Why schools need an Incident Response Recovery Plan today

Incident response plans should also include recovery steps

The IR plan should also include a recovery plan to get the district’s network back up and running. The plan should include a list of assets and a systems map showing how systems are connected, including library services, special education, food services, school bus routes and student information systems, Richardson advises.

The IR plan should then outline how to restore those services and rebuild the technical infrastructure after an incident. It should also describe which services need to be in place before restoring from backups, says Richardson.

Although a school district’s IT staff may have an idea of ​​what an incident response should include, IR plans are often not documented, Boell explains.

“The ability to put everything on paper helps streamline the process and ensure that the split-second decisions made are in the best interest of the district,” he says.

DIG DEEPER: Schools are turning to outside experts to improve their cybersecurity posture.

How an IR plan supports learning continuity in grades K–12

Although students may be able to return to Hillsboro-Deering schools the next day after a snowstorm, that may not be possible after a cyberattack, Richardson says. According to Comparitech, ransomware attacks in the education sector over the past five years have resulted in unwanted downtime that “ranged from a few hours to 36 days.” In these cases, it wasn’t just classes that were affected.

That’s why K-12 school districts also need to plan for business continuity, according to Ginger Jackson, CTO of Cleveland County Schools in Shelby, NC. She cites employee payroll as an example. In the event of a cybersecurity incident, schools may need a contingency plan for writing checks, she says.

Superintendents should then meet with heads of other departments, such as food service, to develop an emergency plan in case a cyber incident causes disruptions to the power or heating system.

Get outside help creating a K–12 IR plan

Rather than executing an IR plan on their own, districts should turn to service providers that offer hosted solutions to help them with the recovery. When schools maintain a solid relationship with a vendor, they can replace equipment like servers and laptops on a large scale, Richardson says.

Vendors can also help schools manage their IR process. When the Los Angeles Unified School District shared its story of recovering from a ransomware attack at CoSN earlier this year, district leaders mentioned how valuable it would have been for them to have an IR representative to assist them through the process.

While schools are unlikely to address every situation in their IR plan, a solid checklist can help them maintain continuity of learning.

“If you get some general scenario checklists, you can apply them to the specific scenario as it develops,” says Richardson.