Oct 13 2022

Texas School Technology Leader Shares Ransomware Recovery Lessons

I was new to the job when my district fell victim to a ransomware attack. Here’s how we restored our systems in time for a new school year.

On June 17, 2021, I got the call that every IT person dreads. Matthew Fields, now my executive director of technology, called me at 5 a.m. He received the first notification at 1 a.m. that the email system was down. When he arrived at the office, he discovered the depth of the attack on the servers — and a ransom note on most devices.

I received this call only 30 days after I took on the role of assistant superintendent of technology for the Judson Independent School District in Live Oak, Texas.

CSAM TOC

Shifting Priorities to Manage a Ransomware Attack

My previous 12 years in corporate and educational leadership taught me that you need six to 12 months to build a trusting relationship with your team.

A month into the role, I had only just started breaking down silos, improving cross-team communication and moving toward working together as a unified department.

However, the district’s network, computer applications, servers, communication and email systems were all affected by the attack, and on at least one of our campuses, school was starting in a few weeks. My focus shifted quickly to triage. Fortunately, we had the right team members at the table to move the district forward.

Click the banner to explore incident response resources from the experts at CDW.

Building Team Spirit on the Fly During an Incident Response

Regardless of whether I was there for 30 days or 100 days, I believed it was my responsibility to protect our schools from this. It was also my responsibility to build a team to work through this crisis.

Our incident response team had its first meeting over coffee the morning we discovered the attack.

Over the next few days, I pulled the rest of the team into the cleanup efforts. The technology department of 47 people included staff from data services, cybersecurity, instructional technology, library services and more. We unplugged thousands of devices across more than 30 sites.

RELATED: Women in IT leadership share their code for success.

I think one of the best things we did as a team was rally together to fix the problem. We had to move past departmental lines and begin to function together, and this effort required a lot of communication.

As we dived into cleanup, I wasn’t doing what would be considered administrative tasks. Sometimes, I was right there with my team, walking the campuses.

Emotional Care and Ransomware Recovery

When it comes to disaster planning, we often think about having playbooks, getting our systems back up and getting the word out. All of those things are important, but we often don’t think about the emotional fallout.

When you have a team of employees invested in the work that they do, an attack does have an emotional impact on them. Planning for staff care is just as important as planning for the technological recovery from the attack.

We came up with ways to find joy in what was going on, because at times things were bleak and depressing. We had to look for the positive, and we had to ask, “What’s the one good thing that we got out of today?” We had a lot of conversations like that.

RELATED: Learn from CDW experts how to avoid becoming the bait of a phishing email.

Getting things back up and running on that first campus created some momentum and gave us hope. We created a system that mirrored very closely how a normal school year would start, and we replicated that for the rest of our campuses so that all 26,000 students could continue to get the great education they deserve.

Keep this page bookmarked to keep up with all of EdTech's Cybersecurity Awareness Month coverage, including featured articles on incident response plans.

Simone Wave/Stocksy

aaa 1

Register