Tech Tidbit – Be careful about the words you say in a security event

November 24th, 2025

I have had to work through a number of these business email compromise (BEC) attack situations that were potentially reportable events.

It is important to understand that specific terms are legally charged words. "Breach" is probably the most significant. I am not a lawyer and Acture in no way can provide legal advice, but my very strong suggestion is that you consult with your district's legal counsel before ever speaking that word.

If you call up the State or your cyber insurer and say 'breach,' you have started a process you may not be able to control.

You may have a breach, but that is for your district Superintendent and the lawyers to determine.

We investigate events, issues, and anomalies. Your district Superintendent and their leadership and legal team need to evaluate the issue and the risk and define the event.

I have seen too many cases where the district starts discussions with vague, imprecise information, and the other agency takes a defensive position. It is important that even if something bad happened, you have as precise a definition as possible about what happened, when it happened, what information was exposed, and what you have done to resecure the system.

I had the privilege this week of participating in a tabletop exercise on a theoretical security event with a school district in the region.

We spent a fair amount of time talking about the importance of word choice, strategies for proving what did and didn't go on, and how far it went.

We spent some time understanding the reporting obligations the district has to its cyber insurer to maintain full compliance with the cyber insurance policy.

We also spent a lot of time talking about "one spokesperson" and speaking with one voice.

Only one person can be the district spokesperson, and you can have only one set of facts. There can be no theory or conjecture. If you say something that turns out to be wrong, you have lost trust and can't get it back. It is better to say less until you can definitively say whatever your legal and management team has authorized.

Tabletop exercises can help your organization better understand how to use your formal "Incident Response Plan" and refine it to reflect the district's current realities and the full spectrum of tasks that must occur in an actual event.

Acture can conduct a tabletop exercise with your administrative and/or technology teams.

If you are interested in setting a tabletop exercise up, give us a call.

Scott F. Quimby

Senior Technical Advisor, CISSP, vCISO

Acture Solutions, Inc.