“IT leaders don't have the time to dedicate to it because there's always another emergency that comes up,” agrees Andy Boell, the cybersecurity director for the Nebraska Cybersecurity Network for Education, which works with 190 school districts in Nebraska to increase cyber resilience and reduce cyber risk. He also believes there is another reason more schools don’t have an IR plan: “The schools simply don't have the local expertise to create one.”
What Is an Incident Response Plan?
Between 2018 and 2023, schools and colleges globally faced 561 ransomware attacks, according to Comparitech. This suggests that, inevitably, districts will experience incidents that impact their school computer systems.
Such incidents can include power outages, cut cables, lost laptops or a teacher who unwittingly installs malicious software, Boell says. He notes that sometimes, something as simple as a misconfigured firewall — rather than an actual cyberattack or other emergency — could be to blame for an outage.
RELATED: What happens when the school network goes down?
An effective incident response plan can help school leaders map out next steps. In most cases, the first thing to do is figure out who to contact during or after an incident, so the plan should include those phone numbers and email addresses. The first point of contact should be a school district’s educational service unit, which can help determine who the district should contact next. The list should also include the state department of education, the district’s internet service provider, its insurance provider and law enforcement agencies such as the FBI, Boell says.
“We always encourage our districts to go ahead and call their local police department or local FBI office to introduce themselves before a cybersecurity incident occurs, so they know who these people are,” he says.