Jun 17 2025
Security

Incident Response Helps Schools Quickly Recover from Cyberattacks

School districts are creating incident response plans, practicing them and writing after-action reports to discuss lessons learned.
by

Wylie Wong is a freelance journalist who specializes in business, technology and sports. He is a regular contributor to the CDW family of technology magazines.

After realizing that network access problems were caused by a cyberattack, the IT department at Agua Fria Union High School District immediately shut down the network and launched its incident response plan.

Early that January 2024 morning, IT Director Brandon Gabel called the Arizona district’s third-party network and security consulting firm, and together they worked to assess the damage, eliminate the threat and restore services.

“We just ran with it,” Gabel says. “We dug through the logs to figure out how they got in. We made sure there were no additional networking issues. We verified the integrity of our backups, and we got all critical services restored within 24 hours.”

An incident response plan provides a framework for districts to respond to cybersecurity incidents, mitigate their impact and recover as quickly as possible, all while communicating with stakeholders. When a cyberattack hit, Gabel’s plan worked as designed.

The district discovered that hackers obtained a service account’s credentials and infected a cluster of virtualized servers with ransomware. The IT staff kept district leaders informed. When the tech teams got operations up and running and determined no data was exfiltrated, district leaders notified staff and parents with details.

Click the banner below to learn more about physical security and cybersecurity in K–12 education.

k12-q125-safety-cta2-desktop k12-q125-safety-cta2-mobile

 

What’s in an Incident Response Plan?

While many districts proactively deploy cybersecurity measures and technology to detect threats and prevent breaches, no IT infrastructure is completely impenetrable. Schools must plan for the inevitable and develop incident response plans to execute when successful cyberattacks take place, district IT leaders say.

A plan includes having an incident command structure: identifying who leads the response, who handles communications, who has authority to turn off IT systems and establishing the criteria for when to escalate issues to district leadership, says Amy McLaughlin, project director for CoSN’s cybersecurity and network and systems design initiatives.

McLaughlin recommends that districts develop high-level plans. “You don’t know what the incidents are going to be. Sometimes, people try to plan for every possible scenario, and then it becomes overwhelming,” she says.

Other important elements include updated contact information, including after-hours emergency numbers, for IT staff, key district leaders, vendors and ISPs, she says. Districts should also maintain readily accessible technical documentation, such as network architecture maps and a detailed inventory of servers and applications.

“You want to have it all in one place, so it’s at your fingertips,” McLaughlin says.

After recovering from an incident, districts should also perform after-action reports to identify lessons learned and make improvements, she says.

READ MORE: Inventory is a key element of incident response planning.

Arizona School District Activates Response Plan After Attack

When Gabel was promoted to network operations manager, the Agua Fria lacked an incident response plan, so he drew one up: a one-page flowchart that outlines staff roles and responsibilities and the process for identifying, containing and eradicating threats to restore operations.

In September 2023, he presented the strategy to the superintendent and the executive cabinet, got their buy-in and then explained the plan to his IT staff.

“It’s imperative that you have a blueprint for what’s going to happen, if not for yourself, then for your team and stakeholders, so that everyone knows what part they will play,” he says.

There is no one-size-fits-all plan. It can be as detailed as a district needs it to be, says Gabel, now IT director. In Agua Fria’s case, Gabel created a simple chart that matched his team’s technical knowledge.

“We are a cohesive team,” he says. “We’ve built trust with each other, where we know our capabilities and we know who’s going to do what, so when an event happens, our team is ready.”

Agua Fria’s plan was put to the test when ransomware infected the district’s virtualized environment. Gabel served as incident commander, managing the process.

At 6 a.m., the IT team didn’t know ransomware was the cause. The server cluster, which runs about 40 virtual machines, was nonresponsive, so the team rebooted it, but it was still not working. Meanwhile, the district’s CrowdStrike security software sent alerts that it repeatedly blocked a service account from accessing other servers over VPN. That’s when the staff and the consulting firm realized the district was hacked.

They immediately shut down the network and VPN and alerted the Department of Homeland Security, the FBI and the district’s insurance provider. Then the IT staff and consulting team collaborated on two tasks: investigating how the hackers got in and determining the scope of impact. Meanwhile, a recovery team sanitized affected servers, verified the integrity of data backups and restored services.

Brandon Gabel
It’s imperative that you have a blueprint for what’s going to happen, if not for yourself, then for your team and stakeholders, so that everyone knows what part they will play.”

Brandon Gabel IT Director, Agua Fria Union High School District

As outlined by the incident response plan, Lauren Owens, executive director of technology, kept district leaders informed while shielding the IT staff from interruptions.

By 11:30 p.m., they had critical systems back up and running. The recovery team restored the virtual environment using air-gapped cold backups. They also changed everyone’s passwords across the district’s six high schools and headquarters.

Since the attack, Gabel has beefed up cybersecurity by replacing an outdated firewall with a new Palo Alto Networks next-generation firewall and upgrading to a Commvault solution that backs up data on-premises and in the cloud.

The district’s consulting firm said that this type of attack could cost up to $100,000, but Agua Fria limited damages to $20,000, primarily because the district’s IT staff were hands-on and because no data was stolen, Gabel says.

Gabel’s advice to other districts on developing and using an incident response plan: “Trust the process, because we put the process in place for a reason,” he says.

Practicing Plans and Writing After-Action Reports Is Key to Recovery

In Illinois, Oak Park Elementary School District 97 has prepared itself for cybersecurity incidents by creating an incident response plan and continuing to practice it.

The 10-school district has not yet suffered a cyber intrusion. But instead of waiting for a major breach, IT Services Director Will Brackett uses small incidents, such as email phishing attempts, to practice response procedures.

“Some people may say, ‘I don’t want to do an incident response unless it reaches a certain level,’ but how do you know you’re going to do well if you don’t practice it?” he says.

Brackett’s plan defines people’s roles and duties and serves as a general blueprint for responding to cybersecurity incidents. He works with the IT staff to diagnose and resolve incidents, while the CTO shields the IT staff from phone calls, emails and texts so they can focus.

When needed, the CTO also gathers resources by reaching out to vendors. The IT staff pulls in affected departments, while the communications team updates employees and parents with information, he says.

The first step, however, is to contact the district’s insurance company because it may provide the district specific instructions, such as using a preferred third-party forensics expert, he says.

28%

The percentage of school districts that have handled cyber incidents with in-house incident response plans

Source: CoSN, 2025 State of EdTech District Leadership, May 2025

After an incident, Brackett writes an incident report for district leaders and an after-action report to find lessons learned.

A few years ago, the district thwarted a spear-phishing attempt when hackers impersonating the superintendent targeted a new accounts payable employee. They sent her an email saying she needed to pay a bill right away.

She responded to the hackers. Then, she reached out to the superintendent’s administrative assistant and reported that the funding request wasn’t going through the proper channels. The administrative assistant warned the employee that it was a fake request.

Brackett used the situation to practice incident response. IT administrators checked financial software to make sure the employee didn’t send money.

In the after-action report, both employees thought they had made mistakes while arguing about whether the request was real. But Brackett praised them because their hesitation stopped the threat.

“The after-action review is your learning experience,” Brackett says. “We can document what worked, what didn’t work and what we can do better if this happens again.”

Improve Incident Response With Backup Solutions and Tabletop Drills

In New Jersey, a May 2024 ransomware attack prompted the Township of Union Public Schools to strengthen its cybersecurity posture, including making improvements to incident response and disaster recovery planning.

When the 10-school district suffered a network disruption after the attack, the district took systems offline while the district’s IT department, aided by external cybersecurity experts, assessed the intrusion, secured the network and restored operations using data backups.

No data breach occurred. Still, while the district had good backups, the antiquated backup server itself was impacted, requiring the IT staff to rebuild it to restore operations, says John Sousa, the district’s new chief information and technology officer, who was not part of the district during the cyberattack.

Sousa, who joined the district last November, is developing a high-level incident response plan. He is focused on having the right people, processes and tools in place to tackle any cyber incident.

LEARN MORE: Securing endpoints gets easier for overwhelmed K–12 IT teams.

He recently upgraded data backup and recovery with a new Cohesity solution that backs up data on-premises with a second, air-gapped backup copy in the cloud.

“The biggest thing is the business continuity part of incident response,” Sousa says. “Making sure we can bring ourselves online anywhere at any time is important, and that’s what we have now.”

The district also has a third-party incident response team that’s available 24/7. Next school year, he hopes to get budget for tabletop exercises, so he can practice incident response with key stakeholders. The exercises will allow Sousa to observe team dynamics and fine-tune his plan.

“The next year is about firming up people and processes,” he says. “In the meantime, having an air-gapped backup gives us comfort and peace of mind.” 

3 Tips for Developing Incident Response Plans

Use existing templates or borrow plans from others. When creating a plan, you don’t have to start from scratch. Use templates available online or ask other districts for their plans and customize them.

Keep plans concise. It depends on how detailed districts want to get, but smaller districts can meet their needs with a plan that runs two or three pages. Some districts write long plans because they can double as training documents. In those cases, create an abbreviated version so the team can quickly reference it during an incident and see the plan’s main points.

Supplement with playbooks. Districts can create addendums to their plans by creating playbooks that provide more detailed procedures or instructions on how to respond to specific incidents.

Photography by Steve Craft

More On

Related Articles

Close

New AI Research From CDW

See how IT leaders are tackling AI opportunities and challenges.

Click Here to Read the Report