Oct 10 2022

How School Districts Can Take Incident Response Planning to the Next Level

In the face of growing cybersecurity attacks in K–12, schools work to protect all bases.

In K–12, cybercrime is a constant threat. Every day, school IT teams face and work to defend against cyber breaches. This makes cybersecurity critical.

“We see thousands of attacks of all kinds yearly,” said one respondent in the State Educational Technology Directors Association’s “2022 State EdTech Trends Report.” “In 2021, we had nearly 1,000 distributed denial of service attempts alone.”

However, not all schools are ready to respond effectively. District Administration and Education Networks of America recently surveyed 280 K–12 administrators and educators. Of those whose districts experienced a cybersecurity attack or event in the past three years, only 16 percent said their school systems dealt with the event “highly effectively.”


An airtight incident response plan can make a big difference, says Charlie Sander, CEO of cloud data security firm ManagedMethods. “The goal of your incident response plan is to enable a fast and effective response to a cybersecurity incident,” he says.

Marlo Gaddis, CTO for the Wake County Public School System in North Carolina, agrees, and is leaving nothing to chance.

“We know that in a time of crisis, you need to have a game plan,” she says. “What’s your first step, and what will you do next? Who will you need to contact right away, and how are you going to reach them?”

Gaddis notes that Wake County is working on its own incident response plan, but not because the district lacks a clear strategy for what to do when an attack happens.

“It’s because we’re always learning more, always revising,” she says. “A good incident response plan is never complete.”

When Faced with an Attack, Will Your Shields Hold?

As K–12 IT leaders everywhere squash one cyberthreat after another, many K–12 IT experts come to the same conclusion: The only way to win this fight is to go beyond basic incident response planning.

“The goal is to get as close as you can to making sure that nothing bad ever happens,” says David Banks, director of network services at Crandall Independent School District in Texas. “But you also have to realize that something will happen, and there are things you can do now to be prepared.”

Banks says Crandall revised its own incident response plan last spring in the wake of several security breaches in nearby districts. He and his colleague Amber Teamann, director of technology and innovation, started the process by hiring a consultant to conduct a comprehensive security assessment.

Click the banner to explore incident response resources from the experts at CDW.

“Crandall is a very fast-growing district, and that growth impacts our systems,” says Teamann. “That audit helped us understand what we have, and where and what attackers might see as low-hanging fruit.”

With their immediate needs identified, Teamann and Banks secured buy-in from district leadership, including the school board and superintendent. They also approached vendors about long-term partnerships that might ease the cost of ownership of security products and services.

Teamann gained assurance that the vendor would be there when the going got tough. “We didn’t want them to just see Crandall as just another number in a time of crisis; we needed them to think, ‘It’s Amber, she needs us,’” she says.

Protect, Detect, React: “Whatever It Takes”

The tools that Crandall eventually deployed reflect industry best practices, from a Barracuda email-filtering solution to deter phishing attacks to SentinelOne endpoint security and automated incident-detection products.

According to Sander, this step is critical. “Leveraging technology enables a lightning-fast response to any cyberthreat at every step, including protection, detection, response and recovery,” he explains.

When Banks and Teamann updated the district’s incident response strategy, they also met with stakeholders across the district to ensure everyone knew their roles and responsibilities. They now regularly hold tabletop exercises and other activities designed to prepare the staff for a range of attack scenarios.

“We go over things like what to be cognizant of and what not to fall for when you get a suspicious email,” Banks explains. “We also address how to respond in the event of a breach. Just like the students have to do fire drills, we’ve got to do our cybersecurity drills.”

Crandall also has implemented Veeam backup solutions both locally and offsite, and the district has cyber liability insurance to help cover the cost of recovery in the event of a successful attack. As with the other components of their incident response plan, Banks and Teamann say they consider these investments an integral part of the business of protecting students.

“Our entire reason for being here in IT is to support our learners and support our campuses,” Teamann notes. “If there is something we can do to be proactive and prevent our district from going offline, to me it’s worth it — whatever it takes.

Keep this page bookmarked to keep up with all of EdTech's Cybersecurity Awareness Month coverage, including featured articles on incident response plans.

Santi Nuñez/Stocksy

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT