Assemble Your Team and Assess the Damage Following the Attack
Gosch assumed her role at Judson ISD in May 2021. Six weeks later, she got a call that every IT professional dreads: There had been a ransomware attack.
The first action Gosch and her team took was to notify the proper authorities, including local law enforcement, the FBI and the Southwest Texas Fusion Center in San Antonio. They then sent out communications to staff to prepare them for what was ahead and instruct them about what to do next. Then they got to work unplugging devices across the district.
“One of the huge things that was a benefit to us was our relationship with our vendors,” Gosch said. “We could not have done this without the vendors. We had vendors that came with workers to help walk through 40 sites and start unplugging things and collecting items.”
At this point, the team worked to uncover just what data had been compromised, what had been backed up and what could still be secured. Practicing an incident response plan before it’s needed pays off when a situation like this occurs, Gosch said.
“There's a lot of moving parts that go really, really fast,” she said. “Do tabletop exercises with your staff, so that they understand that when this happens, the circle of trust includes these people.”
During a cyberattack, communications need to be tightly monitored, which means staff members who might think they should be involved and informed might actually be left in the dark, for good reason.
“The less information that gets out of that room, the better off you are,” Gosch said. “The only information that needs to come out of that room is what people need to know on the other side of the room to help you get to the other end.”
Determine How to Protect the Stolen Data
In the days following the ransomware attack, Gosch, Fields and their team worked around the clock to assess the damage and determine where the attack originated, all the while communicating with the school board and administrators.
“Be prepared to talk to them and tell them what happened and your plan to move forward,” Gosch said. “You need to have that running around your head and what that looks like in terms of cost, because they are going to have to provide some immediate funds in order to begin your work.”
The team also contacted the cyberattackers to determine the types of files that were compromised and where the data came from. They found that most of the data was taken from hard drives, as the district hadn’t yet moved to the cloud. Luckily, the district’s backup strategy meant the impact was not as severe as it could have been.
“We had tape backups of everything,” Gosch said. “In fact, we ended up only losing one day of data.”
Still, the criminals, who Gosch said were connected to a large ransomware group that targeted educational institutions, wanted their ransom, and that group’s reputation worried the district and its vendors.
“First and foremost, what we do as educators is protect kids,” Gosch said. “We knew that they had kids’ information or they had employee information, and at that point, we didn't know how much. It took us over a year to mine the data, and 600,000 individuals were affected by the breach itself — in all 50 states and Puerto Rico.”
Because of this impact, the school board ultimately instructed the team to pay the ransom to prevent the release of the data.
Make Changes to Procedures Based on Lessons Learned
The district’s backup system ensured that the data loss was minimal, but since the attack, the district has switched to an immutable backup system, Fields said. They also updated their wireless network and improved port security across the district.
“We ended up taking a lot of that time to go back and look at our online policies,” he said. “We have no shared drives. Everything is pretty much cloud-based, other than the data that we need specifically onsite, which is monitored.”
The district’s cyber insurance policy requires multifactor authentication to access devices, Fields said, and they made choices to prioritize user preference as well as security.
“We actually use a hardware key rather than a software multifactor,” he said. “We have people who don’t want to use their phone. On top of that, a hacker can’t get ahold of something virtual, they have to have it in their hand.”
A cybersecurity attack is a high-stress situation that can take a toll on employee mental health.
“Make sure that you have contacts and information for mental health people for your team, because it really takes a toll, especially when you're working in a locked room,” Fields said. “It’s really hard when you're working in a room 14 hours a day trying to undo something that somebody did to make sure you couldn't undo it.”
Ultimately, Gosch said, it’s important for IT leaders to recognize the roles they play in these scenarios and take responsibility for their teams both before and during an attack.
“Make sure that whoever it is that you're reporting to understands that you carry the weight of responsibility,” she said. “If somebody's system is compromised, it’s on you. Make sure that you communicate to your team, ‘This is going to happen to us. My goal here is to make sure it doesn't happen to us like it happened somewhere else because I’ve heard what it costs.’”
This story is part of our ISTELive 25 coverage.