details?
During an ongoing ransomware attack, a district might not be prepared to disclose how much it costs to handle the developing situation, Braham said.
But when an incident is over, a district could publicly share the financial consequences of a ransomware attack to be transparent, she said.
“When we’re dealing with public funds, there’s an expectation for transparency around the use of tax dollars,” Braham said. “We have obligations to share information about our budgets, our operational expenses, and I would anticipate that fiscal transparency would include dealing with threat actors.”
Ransomware attacks cost U.S. schools and colleges an estimated $6.62 billion total in 2020, according to an August 2021 report released by Comparitech, a pro-consumer website providing information and tools to the public to improve cybersecurity and online privacy.
The reason districts often don't reveal the cost of ransomware attacks is to avoid encouraging more cyberattacks in the future, said Paul Bischoff, author of the Comparitech report and a consumer privacy expert.
While Bischoff sees value in schools disclosing the costs of ransomware attacks so that the real scope of the problem can be grasped, he understands why schools fear sharing that information.
“If a cyber criminal sees that this school has lackluster IT admins [administrators] that aren’t doing a good job protecting their system, and that they paid $5 million in the past, then they’re sure as hell going to target that same school in the future,” Bischoff said.
The matter is a balancing act, he said, adding that maybe districts can wait a certain period of time before publicly sharing the financial costs of a ransomware attack.