Why Is It Important in K–12 Districts?
School networks contain a lot of sensitive student data. Incident response plans are critical to help districts minimize the impact of potential system compromise or data breaches. Common concerns include:
- System downtime: “Ransomware has become ubiquitous,” says Simon Jelley, general manager and vice president of product for Veritas Technologies. “It’s no longer a question of when your district is attacked, it’s how bad will it be? The education sector is a prime target. Almost 50 percent of education organizations were hit by a ransomware attack in the past year. They’ve become so common, there’s a term circulating for when a school cancels classes because an attacker has locked them out of their IT systems and data: a ‘cyber day.’”
- Reputational damage: If attackers can compromise systems and access data, they can leverage this information to damage school reputations. “I remember a situation where a district was breached and hackers were threatening to expose data as a way of intimidation,” says Nguyen. “Threats and fear can be very real even though these incidents are virtual.”
- Legal obligations: Because districts collect and store information about students and staff, they often have a legal obligation to disclose if breaches occur and inform affected parties. They may also be required to provide post-incident protection in some circumstances.
What Components of Incident Response Plans Are Critical?
According to Jelley, several components are critical when building an incident response plan.
“The first thing every effective ransomware incident response plan should include is an outline of who needs to be involved and what their responsibilities are,” he says. “Next come the steps those individuals need to carry out.”
These steps include detecting and initially analyzing the attack, defining its scope and determining whether it has concluded or is ongoing. Then, schools must contain the impact of the attack, look for evidence of how the breach occurred, eradicate any malware and remediate the vulnerabilities that enabled the initial breach.
Finally, schools need to recover lost data from hardened backups and respond to any regulatory or contractual obligations.
How Do Districts Keep Their Incident Response Plan Updated?
Nguyen puts it simply: “Practice.”
“When was the last time you practiced your incident response plan? In my experience, 99.9 percent of the time, the answer is never. You may do backups for months or years but don’t know if it’s successful until you need to use it,” he says.
He recommends regularly testing and enacting incident response (IR) plans to fine-tune them for when they’re really needed. Testing frequency will depend on the turnover rate in the organization, but Nguyen recommends schools have a practice run of their IR strategy every time there is turnover in a key role.