Apr 03 2025
Security

CoSN2025: Incident Response Strategies Save K–12 Schools From Headaches

Is your school prepared to respond in the event of a cyberattack?

One of the strongest arguments for improved cybersecurity protections in an organization is “it’s not if, it’s when,” meaning that the digital ecosystem will inevitably come under attack at some point.

Eric Muckensturm, IT strategy manager for cybersecurity at the Learning Technology Center in Illinois, said that’s not strong enough.

“As I’m speaking these words, every single one of you is under attack. I challenge you to go back to your organization and look at your firewall logs. You’re getting hit right now,” he said Tuesday to conferencegoers at CoSN 2025 in Seattle.

How K–12 IT leaders prepare for and respond to these attacks becomes even more important to protecting the school’s network, data and users.


The Importance of Audits and Inventory

While there are many steps K–12 IT administrators can take to mitigate cyberattacks, an often-overlooked element is inventory and documentation.

The K–12 environment is dynamic and demanding, said Duane Shaffer, director of technology service at the Learning Technology Center. “Emergencies are a huge part of technology documentation. That way, you know what you have, where it is and how to access it,” Muckensturm added.

Nathan Miller, chief technology and information security officer for the Georgia Department of Education, echoed the importance of documentation in a later CoSN 2025 session Tuesday.

“If you’ve implemented any cybersecurity framework, you know there’s a heavy emphasis on inventory,” he said. “Inventory is probably the least sexy, most mundane and irritating pieces, but it’s really important to know not just which products were affected but how those products were interconnected.”


And when it comes to inventory, you will never be done, Muckensturm said. “When you have new equipment come in or you take equipment out, documentation has to constantly be updated.”

“Remember to do that after your E-Rate projects,” Shaffer advised. People spend all their E-Rate money, and they forget to map out areas with new wiring or equipment, he said.

When Agua Fria Union High School District experienced an attack, Director of Technology Brandon Gabel had only been in his role for about five months and hadn’t yet had the opportunity to do a full inventory. He and his team had recently trained on their cyber incident response plan, however.

Create and Practice a Cyber Incident Response Plan

Because everyone played their parts according to Agua Fria UHSD’s cyber incident response plan — and because the district’s endpoint detection and response technology stopped a lot of the criminal activity — all critical infrastructure was restored by 11:45 p.m., Gabel told CoSN 2025 attendees Wednesday.

Muckensturm also stressed the importance of practicing incident response plans. Moreover, he said, use AI to prompt cybersecurity tabletop simulations. “It does need to be written down for you, because when you’re panicked, you forget a lot of stuff,” he said. “You want to make sure you have something tangible that you can look at.”

In addition to having a practiced plan in place, Gabel’s district was protected by technologies that the Arizona Department of Homeland Security provided, including CrowdStrike, Cisco Duo, Tanium and Infosec IQ solutions.


In case your systems aren’t back online in a day, Amy McLaughlin, project director for CoSN’s Cybersecurity and Network and Systems Design Initiatives, advised schools to consider what they can do with a pencil. “We used to do things without technology, so how do we shift our approach in a cyber incident to deliver a service without the technology?”

She also stressed the importance of a communication plan. “When something happens and there is radio silence from the district, that is also bad, because people will make stuff up on your behalf, and they never make up good stuff.”

Schools that are worried about being liable can put out a benign statement such as, “We are aware a service we use has experienced an attack, and we are assessing our systems.” The key to remember is that doing nothing not only allows rumors to start but also damages trust, McLaughlin said.


The Financial Aspects of Cyber Incidents and Responses

Agua Fria UHSD determined that no data was exfiltrated in its attack last January, and the incident only cost the district $20,000. Gabel was surprised. “I usually hear that it costs at least $100,000,” he said. Ultimately, a lack of data exfiltration, the processes the district had in place and, most important, Gabel’s ability to “take ownership of the network” kept costs low for the district. “They didn’t have to bring in project management and all of the extra people because we already had it underway,” he said.

As much as it’s beneficial to be proactive, in the wake of an incident, look at any additional protections you should put in place and remember that “this is your opportunity to ask for money. It’s your opportunity to make the case,” McLaughlin said.

In the aftermath of Agua Fria UHSD’s cyberattack? Another attack.

A month ago, the district experienced another attempted ransomware attack. However, the hackers couldn’t access any of the systems because of Duo’s multifactor authentication. They gave up after 15 minutes.

“I love when my enemies quit,” Gabel said.
