The Expert Lowdown on Reducing Cyberattack Recovery Time for School IT Leaders
By Charlie Sander, CEO of ManagedMethods
Securing K-12 school networks is one of the topics on everyone’s lips at the moment, with schools being primary targets for cyber attacks. This is because they play host to a huge amount of PII of students and teachers, such as financial information, social security numbers, addresses, and family details. The added layer of difficulty comes from the growing use of cloud technology in the learning environment, with so many potential weak points to be breached.
Just the other week, a school district in the south of Seattle with 17,500 students reported that it had detected unauthorized activity on their systems and had to take “immediate action to isolate critical systems.” It left Highline Public Schools unable to carry out their normal bus transportation routes, track attendance, or any of their standard communications and other vital functions.
Unfortunately, many school districts might not have the resources or expertise to implement effective cyber security protections, and they struggle to recover quickly—Highline Public Schools was completely closed for three days and the network infrastructure recovery will be ongoing for weeks.
So, how can schools expedite the process and resume normal operations without a prolonged impact on the district? Let’s dive in.
Proactive Incident Response Planning
Undeniably, the most obvious way to improve recovery is to have a clear and strategic incident response plan. This plan is a document that sets out all of the crucial steps for identifying, mitigating, and recovering from a cyber attack. The National Institute of Standards and Technology (NIST) outlines a four-step Incident Response Lifecycle to guide organizations through this process: Preparation, Detection & Analysis, Containment, Eradication & Recovery, and Post-incident Activity:
Preparation: This stage focuses on risk assessment, inventory management, and training your team. It minimizes the impact of a cyber attack and should be managed by a pre-assigned incident response team.
Detection & Analysis: Next, teams can identify, investigate, and assess potential suspicious activity or incidents in an organization’s network or systems. The goal is to look for malicious activities related to unauthorized access through methodologies such as log monitoring and anomaly detection.
Containment, Eradication, and Recovery: This phase is all-encompassing and makes up the bulk of the work because, given how likely attacks are to occur, containment and eradication are crucial. Containment measures mostly revolve around isolating systems and gathering information on the characteristics of the cyber event. Eradication involves removing malicious remnants of the attack, and recovery is restoring those systems to a secure state from backups or with updated patches.
Post-incident Activity: This phase involves working out what occurred and why it happened, before thinking about how to prevent it from happening again. It goes beyond assigning blame and fixing the technical aspects; it also means considering changes to policy and to key infrastructure.
Active Monitoring Identifies Threats Early
Active monitoring means that you have more comprehensive visibility of your network’s infrastructure, activity, and performance. Monitoring technologies allow you to see what is going on in your network, apps, and other data systems. Many will also proactively address anomalous behavior and alert the admin when an issue is detected.
Districts that regularly monitor activity in their network and cloud systems can identify and respond to potential security breaches faster. This makes the recovery process much easier. Regular monitoring might involve acting on any alerts that come through from endpoint protection tools, such as anti-malware or anti-virus software, regardless of whether the malware has already been removed. Put simply, the faster the action, the more likely schools are to mitigate the impact of an attack.
Data Recovery Solutions and Automation
To minimize data loss and reduce downtime after a cyber attack, there are some key recovery solutions to bear in mind. Firstly, schools often hold a huge backlog of student records along with academic resources. Multi-cloud backup systems allow them to store copies of that data across different cloud environments, including Azure, Google Cloud, and Microsoft. That way, there is no single-point-of-failure risk, and data can be restored quickly.
There are also automation tools that can further enhance your recovery through automated backup and recovery protocols. This reduces the dependency on manual intervention and ensures that data-handling protocols are applied consistently across all of the school’s systems.
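As an added example (not the author’s or ManagedMethods’ code), the check below applies the no-single-point-of-failure idea to a backup catalogue: each dataset must have a fresh, checksum-consistent copy in at least two separate providers before it counts as recoverable. The catalogue records, provider names, 24-hour recovery point objective and fixed clock are all constructed assumptions.

```python
"""Backup-coverage check for a multi-cloud backup catalogue.
Constructed example; the records, providers and RPO are assumed sample data."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 9, 20, 8, 0, tzinfo=timezone.utc)   # fixed clock so the check is repeatable
MAX_AGE = timedelta(hours=24)                             # assumed recovery point objective

# Constructed backup catalogue: one entry per stored copy of a dataset.
BACKUPS = [
    {"dataset": "student_records", "provider": "azure", "taken": "2024-09-20T02:00:00Z", "sha256": "aa11"},
    {"dataset": "student_records", "provider": "gcp",   "taken": "2024-09-20T02:05:00Z", "sha256": "aa11"},
    {"dataset": "lms_content",     "provider": "azure", "taken": "2024-09-20T02:00:00Z", "sha256": "bb22"},
    {"dataset": "lms_content",     "provider": "azure", "taken": "2024-09-19T02:00:00Z", "sha256": "bb22"},  # same provider twice
    {"dataset": "hr_payroll",      "provider": "azure", "taken": "2024-09-20T02:00:00Z", "sha256": "cc33"},
    {"dataset": "hr_payroll",      "provider": "gcp",   "taken": "2024-09-20T02:00:00Z", "sha256": "cc34"},  # checksums disagree
    {"dataset": "sis_exports",     "provider": "gcp",   "taken": "2024-09-17T02:00:00Z", "sha256": "dd44"},  # stale
    {"dataset": "sis_exports",     "provider": "azure", "taken": "2024-09-17T02:00:00Z", "sha256": "dd44"},  # stale
]


def _parse(ts):
    """Parse the catalogue's ISO-8601 UTC timestamps."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_coverage(backups, now=NOW, max_age=MAX_AGE):
    """Return {dataset: [problems]}; an empty list means the dataset is recoverable."""
    by_dataset = {}
    for copy in backups:
        by_dataset.setdefault(copy["dataset"], []).append(copy)
    report = {}
    for dataset, copies in by_dataset.items():
        problems = []
        fresh = [c for c in copies if now - _parse(c["taken"]) <= max_age]
        if not fresh:
            problems.append("no copy within RPO")
        else:
            # Two copies in the same provider still share one point of failure.
            if len({c["provider"] for c in fresh}) < 2:
                problems.append("fresh copies not spread across 2+ providers")
            # Diverging checksums mean at least one copy cannot be trusted for restore.
            if len({c["sha256"] for c in fresh}) > 1:
                problems.append("fresh copies disagree on checksum")
        report[dataset] = problems
    return report


if __name__ == "__main__":
    for name, issues in check_coverage(BACKUPS).items():
        print(f"{name:16s} {'OK' if not issues else '; '.join(issues)}")
```

Running it on the constructed catalogue reports only student_records as recoverable; the other three datasets each fail for a different reason.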
With regard to these processes, you need to ensure there are no indications of a further breach and that security flaws are remedied before regaining access to the network. It could be wise to get in touch with a cyber insurance provider and law enforcement, as it’s possible that the current team is not well-equipped to deal with the problem alone. That is not meant as a slight on anyone, just a reality of school IT infrastructure, as a lack of expertise and time constraints can really hinder a school’s cyber defenses.
Final Steps
Once the dust has settled, communication with external stakeholders and authorities is the final element of a well-timed recovery. You should not attempt to cover up the facts of the breach, as this will only further damage your school’s reputation.
Although the premise of this piece is to discuss how to mitigate damage quickly, you shouldn’t speed things up unnecessarily, as this will leave you more vulnerable. The people assessing the systems and deciding which parts of the school’s operation need to be brought back online must be given the space to carry out their work.
Lastly, when you have recovered, it may be easy to think that everything is A-OK again. But you have to remember that while you may have won a single battle, the war is ongoing. Schools are often attacked on multiple occasions, even by the same group looking to exploit the same vulnerabilities. That’s why incident response is so vital, as it gives you that foundation for the next cyber event. Basic techniques beyond what we’ve discussed today, such as multifactor authentication and real-time monitoring, can help protect your systems for the long run and make responding to any breaches faster.