Jun 04 2024

Why Schools Need an Incident Response Recovery Plan Today

Without a detailed roadmap of how to respond and who to contact, schools will find it difficult to survive a cyberattack.

Incident response plans provide a critical blueprint for how schools can withstand a cybersecurity attack or natural disaster and maintain cyber resilience. However, a 2023 CoSN survey revealed that only 41 percent of K–12 schools had implemented an IR plan. 

For many technology leaders, time can be a hindrance in forming a plan, explains Neal Richardson, technology director for the Hillsboro-Deering School District, in New Hampshire.

“The typical operations of school, day in and day out, don’t leave a whole lot of time to actually sit down and focus on developing that response plan,” says Richardson, who oversees cybersecurity and IT for the district’s five buildings, which include four schools and an alternative learning program.


“IT leaders don't have the time to dedicate to it because there's always another emergency that comes up,” agrees Andy Boell, the cybersecurity director for the Nebraska Cybersecurity Network for Education, which works with 190 school districts in Nebraska to increase cyber resilience and reduce cyber risk. He also believes there is another reason more schools don’t have an IR plan: “The schools simply don't have the local expertise to create one.”  

What Is an Incident Response Plan? 

Between 2018 and 2023, schools and colleges globally faced 561 ransomware attacks, according to Comparitech. This suggests that, inevitably, districts will experience incidents that impact their school computer systems.  

Such incidents can include power outages, cut cables, lost laptops or a teacher who unwittingly installs malicious software, Boell says. He notes that sometimes, something as simple as a misconfigured firewall — rather than an actual cyberattack or other emergency — could be to blame for an outage.  

An effective incident response plan can help school leaders map out next steps. In most cases, the first thing to do is figure out who to contact during or after an incident, so the plan should include those phone numbers and email addresses. The first point of contact should be a school district’s educational service unit, which can help determine who the district should contact next. The list should also include the state department of education, the district’s internet service provider, its insurance provider and law enforcement agencies such as the FBI, Boell says.  

“We always encourage our districts to go ahead and call their local police department or local FBI office to introduce themselves before a cybersecurity incident occurs, so they know who these people are,” he says.


Incident Response Plans Should Also Include Steps for Restoration

The IR plan should also include a remediation pathway for getting the district’s network back up and running. The plan should incorporate a list of assets and a system map that shows how systems are connected to each other, including the library services, special education, food services, school bus routing and student information systems, Richardson advises.

Then, the IR plan should outline how to restore these services and rebuild the technology infrastructure after an incident. It should also describe what services must be in place before restoring from backups, Richardson says.

Although a school district’s IT staff may have an idea of what incident response should entail, IR plans are often not documented, Boell explains.

“Being able to put it down on paper helps to streamline that process and make sure that the split-second decisions being made are in the best interest of the district,” he says.

How an IR Plan Supports Learning Continuity in K–12

Although students might be able to return to Hillsboro-Deering Schools the day after a blizzard, that might not be possible after a cyberattack, Richardson says. According to Comparitech, ransomware attacks in the education sector over the past five years resulted in unwanted downtime that “varied from a couple of hours to 36 days.” In these cases, learning was not the only thing that was affected.

This is why Ginger Jackson, CTO of Cleveland County Schools in Shelby, N.C., says K–12 school districts must also plan for business continuity. She points to employee payroll as an example. During a cybersecurity incident, schools may need a contingency plan for cutting paper checks, she says.

Superintendents should then meet with other leaders of departments, such as food services, to map out a backup plan in the event that a cyber incident disrupts the power or heating system.

Get Outside Help in Building a K–12 IR Plan

Rather than carrying out an IR plan on their own, districts should look to service providers that offer hosted solutions to help them recover. When schools maintain a solid relationship with a vendor, they can replace equipment such as servers and laptops at scale, Richardson says.

Vendors can also help schools manage their IR process. When Los Angeles Unified School District shared its ransomware recovery story at CoSN earlier this year, district leaders mentioned how valuable it would have been for them to have an IR retainer to support them through the process.

Although schools likely won’t factor every situation into their IR plan, a solid checklist can help them maintain learning continuity.

“If you can get a couple of broad scenario checklists, you can apply them to the specific scenario as it develops,” Richardson says.

He adds that inventory management is another key aspect of maintaining cyber resilience in schools. Schools should consider how many extra devices they might need to distribute during an emergency.

The Hillsboro-Deering School District maintains a stockpile of Chromebooks in case students or staff lose access to their Windows devices during an incident, Richardson says.

To ensure Nebraska schools are well prepared, Boell says, the state is partnering with CDW to conduct an IR planning workshop this summer that will be open to every school district in the state.

Tabletop Exercises Support Cyber Resilience in K–12

While some may be reluctant to answer “what if” questions, tabletop exercises make it possible for all essential parties to practice their responses ahead of an actual cyber incident.

Because decisions during a cybersecurity incident may involve school board members or law enforcement, schools should include people beyond IT professionals in these tabletop exercises. For example, the PR team should be involved because they will manage the public response to an incident, Boell advises.

“Make sure you have administrators as well as your technical people in the room at the same time when you're going through these different exercises,” Boell says.

Tabletop exercises should also involve legal and HR teams as well as CFOs and chief academic or instructional officers, Jackson says. Cybersecurity insurance providers and facility managers should also participate, she adds. On the academic side, principals and perhaps even some students should participate to add their perspective, Jackson says.

In North Carolina, several entities have joined together to participate in tabletop exercises, including the North Carolina Department of Public Instruction, the Friday Institute for Educational Innovation, the federal Cybersecurity and Infrastructure Security Agency and the North Carolina Joint Cybersecurity Task Force.

“Practice improves performance,” Jackson reiterates. “You don't win athletic championships by never practicing, so I'm not sure how school systems could survive a cyber incident in a timely manner without an incident response plan or tabletop exercises behind them.”
