Nov 02 2022

How to Execute an Incident Response Plan

With cybercrime on the rise, higher education IT leaders share thoughts on best practices.

The inevitable finally happened at Howard University on Sept. 3, 2021.

Just two weeks into the fall semester, the Washington, D.C., institution was forced to suspend classes in the wake of a ransomware attack. The good news? The breach had been contained; networks were down, as was the Howard website, but the university’s IT department had the situation under control.

“We were fortunate to have an internal team and a vendor-driven support system that allowed us to diagnose and determine our next steps for network stabilization quickly,” recalls Howard Associate Vice President and CIO Olga Osaghae. She and others within IT had previously collaborated with stakeholders across the university to develop and hone their incident response plan. They knew before the attack took place what they’d do in order to recover; all that was left when the day came was to put their plan into action.

Universities Must Take Action with Incident Response Plans

As cybercriminals have become more advanced and their attacks have increased in complexity and severity, most colleges and universities have recognized the need for incident response planning. According to Sophos’s “The State of Ransomware Report 2022,” 64 percent of higher ed IT professionals report their institutions fell victim to ransomware in 2021. Howard University is certainly not the only school that’s had to execute its incident response plan; today, those that have not are the exception to the rule.


Patricia Clay, CIO at Hudson County Community College and co-chair of the Higher Education Information Security Council at EDUCAUSE, says that when an attack happens, taking a wide view is imperative.

“I always tell people, your first step should be to suss out exactly what’s happening,” she says. Most incident response plans hinge on the nature of the specific threat. “Your response will be different depending on the scenario: Was one important person’s account compromised? Are your websites under attack? It’s important to understand the situation right away so you know what you need to do next.”

At Howard, Osaghae says, once team members realized what they were facing, they immediately kicked their plan into gear. “Our IRP dictated that our first step was to analyze and protect the organization by disconnecting all systems to stop the spread,” she says. From there, she notes, further analysis was done “to detect the timing, location and scope of the attack to ensure that the vulnerability was addressed.”

Communication and Recovery Are the Next Steps of Incident Response

Also critical in the early stages of any response is clear and concise communication, Clay says. Even as your threat detection system does its job and IT seeks to stem the breach, “you have to reach out to everyone who needs to know, from executive leadership to your cybersecurity insurance people.”

Many insurance providers have consultants they can send “who are highly skilled, and this is all they do — the kind of experts you want in your corner,” Clay says. That’s an especially important consideration for smaller institutions that may not have substantial IT resources.

Outreach and communication should be consistent and carefully worded, so as to not cause confusion or unwanted distractions.


“I might fancy myself a decent communicator,” Clay says. “But as a tech person, I can get stuck in the weeds of explaining too much or using jargon.” Lean on your internal communications team and ensure you provide students, faculty and other stakeholders “with the information that matters to them,” she recommends.

Finally, Clay says, once you’ve recovered from the attack by following the protocols in your incident response plan, it’s important to file an after-action report.

“Look back at what happened with a critical eye to see if there’s anything you should have done differently, whether it’s around prevention or your response,” she says. The idea is not to point fingers; rather, “it’s to make it harder for the hacker the next time, so maybe they’ll decide to target somewhere else.”

At Howard, Osaghae says, once the team was satisfied that the specific vulnerability had been identified and isolated, “we recovered by going net new and strategically bringing systems online according to priority.” They initiated a “total overhaul” of the campus’ tech deployment, replacing all servers, desktops, and distributed laptops and mobile devices. All systems “were and remain on predefined schedules to be fully patched and backed up,” she adds.

As Howard looks ahead, its incident response training and tabletop exercises now make it clear that legal, communications and other university groups should be fully engaged in the response process. Meanwhile, back in IT, “We have continued implementing high cybersecurity standards to protect the organization from future attacks,” Osaghae says.


