
Comprehensive insurance policy was crucial in supporting college’s cyber attack recovery

A year ago, Bridgwater and Taunton College was severely impacted by a ransomware cyber attack.

Key systems, including email, were offline and the decision was taken to quickly remove access to other systems to lessen the likelihood of the attack spreading.

Matt Tudor, interim director of IT, explains what happened:

“During the lockdowns, we had increased remote desktop access for staff and students and the threat actor used that protocol to get past one of the IT staff.

“We were alerted in the early hours of Thursday, January 14, when the email function and other servers stopped working.

“There was also a minor breach of unstructured data, which we also discovered early on, but this did not affect key business data sets, which was a relief. We were lucky because our backups were only 12 hours old. This meant we hadn’t lost a significant amount of data.

“Two days after the attack, we were able to teach and assess students online and students could also submit work remotely.

“The skeletons of our core systems were up and running within 30 days, but there was a lot of ongoing work to do to get them back to their original form. It took another two months to unravel all the workarounds we had put in place to compensate for the systems we had lost.

“Even now, a year on, we are still having ongoing conversations with clients, and we still have to report and update our systems.

“Staff and students have had to get used to significant changes to the systems they use, and we also had to drop some systems altogether because they proved to be insecure.

“One of the most significant impacts was losing school leaver applications, which happened when the website was down.”

Initial response

One of the first actions was to appoint an incident response lead - a role that Tudor, who at the time was director of strategy and partnerships, stepped into. He says:

“I think it’s important that this was neither the CEO, nor the head of IT.

“In this situation, the CEO will be busy communicating with the various stakeholders, the media and the board, and the head of IT will have his or her sleeves rolled up getting stuck into the technical problems.”

From day one, the response team began a series of sunrise and sunset meetings, which covered questions such as ‘what do we know?’ and ‘what do we need to do?’. These went on for 30 days, until all systems were rebuilt.

Initially, because email was unavailable, the team used WhatsApp to communicate and held meetings in person.

The role of insurance

Tudor describes the college’s comprehensive cyber insurance cover as “critical”. It meant the college was able to draw on the expertise of lawyers, a PR company and a special IT forensic team to help it recover.

“Our insurance cost was £10k at the time of the incident and the cost of recovery and putting our systems back together again after the attack wasn’t far short of £1m. The top three costs were cyber forensics, legal expertise and infrastructure rebuild.

“This year we will spend £30,000 on insurance and it’s worth every penny; we realised we didn’t have the depth of expertise or resource to cope without help.

“The senior team, including our CEO and the head of IT, were greatly reassured to have these experts in place, which enabled us not only to build back better, but to also keep faith with clients, students and staff.

“It was a very busy time and having the support of these critical experts appointed by the insurer was so important.”

However, no matter how busy, it’s crucial to make time to capture the costs of a cyber attack, warns Tudor, including loss of earnings, which is important for a subsequent insurance claim.

Recovery planning

“In terms of containment, the forensic team appointed by the insurance company was vital in ensuring the threat actor had left the systems, and that no back doors had been created which would have allowed them access later. We have since installed state-of-the-art threat detection software.”

A PR firm took over communications, preparing letters, statements for the website and updating stakeholders. These included staff, students, the governing body, and funders, plus apprenticeship providers, government agencies and large companies with which the college had contractual obligations.

Tudor’s advice on the appropriate communications tone?

“We responded quickly and honestly. One of our values is to be transparent and honest and we were commended by our stakeholders for this.”

With hindsight...

Tudor admits that, while the college had started to improve its cyber security posture, it was not well defended when the attack hit.

For example, it was using a remote desktop protocol without a web gateway, a control that would have prevented unauthorised traffic from entering the college network.

This has now been remedied and further measures put in place to reduce the risk of a threat actor using the same entry point again. These include multi-factor authentication (MFA) for staff and students, and virtual private networks for staff working from home.

Before the attack, Jisc had conducted a penetration test and the college was working through its recommendations when the attack occurred. During the past few months, another penetration test and a cyber audit, again carried out by Jisc, have been completed and further improvements made as a result.

Pre-attack, Cyber Essentials was in place, but its requirements, says Tudor, should be viewed as only part of a strategic security plan. The college is now working towards Cyber Essentials Plus and ISO 27001.

Personal impact

Aside from the disruption and the financial and reputational impact, organisations often report a high emotional cost. Tudor is no exception. He says:

“There will be tears, there is no doubt about that. It took a toll on myself and my team. There were moments when I wasn’t sure how we were going to get through it.

“It has been a career-defining moment for me, and I hope I’ll never go through anything like it again. It was utterly exhausting.”

Silver lining

Now the college has emerged from the technical and emotional trauma, there are some positives to come out of the attack.

Tudor explains:

“Having worked alongside the cyber experts brought in by the insurers, my team have significantly increased their knowledge. Some of them have also changed roles so they are pointed at the right things, and we are now advertising for a dedicated cyber security role.

“The pandemic increased the college’s use of digital technology and, as a result of the attack, I have been able to leverage increased funding to beef up security and take us further along that digital transformation journey.

“We are in a far better place now, with a better plan and more expertise. We also have more resilient and effective IT systems than we would have had we not had a cyber incident.”
