In the midst of a cybersecurity incident is not the time for K–12 IT leaders to discover their incident response plan has flaws. While having an IR plan is a positive first step for teams, they also need to ensure the plan will be effective when an attack occurs.
There is no single correct way to create an incident response plan, and the scope of these plans will vary by organization. However, there are common mistakes that all K–12 leaders should avoid.
Click the banner to explore incident response resources from the experts at CDW.
Lack of a Security Strategy or Playbook
When creating an incident response plan, districts should ensure they have both a security strategy and an IR playbook.
The security strategy should be the foundation upon which the IR plan is built. However, districts and organizations sometimes rush to create a plan, or they draw up a plan using a generic template, without fitting it to their security strategy.
Make sure you’ve laid the foundation for your incident response plan with a solid strategy, and work with a trusted partner to create a playbook your organization can follow.
Failure to Use the Playbook
Once the playbook is created, all the stakeholders should learn it and use it. Playbooks can help keep everyone on the team aware of common attacks and consistent responses.
Cybersecurity can present an intimidating learning curve to those who aren’t accustomed to managing it. Using playbooks can keep everyone on the same page, especially in a high-intensity situation such as a cyberattack.
LEARN MORE: How can vCISOs help districts fill cybersecurity knowledge gaps?
No Tabletop Exercises or Staff Training
One of the biggest mistakes a district can make is to not practice its incident response strategy. Schools that enact their IR plan only when a cyberattack has occurred may find out too late that some part of the plan is faulty or out of date.
Practice incident response with tabletop exercises and train staff on their duties as well as current best practices to ensure the team is ready when your school becomes the target of cybercrime.
Inconsistent or Inaccurate Logs
FRSecure’s Cybersecurity Incident Response Team found that 65 percent of organizations weren’t storing logs or were storing them for fewer than 30 days. With an average detection time of 197 days to identify a breach, according to IBM, the information those districts would need to detect and defend against a cyberattack would be long gone by the time they discovered the attack.
Without substantial and appropriate data, incident response teams won’t have visibility into what systems are affected, to what extent they have been affected, or where the problems are coming from. This will lengthen the time it takes to identify and contain a breach.
Incomplete Root Cause Analysis and Remediation
In the rush to return to business as usual, districts may overlook an in-depth investigation into the root cause of an attack. If the IR team works only to contain the attack, without root cause analysis, then the weak link in the district’s security posture remains.
This means that cybercriminals can — and likely will — hit the school again with a similar attack. “If only contained, without root cause analysis and remediation, threat actors will be back in 30 to 90 days or less,” according to Security Boulevard.
Outdated Incident Response Technology
Legacy technology, as well as tech that isn’t kept up to date, can by itself introduce myriad security risks to a school’s network. When using outdated technology for incident response, IT teams won’t have the capabilities needed to keep up with sophisticated cyberattacks.
Cybercriminals are constantly innovating and advancing their techniques. Without proper investment and maintenance, cybersecurity and incident response tools can’t perform reliably in the event of an attack.
Keep this page bookmarked to keep up with all of EdTech's Cybersecurity Awareness Month coverage, including featured articles on incident response plans.
DOWNLOAD THE CHECKLIST TO SAVE AND SHARE.