Make a Solid Disaster Recovery Plan for K–12 Data
All K–12 districts should have a solid plan in place for their data backups, but not all of them do. A district’s IT team may feel safe knowing their data is being backed up, but they may not know how quickly it can be recovered if it’s lost.
Among the best practices that backup and recovery provider Unitrends recommends for K–12 districts is a disaster recovery plan that includes annual plan reviews, walk-through drills and routine tests.
“Routine testing helps you spot issues before they become major problems. It can reveal outdated contact lists, misconfigured backup settings, hardware limitations or unclear communication protocols. These are exactly the kinds of surprises you don’t want in the middle of a real crisis,” states the company’s report.
Identify Vital Data to Back Up
A complicating factor for district IT departments is knowing what data to recover. When there’s a need to restore data after a cyberattack, IT professionals can become overwhelmed with terabytes of backups to choose from, with incremental backups showing multiple versions of files that are constantly changing.
Instead of restoring only the crucial files needed to get the district up and running again, admins do a bulk restore, delaying the district’s return to operation by hours or even days.
This is why, while planning for disaster recovery, K–12 IT managers should single out the files and applications that need to be restored quickly for the organization to function again, and then make a plan to restore the rest of the data in the background.
Follow the 3-2-1 Rule (or a Variation) to Secure Backups
Seagate and other backup vendors recommend the 3-2-1 rule to ensure organizations can recover data.
- There should be at least three copies of the data: the original and at least two copies.
- The backups should be on two different forms of media.
- At least one copy should be stored offsite.
In today’s environments, 3-2-1 is used as a baseline.
Commvault lists variations of the rule, like 4-3-2: four copies of the data are maintained in three locations, with two being offsite (for example, using two different cloud vendors for offsite backups).
A 3-2-1-0 backup emphasizes the need for zero-error backups. The 3-2-1-1 rule ensures that one copy of the backup is offline or isolated from networks that cyberattackers can reach.
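As an added illustration (not from Seagate, Commvault or the original article), the following Python example checks one data set's copy inventory against 3-2-1 and the variants described above. The `Copy` fields and the inventory names are hypothetical; it assumes "zero-error" means every backup copy's last test restore reported zero errors, and that 4-3-2 requires two distinct offsite locations.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Copy:
    name: str
    media: str                 # "disk", "tape", "object-storage", ...
    location: str              # site or provider holding the copy
    offsite: bool
    original: bool = False     # the production data itself
    isolated: bool = False     # offline or unreachable from production networks
    verify_errors: Optional[int] = None  # errors in last test restore; None = never tested

def evaluate(copies):
    """Check one data set's copies against 3-2-1 and the variants above."""
    backups = [c for c in copies if not c.original]
    media = {c.media for c in copies}
    locations = {c.location for c in copies}
    offsite_locations = {c.location for c in copies if c.offsite}
    base = len(copies) >= 3 and len(media) >= 2 and len(offsite_locations) >= 1
    return {
        "3-2-1": base,
        # One backup must be offline or isolated; the original never counts.
        "3-2-1-1": base and any(c.isolated for c in backups),
        # Every backup needs a test restore with zero errors; untested fails.
        "3-2-1-0": base and bool(backups)
                   and all(c.verify_errors == 0 for c in backups),
        "4-3-2": len(copies) >= 4 and len(locations) >= 3
                 and len(offsite_locations) >= 2,
    }

# Constructed inventory for a student information system (names are made up).
SIS = [
    Copy("sis-prod", "disk", "district-dc", offsite=False, original=True),
    Copy("sis-nas", "disk", "district-dc", offsite=False, verify_errors=0),
    Copy("sis-cloud", "object-storage", "cloud-a", offsite=True, verify_errors=0),
]
# Same set plus an offline tape at a second site that was never test-restored.
SIS_WITH_TAPE = SIS + [
    Copy("sis-tape", "tape", "vault-site", offsite=True, isolated=True),
]

if __name__ == "__main__":
    for label, inventory in (("current", SIS), ("with tape", SIS_WITH_TAPE)):
        print(label, evaluate(inventory))
```

In the constructed data, adding the offline tape satisfies 3-2-1-1 and 4-3-2 but breaks 3-2-1-0 until that tape has passed a test restore.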
Rely on Cloud Providers and Backup as a Service
In its 2023 K–12 Digital Infrastructure Brief, the Cybersecurity and Infrastructure Security Agency strongly recommended that districts move on-premises services to off-premises vendors. “Such systems require time to patch, to monitor and to respond to potential security events. Few K–12 organizations have the resources and expertise to keep them secure,” the brief notes.
While using cloud services is no guarantee of security in these cases, cloud providers can patch, monitor and maintain systems more efficiently than school IT organizations. Because of this, migrating to the cloud is a decision that can give K–12 schools more security and cyber resilience. In fact, the CoSN report found that cybersecurity is the most common function farmed out to off-premises vendors.
Managing backups is a service that might be better handled by a vendor than by school IT staff. Organizations that have a large quantity of data to store, or not enough people to manage their backups, may want to consider a Backup as a Service vendor such as Microsoft Azure, Google Cloud or Commvault.
BaaS vendors can manage every aspect of a school’s backups, including backup hardware and software, maintenance and execution, and data restoration if needed. Whatever the services provided, working with these vendors can take this vital responsibility off the plate of already overburdened IT staff.