We Need You to Fight Ransomware in K12 Schools
by Mike Bianco
No one wants to imagine the headlines and aftermath of a ransomware attack. However, preparing for such an event is crucial to escaping with your data intact and without shelling out ransom to attackers. More than 56% of K12 education organizations suffered ransomware attacks between 2020 and 2021—with an average cost of over $265,000.
To help strategize, break planning into different stages of a hypothetical attack. Here’s how to prepare to weather the storm.
Before an attack happens
No one ever regretted implementing best practices. If you don’t yet have an incident response plan, create one now.
Implement the principle of least privilege. If someone does manage to infiltrate systems, their credentials ideally won’t be sufficient to reach valuable data.
Endpoint detection and response (EDR) is way more than simply antivirus software! Monitoring the health and security of each endpoint (read: a device connected to the network) zeroes in on the nooks and crannies criminals hope you neglect.
Keep up with software patches—it makes a difference and protects your network from exposure. In 2022, over 22.5 thousand new common IT vulnerabilities and exposures were discovered, a new record.
Data backup follows the 3-2-1 rule: 3 copies, 2 different media formats, 1 offsite. Then test it!
82% of breaches in 2021 involved the human element. 35% involved the use of email. You can expect 7–10% of real phishing emails to filter through your blocking systems, so practice matters. (Did you know some are authored by your own students?)
Make security training a regular routine. Include incentives for completing training well, such as digital badges, leaderboards, and certificates. With regular practice using KnowBe4 training programs, districts have gone from a 32% fail rate on phishing tests to a 4% fail rate. Plus, some cyber insurance programs require proof of training and data backup.
What do I do if I suspect a phishing email or ransomware?
Decide the course of action ahead of time—for almost all users this will be to contact internal IT and follow their instructions.
During a ransomware attack
Front end users:
It’s important users know what to do before an attack actually happens.
Number 1: Contact IT immediately.
Most folks’ roles will stop after that, but they still need to be told what to do in the meantime and how to communicate with their own stakeholders and students. To that end, make community-facing folks (admin assistants, teachers, etc.) aware of the situation and the unified messaging from the PR team.
Back end users:
Enact your district’s incident response plan.
Disconnect and isolate infected systems but don’t turn devices off.
Locate patient zero to identify the source and type of breach.
Contact your cyber insurance, authorities, response teams, public relations.
Meet with vendors, work together, stay informed, evaluate options for moving forward.
Record facts and file them for retrospective later.
After a ransomware attack
The bad guys leave back doors, so never re-use compromised systems. Instead, rebuild them after verifying it’s safe to do so.
Enlist the help of your vendors (like Skyward). There can be nuances that are critical to getting your systems back on track.
Learn from it: How did attackers get through? Re-evaluate policies and make changes to block copycat and repeat attacks.
Make retrospective questions standard and include vendor notes and feedback. Keep these facts and findings organized and confidential but allow transparency to stakeholder teams. Knowledge is power and data is private.
Be prepared! Create an incident response plan tailored to your district. Share and practice the plan with your stakeholders. By taking the time to prepare, you’ll eliminate headaches in the future. While we can’t prevent bad actors from targeting school data, we can definitely prepare as well as possible.
Empower everyone to be a cyber hero.
Follow-up resources: CISA Guides
Learn more with these guides from the Cybersecurity & Infrastructure Security Agency.
Mike Bianco, Vice President of Information Security, CISSP