Feb 11 2022

TCEA 2022: One School District Shares What Not to Do to Prevent a Ransomware Attack

With K–12 schools a prime target for ransomware, school leaders discussed how they are protecting themselves going forward.

“It’s like your home was robbed, and there’s nothing you can do about it. We had 800 employees and 5,200 kids, and everybody is shut down,” said Julie Gauthier.

The deputy superintendent of Port Neches-Groves Independent School District in southeast Texas explained to a room full of TCEA attendees in Dallas what it felt like when her school district was hacked back in November 2019.

“It was a nightmare,” Superintendent Mike Gonzalez agreed. “We couldn’t believe this happened to us. We didn’t believe that it could happen to us. There’s tremendous pressure, and you want to get things right, but we quickly realized it was not going to be a quick fix.”

With ransomware attacks top of mind for many school districts, it was not surprising that there were multiple TCEA sessions on the topic and that employees from several districts were willing to share their experiences.

In the “After a Ransomware Attack: Lessons Learned” session, a panel of Port Neches-Groves ISD employees — including the technology director, a librarian and a high school principal, in addition to Gonzalez and Gauthier — candidly shared what it was like living through the attack, where they went wrong, and what improvements they made in the aftermath.

In November 2019, someone clicked on a link in an email, and all the files in the district were encrypted, including files in the cloud for some people. Thankfully, the district had insurance, and when the attack happened, it turned to its insurers for assistance. Port Neches-Groves panelists shared some key takeaways from the experience:

To Pay or Not to Pay a Ransom

Today, the advice is not to pay ransoms. However, back in 2019, Port Neches-Groves leaders said there wasn’t a lot of guidance on how to manage that type of situation. Technology Director Crystal Werkheiser, who was the director of instructional technology when the attack occurred, said guidance from the district’s insurance company was part of the reason they paid.

“We also weren’t confident in our backups,” she said. “That was something we weren’t checking every night. Sometimes it would run, sometimes not. We couldn’t deny that. So now we’re confident in our backups if it were to happen again.”

Get an Outside Third Party to Review Your Security System

To make sure the district was doing everything it could to stay safe, Gonzalez hired an outside firm to check for vulnerabilities. After running tabletop exercises and discovering weaknesses, the district made several changes to its security plan.

Make Regular IT System Updates

Werkheiser freely admitted that the district had made errors that left it vulnerable to attacks. “We had servers running outdated operating systems. Over 75 percent of our computers were running on Windows 7,” she said. “We also needed to be better stewards of our information. We had given privileges to a lot of people who didn’t need it. Now we are taking back a lot of permissions that we had given over the years.”

"After a Ransomware Attack: Lessons Learned" TCEA 2022

Crystal Werkheiser, Scott Ryan and Candice Curran speak at TCEA 2022.

Force Compliance and Regularly Educate Staff

Werkheiser said that, while it can be really inconvenient at times, the district has implemented mandatory security practices such as multifactor authentication, annual phishing tests and periodic password resets. Her team also attends monthly cybersecurity meetings and other relevant training.

Make an Incident Response Plan and Regularly Review It

Since the district was hacked, Werkheiser said, the team has updated its incident response plan to address the worst-case scenario, and they regularly test and revise it.

Keep Backups of Critical Documents

Scott Ryan, high school principal, recommended that schools keep printed copies of things like schedules, emergency contact lists and class rankings. “I’m sure everybody has emergency cards, but our attendance office did not have paper versions at the time,” he said. “Luckily, I had a couple in my office. Now we make sure that’s one of the first things they do each year.”

Werkheiser said the district now has several backups and also keeps its critical data backed up in the cloud. She also strongly encourages all teachers to move their files to Google Drive, going so far as to make personal visits to holdouts. “Our insurance company policy dictates a lot, and now we go above and beyond,” she said.
