Expert Viewpoint

After a Cyber Attack: Three Do's and Don'ts for K-12 Leaders and IT Teams

As is the case for so many multimillion-dollar organizations that collect sensitive data, K–12 schools are prime targets for hackers. According to Comparitech, at least 60 school districts and 26 universities suffered ransomware attacks in 2021.

Cyber attacks can leave significant recovery costs in their aftermath. For example, Baltimore Public Schools spent over $8 million on recovery after being attacked in 2019.

The costs go far beyond any ransom demands, however: public anxiety over potentially compromised data security, feelings of privacy invasion, and unfavorable public impressions of the district or its leadership, just to name a few of those hard-to-quantify impacts. Another common result of a cyber incident is school closure and short- and long-term operational disruptions. Schools in the United States shut down for an average of seven days after a cyberattack in 2021.

So how can your district recover as smoothly and efficiently as possible after a cyber attack? What steps should be required, or avoided, to minimize an incident’s negative impacts and costly disruptions? Following are some tips for district leaders, risk management planners, and IT practitioners to avoid making a cyber incident even more costly: what to expect, and some do’s and don’ts for moving forward with as little damage as possible.

Three Post-Cyberattack Do’s and Don’ts for School Leaders

1) Absolutely Do Not: Don’t Avoid Disclosure

It’s crucial that district leaders do not try to sweep an attack under the rug or to simply deal with a cyber incident quietly. Handling communications with stakeholders in a way that is perceived as “not transparent” will alienate the community the school serves. Keeping everything hush-hush will also potentially prevent your district from accessing valuable resources for incident response and recovery.

2) Do: Let the Pros Handle What They Do Best

Additionally, although it is tempting for administrative leadership to get involved in the recovery process, it can cause a lot more stress on the technology team and hinder their progress. It’s much more helpful for administrative leaders to be the go-to for communicating with other stakeholders and being a liaison between your technology team and service providers working to solve the issue.

3) Do: Expect Recovery to Take Several Weeks

The length of time for recovery naturally depends on several factors, including the size and scope of the attack, the extent of resources available to respond, and the quality of your district’s incident response plan. After most of the recently disclosed ransomware attacks disrupting K–12 schools, students and faculty were able to come back to their buildings within a few days — but that doesn’t mean the district had fully restored all its disrupted operations.

According to Statista’s research team, on average, it takes an organization about 20 days to recover from a ransomware incident. Naturally, an attack will be harder to recover from if your system isn’t monitoring for breaches. Some districts will have a retainer agreement already in place with an incident-recovery service provider, who can come in and get things fixed relatively quickly. In other cases, a school or district must rely entirely on their in-house staff, who may or may not have the expertise or the capacity to bring all systems and data back online in a timely manner.

Three Post-Cyberattack Do’s and Don’ts for School IT Staff

1) Absolutely Do Not: Don’t Skip Analyzing the Logs

Typically, after a threat or attack is contained, the recovery team will prioritize which systems are critical versus those that they can work to restore a little later. IT and incident recovery staff need to make sure that any system brought back online is first “cleaned” of the malware or whatever the problem was — before it is reconnected to the network and other infrastructure. This includes analyzing logs from all areas of the network’s data systems to see what actions have taken place and by which user accounts. Hopefully, the district will have log analysis software in place that can do most of the work of pulling these logs together into just one or a few reports to analyze. Otherwise, incident recovery is going to take a very long time.

2) Absolutely Do Not: Don’t Avoid The Post-Recovery De-Briefing Lessons

Often, having recovered from an attack's drama and exhaustion, a district’s IT team is back to “fighting daily fires” that continue to spring up. This makes it too easy to put off reviewing what happened and designating which areas of the incident response (and/or the prevention methods in place) need to be improved to avoid another disruption. Don’t wait for weeks or months, when the intricacies of the “good” and “bad” recovery steps may be forgotten. Ensure a proper de-brief with the response team immediately after the recovery is complete.

3) Absolutely Do: Review and Boost Security Practices

Implementing a multi-layered cybersecurity approach should be an automatic requirement following a cyber incident that causes disruption. Some basic measures all schools should have in place include phishing and cybersecurity awareness training for staff, multi-factor authentication, and updating the network security technology to match the current technology being used and the modern threat landscape: things like next-gen firewalls, antivirus software, and cloud security. The ultimate goal, most cybersecurity experts advise, should be that school districts focus on implementing a zero-trust cybersecurity strategy.

Schools and school districts have several free resources courtesy of the Cybersecurity and Infrastructure Security Agency and the cybersecurity framework provided by the National Institute of Standards and Technology. These resources can help schools create goals and actions to address cyber threats in the future. The framework comprises five roles or areas of cybersecurity that every risk management plan should address: Identify, Protect, Detect, Respond, and Recover.

Unfortunately, the reality for public schools is that a cyber attack is a matter of “when, not if” it will happen. Knowing the steps your school or district should prioritize and those to avoid, regardless of how big or small a disruption the incident might result in, is essential. Given how heavily every public school leans on technology for running front office, classroom, facilities, transportation, and all other operations as well as for delivering instruction, the importance of minimizing costly disruptions and having a response plan in place cannot be overstated.

About the Author

Charlie Sander is chairman and CEO at ManagedMethods, founded in 2013 to build a cybersecurity product that makes securing the sensitive information stored in the cloud easy and affordable for education institutions. ManagedMethods’ platform provides a central command center for monitoring risks and protecting school systems using Google Workspace and Microsoft 365.
