How prepared is your school for the unexpected? A recent high-profile event at the White House with K-12 administrators and cybersecurity professionals highlighted the importance of protecting schools against ransomware and other hacks.
Sandra Paul, Director of Information Technology and Operations for the Township of Union Public Schools in New Jersey, discusses incident response plans versus disaster recovery plans and how both can keep students, educators, and their personal information safe while also helping schools to recover from cybersecurity breaches and quickly return to the important business of learning.
Incident Response Plans vs. Disaster Recovery Plans: Prepare for the Unexpected
Cyber threats and attacks on educational institutions are making the news daily. For example, the University of Michigan, which serves 50,000 students, recently faced the challenge of kicking off the fall semester sans internet for several days after having to cut connections following a significant cybersecurity incident. Losing access to services such as financial aid, research materials, courses, and other resources necessary for a smooth start created a tough environment for everyone.
These types of cyber attacks are hardly confined to the university level: more than 120 school districts have already suffered ransomware attacks this year, provoking concerns over private information and putting the identities of minors at risk. Private details such as grades, medical records, behavioral information, documented home issues, and financial information are typically compromised.
Having plans to prepare for and overcome potential risks is key.
“The primary focus of an incident response plan is a collection of the processes and procedures that a school district follows if there is a cybersecurity breach/incident,” says Paul. “This type of plan is a response to an incident that caused a disruption of business and educational services leading to a disaster. In a disaster recovery plan, the primary focus is business continuity for the school district if there is an interruption of business and education services. This plan is implemented when there is a stoppage or halting of services.”
This two-pronged approach can reduce risk and give administrators a clear path to finding their way through an incident without wasting precious time formulating a response.
“Districts need both plans to systematically resolve or prevent technological issues that can be caused by outside and/or inside incidents, including natural disasters,” says Paul.
Disaster Recovery Plan: 3 Best Practices
- Have major stakeholders involved in the development of plans. Doing so creates support and buy-in for the district, and can also prevent delays when time is of the essence. In addition, it ensures communication is clear and understood, as any potential areas of confusion will be hammered out during the plan’s creation.
- Avoid complacency. Those involved need to stay up to date and practice the plan. Tabletop assessments, coordinated response exercises that walk key personnel through simulated scenarios, offer an opportunity to see whether the plan works and makes sense in real-world conditions.
- Communication is crucial, as is detailed documentation. Keeping records of results of tabletop assessments can help tweak a plan to be even more effective and usable. Post-incident, clear and specific documentation can help solve issues in the present and prevent future repeat situations.
Pull Together a Community and a Plan
Clearly, a response plan for these sorts of emergencies requires a specific skill set and background knowledge. CIO/tech directors are trained and keep abreast of the latest developments regarding the tools and strategies to keep schools and their students and educators safe. However, the implementation of these plans is not, and should not be, a solo effort.
“These plans should be developed by CIO/tech directors because there are several resources that will be called upon if any of these plans are to be implemented,” says Paul. “This includes technology service companies, cybersecurity insurance carriers, district security and safety personnel, community emergency management office, district IT, business and administrative personnel, school legal advisors, school board members, etc.”
As anyone involved in education knows, support for plans involves not only a united front in deciding how emergency scenarios will be handled, but also how developing plans and the various aspects within those plans will fit into an often tight budget.
“These plans require financial and IT equipment resources that will have to be approved by the school board and community members,” notes Paul.
Smoothing the pathway throughout the process by including all stakeholders can avoid political hiccups that could lead to delays or leave schools vulnerable while points of any plan are debated.
5 Phases of the NIST Cybersecurity Framework
The National Institute of Standards and Technology has developed a framework that can help in creating an Incident Recovery Plan.
- Identify — Determine your district’s critical functions and what cybersecurity risks could disrupt those functions.
- Protect — Define safeguards needed to prioritize the elements necessary to deliver a school’s critical infrastructure services.
- Detect — Monitor in a continuous manner to quickly discover unusual activities which could be tied to a potential threat.
- Respond — Once detected, implement measures to accommodate and adjust to the threat or incident without hindering the daily business of learning.
- Recover — Create a strategic plan to restore systems that might have been compromised or damaged. Consider lessons learned and tweak existing plans to help better protect from future threats.