Friday (5/8) morning, the computer network serving the state’s appeals courts was shut down after it was discovered to have been attacked by ransomware the previous night.
It was predicted in early March that hackers might leverage the coronavirus pandemic to execute ransomware attacks, and many companies have been buckling down. Ideally, the same would have been happening across state and local governments as well. Regardless of whether or not this particular instance could have been anticipated, the Texas Judicial Branch office made several commendable decisions from a communications standpoint:
Quick, albeit temporary, alternatives for users
A temporary site was made available Monday (5/11) morning. We can only assume that this was as soon as possible. While limited in functionality, many options are still available through third-party vendors that the office was already working with.
Rapid response to the issue with pertinent information
The same Monday morning, a statement was released by David Slayton, Administrative Director, which outlined the breadth of the attack and the steps taken by IT staff when the breach was discovered. They emphasized that the TJB will not be paying any ransom, and is actively working with law enforcement to fully resolve the issue. As well, they were able to confirm that this breach was not in any way linked to working conditions during the coronavirus pandemic. While they did not outline what additional steps they would be taking going forward, it is still an ongoing investigation so it may be important that details of remediation and prevention are closely held.
Did not bunker down
Poor cyber-attack responses typically run in two polar opposite directions. In the first, no information is released, and the public is largely uninformed or misinformed about what has happened because the affected organization feels that it has to know all information before addressing the public. The opposite can be equally damaging. By releasing too much information, you can find yourself in a spiral of constantly updating your total number of systems or individuals affected, and every update brings more and more bad news.
What the Texas Judicial Branch office did well here was informing the public of the services that had and had not been targeted, while not yet releasing any exact figures that may be subject to change. They made themselves readily available to news sources as the story broke, but in their statement Monday morning they stated that they will not be commenting further until there is more concrete evidence available. By doing this, they are now the source of all forthcoming information, and they have made their landing page the best source for users to find it.
What I would advise going forward
Keep the temporary website as a trusted source of information for people who want to stay in the know until the crisis is resolved entirely.
Release the scope of the attack and the figures associated when you have that information.
Instead of focusing on finding and naming the source of the attack, focus on what matters to those affected. How is the situation going to be fixed, and what will the remediation process look like if necessary? What can you do to instill confidence in people that this will not happen again?
Utilize social media. When you have a website that is down and a temporary one that may be difficult to find or navigate, you have to use all communication channels to reach your audience. You cannot assume that everyone is watching your website for every update you can provide.
Bunkering down can happen at any time. Just because you were quick to respond to the initial events doesn’t mean that you get to ignore the media calls that haven’t come in yet.
Be concise with your updates. A lengthy statement may be necessary to address all the concerns from the beginning, but going forward send out bits of information as you get them.
Your actions going forward from this will speak louder than words. You can talk about training your IT staff to be more prepared and mending outdated systems, which may prevent this in the future, but if you don’t follow through you will not regain the trust of those who come to you for your services.