Jun 03 2024

How Cyber Resilience Gives Schools an Edge in Post-Attack Recovery

Schools prepare for inevitable cyberattacks with proactive mitigation efforts.

For the past few years, K–12 schools have been in the crosshairs of cyberattackers and ransomware gangs. According to Emsisoft’s 2023 ransomware report, the number of school districts affected by ransomware attacks more than doubled, from 45 in 2022 to 108 in 2023. The report notes that “the impacted districts had a total of 1,899 schools between them, and at least 77 of the 108 had data stolen.”

Schools are attractive targets for bad actors because they are rich in valuable personal data and often lack the ability to protect and defend it. When schools are attacked, operations can come to a standstill, and classroom learning is often disrupted. With the ongoing risk of ransomware attacks and schools being locked out of their data, K–12 security efforts have shifted their focus to cyber resilience and cyber recovery.

What Is Cyber Resilience?

The National Institute of Standards and Technology defines cyber resilience as “the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”

What does that mean for schools? “This means you’re able to respond to problems, shut down an attack and recover from it,” explains Amy McLaughlin, project director for CoSN’s Cybersecurity and Network and Systems Design initiatives. “You’re able to identify attack behavior, terminate it and get the data back. Then, you’re able to lock down the threat right away.”

What Technologies Help Schools to Be Resilient and Recover?

To support cyber resiliency, experts suggest that schools align with a cybersecurity framework such as NIST’s CSF 2.0, which provides guidance on managing cybersecurity risk. Efforts to support resilience don’t typically require large expenditures and are within every school’s reach. They include implementing multifactor authentication, removing administrative privileges from everyday user accounts and requiring passwords of at least eight characters.

“We are seeing a lot of bad actors dispersing their activity across entire geographic areas,” says Don Wolff, CTO for Portland Public Schools. “The bear-in-the-woods theory applies here. Schools that do at least the bare minimum of preventive measures for resilience will be passed over — the bear won’t bother with them because it’s looking for easy pickings. It’s a harsh truth: If you’re more difficult to hack than the next district over, you won’t be the one that gets targeted.”

An additional consideration is how best to maintain learning continuity. Cyberattacks can greatly impact a school’s primary mission of classroom learning. Schools need a plan for carrying on learning if they lose systems and data.

“One risk we have is that people become reliant on certain tools for day-to-day learning functions,” says McLaughlin. “What is your alternative? What can you shift to? You need to be prepared for losing the internet or other online systems. Be prepared to pivot to traditional classroom learning delivery.”

What Is Cyber Recovery? How Is it Different from Disaster Recovery?

Cyber recovery is similar to disaster recovery, which also focuses on restoring access and functionality to critical IT systems as quickly as possible. But with cyber recovery, it is a cyberattack — not a natural disaster or one caused by humans — that defines the recovery efforts.

Cyber recovery involves a comprehensive and proactive plan that operates from the presumption that a successful cyberattack is inevitable. Cyber recovery also focuses on preparation and remediation efforts that include incident response, continuous monitoring, security controls, accelerated response to threats, and orderly restoration of data and systems.

“I see this as two-tiered: cyber recovery and cyber restore,” explains Wolff. “Recovery is the level of operations I can restore for basic functioning in the district, meaning people can log in to systems. Restore means everything is back, and you wouldn’t notice that something has happened — no breach, no data loss.”

Data remediation efforts must include a process for backing up systems. “With recovery, you should have your backup capacity outside of the day-to-day network,” says McLaughlin. “If it’s in there, it can be compromised in an attack. You need to airgap your backups, or separate them from the main network.”

Wolff adds, “With recovery, you need to know what the high-priority systems are. You can’t do them all at once. Do them in shifts, in the right order, efficiently. If you don’t do that, you will be making poor decisions in the heat of the moment.”
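The restoration sequencing Wolff describes can be worked out before an incident rather than in the heat of the moment. The following Python planner is an added example, not code from the article or from either district quoted: it takes a constructed inventory of school systems (the names, priority tiers and dependencies are assumptions), checks the plan for mistakes such as a circular dependency or a high-priority system that depends on a low-priority one, and produces both a single restore order and parallel "shifts" in which every system's dependencies were restored in an earlier shift.

```python
"""Dependency-aware restoration sequencing for a cyber recovery plan.

Constructed example for a hypothetical district. Tier 1 = restore first.
"""
import heapq

# Hypothetical inventory (assumption, not from the article): each system lists
# its priority tier and the systems that must be running before it is restored.
INVENTORY = {
    "identity":       {"tier": 1, "depends_on": []},
    "dns_dhcp":       {"tier": 1, "depends_on": []},
    "email":          {"tier": 2, "depends_on": ["identity", "dns_dhcp"]},
    "student_info":   {"tier": 2, "depends_on": ["identity", "dns_dhcp"]},
    "lms":            {"tier": 3, "depends_on": ["identity", "student_info"]},
    "print_services": {"tier": 4, "depends_on": ["identity", "dns_dhcp"]},
}


def validate(inventory):
    """Return plan problems found before an incident: unknown dependencies and
    'tier inversions', where an urgent system depends on a less urgent one."""
    problems = []
    for name, spec in inventory.items():
        for dep in spec["depends_on"]:
            if dep not in inventory:
                problems.append(f"{name}: depends on unknown system '{dep}'")
            elif inventory[dep]["tier"] > spec["tier"]:
                problems.append(
                    f"{name} (tier {spec['tier']}) depends on {dep} "
                    f"(tier {inventory[dep]['tier']}): dependency must be at least as urgent"
                )
    return problems


def restore_order(inventory):
    """Single restore sequence: Kahn's topological sort, always picking the
    lowest (tier, name) among systems whose dependencies are already restored.
    Raises ValueError on a circular or unknown dependency."""
    indegree = {name: 0 for name in inventory}
    dependents = {name: [] for name in inventory}
    for name, spec in inventory.items():
        for dep in spec["depends_on"]:
            if dep not in inventory:
                raise ValueError(f"{name}: unknown dependency '{dep}'")
            indegree[name] += 1
            dependents[dep].append(name)

    ready = [(inventory[n]["tier"], n) for n, d in indegree.items() if d == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (inventory[child]["tier"], child))

    if len(order) != len(inventory):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"circular dependency among: {', '.join(stuck)}")
    return order


def restore_waves(inventory):
    """Group systems into shifts that can be restored in parallel: a system's
    wave is one more than the deepest wave among its dependencies."""
    order = restore_order(inventory)  # also rejects cycles and unknown deps
    wave_of = {}
    for name in order:  # dependencies always precede their dependents here
        deps = inventory[name]["depends_on"]
        wave_of[name] = 0 if not deps else 1 + max(wave_of[d] for d in deps)
    waves = [[] for _ in range(max(wave_of.values()) + 1)]
    for name, wave in wave_of.items():
        waves[wave].append(name)
    for wave in waves:
        wave.sort(key=lambda n: (inventory[n]["tier"], n))
    return waves


if __name__ == "__main__":
    for problem in validate(INVENTORY):
        print("PLAN PROBLEM:", problem)
    print("restore order:", " -> ".join(restore_order(INVENTORY)))
    for i, wave in enumerate(restore_waves(INVENTORY), start=1):
        print(f"shift {i}: {', '.join(wave)}")
```

Running the planner as part of the quarterly tabletop exercise keeps the priority list honest: a new dependency that would stall the first shift, or a tier assigned without regard to what the system needs, shows up as a reported problem or a changed order long before anyone has to restore from backups.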

Why Schools Must Focus on Insider Threats

Phishing attacks are a common entry point for ransomware. Because a successful phish gives the attacker an authorized user account to operate from, this kind of insider threat requires mitigation much like any other threat. However, insider threats do not typically get the attention they deserve.

“One of our biggest challenges is internal people not knowing enough about threats and security,” says Wolff. “Phishing continues to be a big problem. It only takes one person to unlock the door in a district or school. There is an ongoing problem with educating staff about security. In K–12, there’s just not enough time for a good focus on this.”

Tom Ashley, a K–12 education strategist at CDW, agrees. “There is often not enough support from top leadership and the school board, not enough budget for security and not enough awareness of how to best secure schools,” he says. “Security needs to be systemic in its reach, where everyone in the organization participates and is part of the solution.”

For overstretched IT teams that don’t have the means to handle everything, risk management becomes an important consideration.

“Risk management deserves more attention,” says Wolff. “You can’t protect every resource, so protect those with the biggest risks, then put your resources there. Risk evaluation is a valuable security skill.”

Have an Incident Response Plan for the Inevitable

Preparation is the key for any successful response to a cyberattack. This can include preventive mitigation efforts to lessen the opportunity and impact of an attack. It also requires having a clear response plan in place for when an attack is successful.

“Make sure there is an incident response plan that’s up to date, and have both a physical and digital copy,” shares Wolff. “The plan should list insurance agency contacts, partner contacts, who’s going to be the communications point person and who’s going to do the tech work. Most important, have you held exercises on it? Without practice, it is useless. You need your staff to be experienced with it.”

McLaughlin adds, “Schedule tabletop exercises and practice sessions. Do them quarterly or every two months. Include other people in the district beyond the IT team. Have an incident response plan ready to go. It’s no different than a fire evacuation plan; it’s the same level of criticality.”
