How to Create an Effective Incident Response Plan for Your School District

K–12 schools aren’t exempt from cyberattacks. How do they create effective incident response plans capable of both identifying threats and reducing their impact?

Doug Bonderud

Doug Bonderud is an award-winning writer capable of bridging the gap between complex and conversational across technology, innovation and the human condition.


2020 was a record-breaking year for K–12 cyber incidents, according to the State of K-12 Cybersecurity 2020 Year in Review. With more than 400 incidents reported across the country, ranging from student and staff data breaches to phishing, ransomware and distributed denial of service (DDoS) attacks, districts can’t afford to wait until an incident happens to them. An effective incident response (IR) plan is now essential to identify threats early and minimize their overall impact.

Here’s what districts need to know about creating, supporting and maintaining effective IR plans.

What Is an Incident Response Plan?

Thuan Nguyen, president and chief operating officer of Advancement Via Individual Determination, a nonprofit educational organization, offers a straightforward definition of incident response for schools: “At a high level, it’s a plan that, in normal times, lets teams come together and put pen to paper on all the different activities they need to do if an incident occurs.”


Why Is It Important in K–12 Districts?

School networks contain a lot of sensitive student data. Incident response plans are critical to help districts minimize the impact of potential system compromise or data breaches. Common concerns include:

What Components of Incident Response Plans Are Critical?

According to Simon Jelley of Veritas Technologies, several components are critical when building an incident response plan.

“The first thing every effective ransomware incident response plan should include is an outline of who needs to be involved and what their responsibilities are,” he says. “Next come the steps those individuals need to carry out.”

Those steps begin with detecting the attack and performing an initial analysis: defining its scope and determining whether it has concluded or is still ongoing. Next, schools must contain the attack’s impact, preserve and examine evidence of how the breach occurred, eradicate any malware and remediate the vulnerabilities that enabled the initial intrusion.

Finally, schools need to recover lost data from hardened backups (copies that an attacker who has reached the network cannot alter or delete) and meet any regulatory or contractual obligations, such as breach notification.

How Do Districts Keep Their Incident Response Plan Updated?

Nguyen puts it simply: “Practice.”

“When was the last time you practiced your incident response plan? In my experience, 99.9 percent of the time, the answer is never. You may do backups for months or years but don’t know if it’s successful until you need to use it,” he says.

He recommends regularly exercising IR plans so that they are already fine-tuned by the time they are really needed. Testing frequency will depend on turnover in the organization, but Nguyen recommends a practice run of the IR plan every time a key role changes hands.

What Resources Exist to Help Districts with Incident Response?

“Too many schools try to do this on their own,” says Nguyen. “The challenges are now so broad that you need the right type of support. Ransomware is very different from DDoS.”

Potential resources for district incident response development include:

Nguyen also recommends that smaller districts band together to identify common challenges and build best practices around incident response. Not only does this streamline the process of IR plan development and implementation, but it also gives districts the ability to negotiate at scale with technology and service providers.

What Solutions Do Districts Need to Succeed?

For incident response plans to succeed, districts need solutions that cover all aspects of a potential attack.

This starts with tools such as next-generation firewalls, which inspect traffic at the packet and application level and can block flows that match known-bad signatures or deviate from policy.

Intrusion detection systems are also critical. Nguyen notes that attackers now research districts and their personnel thoroughly enough that the time between initial contact and compromise is extremely short; an IDS can help surface these intrusions early enough to act on them.

“Research suggests that only 49 percent of organizations that pay up actually retrieve the data that was stolen or encrypted.”

Simon Jelley, General Manager and Vice President of Product, Veritas Technologies

Jelley points to the need for robust and reliable backups. “Research suggests that only 49 percent of organizations that pay up actually retrieve the data that was stolen or encrypted,” he says. “In every case, having a dependable data resiliency solution to help you back up and recover your data is much better than having to pay for a hacker to return it.”
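As an added example (not code from the article, from Veritas or from any district), the check below makes Nguyen’s and Jelley’s point concrete: a backup is only proven once a restore has been attempted and verified. It records a SHA-256 manifest at backup time and compares a restored tree against it, reporting files that are missing, corrupted or unexpected. The directory names, file names and contents are constructed sample data, and `sis` (a hypothetical student information system export) is an assumption, not something the article names.

```python
"""Verify that a restored backup matches the manifest taken at backup time.

Added example, not from the article or from any vendor. All paths and file
contents below are constructed sample data for a hypothetical SIS export.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every file under root (run at backup time)."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest and classify every file."""
    findings = {"ok": [], "missing": [], "corrupted": [], "unexpected": []}
    restored = build_manifest(restored_root)
    for rel, expected in manifest.items():
        actual = restored.get(rel)
        if actual is None:
            findings["missing"].append(rel)
        elif actual != expected:
            findings["corrupted"].append(rel)
        else:
            findings["ok"].append(rel)
    # Files present after restore that were never backed up deserve a look too.
    findings["unexpected"] = sorted(set(restored) - set(manifest))
    return findings


def restore_is_good(findings: dict) -> bool:
    """A restore passes only if nothing is missing and nothing is corrupted."""
    return not (findings["missing"] or findings["corrupted"])


def demo() -> dict:
    """Constructed scenario: back up three files, then simulate a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "sis")  # hypothetical student information system data
        src.mkdir()
        (src / "students.csv").write_text("id,name\n1,A. Student\n")
        (src / "grades.csv").write_text("id,grade\n1,B+\n")
        (src / "staff.csv").write_text("id,name\n7,T. Teacher\n")
        manifest_path = Path(tmp, "manifest.json")
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2))

        # Simulated restore: one file altered, one missing, one extra file injected.
        dst = Path(tmp, "restored")
        dst.mkdir()
        (dst / "students.csv").write_text("id,name\n1,A. Student\n")
        (dst / "grades.csv").write_text("id,grade\n1,A\n")  # content changed
        (dst / "ransom_note.txt").write_text("...")  # not in the backup at all

        return verify_restore(json.loads(manifest_path.read_text()), dst)


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    print("restore verified" if restore_is_good(result) else "RESTORE FAILED")
```

Run as-is, the script exercises the failing case. In practice the backup job would write the manifest somewhere the backed-up host cannot overwrite, and the comparison would be run against every test restore as part of the practice runs Nguyen recommends, so a bad backup is discovered during a drill rather than during a ransomware recovery.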

Agile and adaptable incident response plans are critical to help school districts reduce total risk, minimize attack impact and act quickly to get IT services back on track after a breach.

Bottom line? This is an all-hands-on-deck situation. “The best time to create a ransomware incident response plan was yesterday,” says Jelley. “But if you don’t already have an up-to-date plan, there’s no time like the present.”