After an incident, Brackett writes an incident report for district leaders and an after-action report to find lessons learned.
A few years ago, the district successfully thwarted a spear-phishing attempt when hackers impersonating an administrator targeted a new staff member in the business office. They sent her an email saying she needed to pay a bill right away.
She responded to the hackers. Then she reached out to an employee in the administrator’s office and said the funding request wasn’t going through proper channels. That employee flagged that it was a fake request.
The team members collaborated to verify the legitimacy of the request, ultimately determining it was a phishing attempt. The district’s IT administrators confirmed no financial loss occurred and used the incident to strengthen cybersecurity protocols.
In the after-action review, the employees involved reflected on their disagreement over the legitimacy of the request. Brackett praised their willingness to question and verify the situation, as this ultimately prevented the threat from succeeding.
“The after-action review is your learning experience,” Brackett says. “We can document what worked, what didn’t work and what we can do better if this happens again.”
Improve Incident Response With Backup Solutions and Tabletop Drills
In New Jersey, a May 2024 ransomware attack prompted the Township of Union Public Schools to strengthen its cybersecurity posture, including making improvements to incident response and disaster recovery planning.
When the 10-school district suffered a network disruption after the attack, it took systems offline while its IT department, aided by external cybersecurity experts, assessed the intrusion, secured the network and restored operations using data backups.
While the district had viable backups, the antiquated backup server itself was impacted, requiring the IT staff to rebuild the backup server to restore operations, says John Sousa, the district’s new chief information & technology officer, who was not part of the district during the cyberattack.
Sousa, who joined the district last November, is developing a high-level incident response plan. He is focused on having the right people, processes and technology in place to tackle any cyber incident.
He recently upgraded data backup and recovery with a new Cohesity solution that backs up data on-premises with a second, air-gapped backup copy in the cloud.
“The biggest thing is the business continuity part of incident response,” Sousa says. “Making sure we can bring ourselves online anywhere at any time is important, and that’s what we have now.”
The district also has a third-party incident response team that’s available 24/7. Next school year, he hopes to get budget for tabletop exercises, so he can practice incident response with key stakeholders. The exercises will allow Sousa to observe team dynamics and fine-tune his plan.
“The next year is about firming up people and processes,” he says. “In the meantime, having an air-gapped backup gives us some comfort and a little peace of mind.”