Restoring ransomed files was only the first step to recovery

Situational Overview

With a staff of 125, Family Service Rochester (FSR) in Minnesota focuses on educating, supporting, protecting, and empowering individuals and families. Its 30 programs address child maltreatment, child welfare, children’s mental health, and domestic violence. FSR was founded in 1965 to support and enhance its community, and while its core tenet of service remains the same, the challenges it faces have grown and evolved.

One such challenge occurred in January 2017, when FSR staff discovered the organization was the victim of cybercrime, their files had been encrypted, and they were faced with a ransom demand to unlock them. The good news was that FSR was prepared, and through its contracted IT vendor, the organization was able to restore all files to the system within 24 hours. While this part went smoothly, the work to recover from the attack and the associated costs were just beginning. As FSR Executive Director Scott Maloney would soon find out, the legal requirements, time commitment, and related expenses were going to be staggering.

“We paid about $25,000 just to find out how they got into our system and where they went once they were in,” said Maloney. “We learned that hackers had access to our system from Dec. 26, 2016 to Jan. 25, 2017.” Although it could not be confirmed that the intruders extracted any information, the incident still counted as a HIPAA breach: unauthorized access to protected health information is presumed to be a breach unless a low probability of compromise can be demonstrated, and the records of more than 500 FSR clients could have been viewed during that month of access, which put the incident over the 500-individual threshold that triggers additional notification obligations.

While the IT firm had fulfilled its contractual requirements and made several upgrade recommendations, the attack took advantage of FSR’s own procedural gaps and its lack of understanding as to the level of security it truly needed. This included FSR’s policies on using and retaining passwords, staff knowledge of cybersecurity, and a records retention system that was vulnerable to a breach.

FSR was unaware of its risk, and the IT firm failed to investigate and assess the organization’s vulnerability thoroughly and was not proactive enough in identifying the guidance and training needed to help ensure a better-protected system. The result was that the attack exposed as many as 15,000 clients, including those who had been served by the organization 10 years before the attack.

However, through diligent, but costly, work with an attorney and cyberattack recovery specialists, FSR was able to meet the notification obligations imposed by the federal government and by each state in which a current or former client now resided. And because of the exceptional work of its entire team, no fines were levied; however, the total cost to FSR was still over six figures, not including the tremendous number of hours spent by staff.

“I would spend all day addressing the data breach then I’d go home for dinner and then come back to work until midnight; then I’d get to do it all over again for three or four weeks,” said Maloney. Knowing a cyberattack could mean the end of the organization, FSR now contracts with a new firm and spends approximately $100,000 annually for a fully managed IT system. “Initially, I Googled ‘what to do when there’s a cyberattack,’ and I still to this day remember the first thing that came up said, ‘60 percent of businesses that suffer a cyberattack are no longer in existence.’”

Challenge

It’s no secret that cybercrime has increased in step with the sophistication of the methods used to compromise IT infrastructure. FSR found that the attackers breached its IT system through a remote-access connection protected by a weak password. Nobody knew the criminals had been inside the system for roughly a month until they locked files and demanded money.
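The following is an added example, not code from the Family Service Rochester case study or from its IT vendor. It shows the kind of login monitoring that would have surfaced a month of unauthorized remote access much sooner: repeated failed logins from one source, a successful login right after them, and any successful login from outside the organization’s own address space. The sshd-style log format, the hostname, the user names, the internal network list and the addresses are all constructed for illustration (203.0.113.0/24 is a documentation range standing in for an attacker’s address).

```python
"""Detect password attacks and unexpected remote logins in authentication logs.

Added example (not from the case study or its IT vendor). The log lines,
hostnames, users and addresses below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re

# Constructed: the address ranges the organization considers its own.
INTERNAL_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# Constructed sample log in an sshd-like "Failed/Accepted password" style.
SAMPLE_LOG = """\
2016-12-26T02:11:04 remote01 sshd: Failed password for admin from 203.0.113.45
2016-12-26T02:11:09 remote01 sshd: Failed password for admin from 203.0.113.45
2016-12-26T02:11:15 remote01 sshd: Failed password for admin from 203.0.113.45
2016-12-26T02:11:22 remote01 sshd: Failed password for admin from 203.0.113.45
2016-12-26T02:11:30 remote01 sshd: Failed password for admin from 203.0.113.45
2016-12-26T02:13:40 remote01 sshd: Accepted password for admin from 203.0.113.45
2016-12-26T02:13:41 remote01 sshd: pam_unix(sshd:session): session opened for user admin
2016-12-26T08:02:15 remote01 sshd: Accepted password for jdoe from 192.168.1.20
2016-12-27T09:15:02 remote01 sshd: Failed password for jdoe from 192.168.1.20
2016-12-27T09:15:20 remote01 sshd: Accepted password for jdoe from 192.168.1.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(lines):
    """Yield (timestamp, result, user, ip) for login lines; skip everything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # session open/close and other noise are not login attempts
        yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def is_internal(ip):
    """True when the address falls inside one of the organization's own networks."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(lines, window=timedelta(minutes=10), max_failures=5):
    """Return a list of (alert_kind, ip, user, timestamp) tuples.

    brute_force:            max_failures failed logins from one IP within window
    success_after_failures: a successful login from an IP that just hit the threshold
    external_login:         any successful login from outside INTERNAL_NETS
    """
    recent_failures = defaultdict(list)  # source ip -> timestamps of recent failures
    alerts = []
    for ts, result, user, ip in parse_events(lines):
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in recent_failures[ip] if ts - t <= window]
        if result == "Failed":
            recent.append(ts)
            if len(recent) == max_failures:  # fire once, as the threshold is crossed
                alerts.append(("brute_force", ip, user, ts))
            recent_failures[ip] = recent
        else:
            if len(recent) >= max_failures:
                alerts.append(("success_after_failures", ip, user, ts))
            if not is_internal(ip):
                alerts.append(("external_login", ip, user, ts))
            recent_failures[ip] = []  # a success ends the attempt series
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind:24} user={user} from={ip}")
```

Run against the constructed log, the detector raises three alerts, all for the admin account from 203.0.113.45: the fifth failure within ten minutes, the success that follows it, and the fact that the success came from outside the organization’s networks. The internal user’s single failure followed by a success raises nothing. The internal ranges are listed explicitly rather than relying on `ipaddress.is_private`, because Python classifies the documentation range used here as non-global, and in practice an organization’s “own” address space is a policy decision, not a property of the address.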

Hacking, phishing scams, and social engineering designed to mine information from staff make an organization’s system vulnerable. And even if you have IT security in place as FSR did, it may not be robust enough to blunt an attack. “We never felt like we were being cheap in terms of our IT prior to the breach. We did everything, every upgrade, every security recommendation from our IT company that was brought to us,” said Maloney. “We thought we were safe!”

Since the attack, FSR increased its IT budget, created a board IT subcommittee, and instituted a document management system to ensure client data was either deleted when not needed or made secure through stronger viewing permissions. “This experience has made me reflect. As we continue to grow we need to pay close attention to what I call our infrastructure—the support services and staffing that allow us to deliver on our mission. We need to grow our IT systems, services, and security at the same rate,” explained Maloney.

Lessons Learned

For FSR, the lessons of cybersecurity came at a high cost. To avoid the same fate, one of the most basic recommendations is not to go it alone. Today’s cybercriminals go beyond rogue individuals looking for a quick score. Cybercrime is an industry that extracts millions of dollars from both large and small organizations. Safeguarding against criminals means working with IT professionals who specialize in keeping security on par with the level of attacks that are bound to be made. This includes:

  • Reviewing and updating current policies and practices related to cybersecurity
  • Regularly auditing and monitoring IT platforms and file systems
  • Providing staff training on cybercrime schemes and the correct ways to handle files, correspondence, passwords, and anything else that opens a window into the organization’s IT system
  • Reviewing insurance needs to ensure coverage of the total cost of a data breach
  • Creating an IT crisis plan that addresses board and client communications, media coverage, and the required legal procedures in the event that a data breach occurs

To support community-based organizations, the Alliance for Strong Families and Communities offers several services and resources around cybersecurity awareness and protection. These services center on preparedness and prevention, so that an organization doesn’t suffer as FSR did. This includes system monitoring, an automated security awareness training program for staff, and cyber liability insurance.

Because the Alliance understands the unique needs of nonprofits who work directly within their communities and the sensitivity of their client records, we will work with you to understand your needs in direct relation to your current IT security, level of staff IT knowledge, and budget constraints. We not only provide immediate service and guidance but also offer recommendations for additional help from other IT security resources.

Cybercriminals are relentlessly working to grab data to ransom or sell. Make sure you are doing all you can to keep them out of your network so you can continue to serve your community.

Learn more about the Alliance Operations Support Services online.