Why schools urgently need incident response and recovery plans

In an exclusive for ETIH, Professor Jackie Wyatt, a GIAC Certified Enterprise Defender and Cyber Security Analyst at QuikTrip, as well as an Adjunct Professor at the University of Tulsa, delves into the critical need for educational institutions to prioritise cybersecurity.

The financial impact of cybersecurity threats has been increasing in recent years and are expected to keep surging in the years ahead. By 2025, cybercrime is projected to cost the world $10.5 trillion annually. Despite this, schools at both the K-12 and higher education levels have been slow to prepare themselves with incident response and recovery plans.

Organizations put themselves at serious risk this way because the consequences of being hit with a cyberattack while unprepared can be disastrous. Despite understandable barriers, if educational institutions could truly understand the risks and consequences of a data breach they would prioritize taking the steps necessary to protect themselves and their stakeholders rather than suffer those repercussions. 

The risks of incidents for schools keep increasing

One reasons schools are often underprepared for cyber attacks is that they have traditionally not been seen as prime targets, but that is no longer the case. Organizations in both K-12 and higher education have become increasingly reliant on digital learning and technologies in recent years, resulting in a much bigger attack surface.

Yet the level of awareness has not risen in proportion to this greater risk. In K-12, for example, nearly 40 percent of schools do not have an incident response plan. This lack of preparedness combined with the large amounts of personal data that educational institutions possess has led to them being seen as easy targets by cyber criminals. 

The two phases of an incident response plan 

A complete plan has two phases: response and recovery. The response phase details what to do immediately during an incident. The first step is usually to contact the people qualified to assess and contain the threat. Ideally, this would be an entire team composed of numerous specialists and not a single IT generalist who may be lacking the resources and potentially the skills to handle an incident alone.

Leadership and administration would also need to be contacted along with other relevant departments such as legal and public relations and third-party entities who may also have a vested interest such as insurance providers and law enforcement.

There are two important points to make here: First, for all contacts there should be backup contacts in case the primary contacts cannot be reached. There also needs to be backup means of communication - for example, landlines for when people can’t be reached via cell phones and instant messaging for when people can’t be quickly reached by email. Second, multiple hard copies of step-by-step procedures should be printed out since it doesn’t do any good to have this information online if people get locked out of the networks.

After the response phase is the recovery phase: getting networks and systems back up, restoring any needed backups, and minimizing disruptions to students’ education. We need to remember that due to the interconnected nature of modern IT infrastructure this often means more than just computer hardware and software. It can mean food services, school bus routes, and basic facility management functions such as lighting, heating, and air conditioning. 

Costs and consequences of getting breached

In a 2024 report, cybersecurity firm Sophos estimated that the mean cost for K-12 institutions hit by ransomware attacks was a staggering $3.76 million. For higher education it was even higher at $4.02 million. 

Astronomically high as these figures are, there are hidden costs that go far beyond the financial ones. In the aftermath of a cyberattack, downed networks can cause school operations to get disrupted for up to weeks at a time, especially when they don’t have existing response and recovery plans. This in turn can lead to hard-earned reputations getting damaged, something that generally takes more time and effort to repair than simply regaining access to one’s data or getting a system back online.

Overcoming the barriers to action

Despite these risks, significant barriers stand in the way of schools taking action. One of the most common is the cognitive bias of believing that an incident won’t actually happen to one’s own school - that is, until it actually does. Another common barrier is the lack of adequate funds being allocated to getting prepared.

The first step to overcoming these barriers is to highlight the increasingly high level of risk. 

As mentioned earlier, the perception that schools are not targets of cybercrime may have been somewhat true in the past, but it no longer holds today. The increasing digitalization of education and the growing amounts of data that schools possess combined with the widespread lack of preparedness has resulted in schools becoming attractive targets to threat actors.

However, many people are logically aware of the risks but still don’t feel emotionally invested in them. A more compelling case for getting prepared could therefore be a cost-benefit analysis in which the risks and costs of not taking action are factored in with the costs of taking action. Since people often make decisions for emotional reasons over logical ones, painting a scenario of the school’s reputation taking a big hit due to a cybersecurity incident could be more motivating for decision makers than citing abstract statistics. 

There is no question that running an educational institution is demanding work leaving leaders and decision-makers with limited energy and resources to spare. But incident response and recovery plans are not luxuries that schools can afford to postpone. They are necessities that many in the educational realm have been finding out the hard way. School leaders would therefore be wise to take action on this now while they still can. It is always easier and cheaper to prevent a crisis than to repair the damage after the crisis has occurred. 



Previous
Previous

Digital accessibility: empowering learners to succeed in education

Next
Next

How teachers and parents can approach the call for evidence on curriculum reform