Boards of Education have a fiduciary responsibility to proactively require Training Policies and Disaster Recovery Procedures for managing network and server security, business continuity, and employee welfare. But for many, this new “Wild West” cyber-landscape presents a daunting journey through unknown territory. Scott Jeffreys, cybersecurity expert and Hofstra University special associate professor, discussed how school districts can reduce the risk of ransomware attacks and respond most effectively when those attacks occur.
“You have to think of protecting your district’s assets in the same way you insure your car or home,” said Jeffreys during Cybersecurity for Schools, an event at Hofstra’s Cybersecurity Innovation and Research Center. “A modest investment now can save huge payouts and massive disruptions in the future.”
In his presentation to school superintendents and IT personnel, Jeffreys outlined how to develop a recovery plan.
Develop a Disaster Recovery Plan
It is difficult to marshal your resources and take effective action while you are in crisis mode. Your district needs a well-thought-out set of directives that clearly spells out who does what, and when, so that when you are hit with a ransomware attack, you are ready to hit the ground running. Appoint an Emergency Crisis Manager trained in Project Management who can work with IT to coordinate all activities on the ground and provide status updates. Do not expect the IT Manager who is elbow-deep in hands-on damage control to also keep stakeholders involved and informed.
According to Jeffreys, a good Disaster Recovery Plan will include the following key steps:
- Isolate the infection by disconnecting from any networks and the internet. It may be too late to stop the spread of malware, but you can at least lessen its impact.
- Identify the infection and its location on your server. What processes have been compromised?
- Report the infection to the proper authorities. Many districts and businesses have been slow to take this step for fear of the bad publicity. This is a mistake. Contact the FBI’s Internet Crime Complaint Center immediately after you learn of the infection. Victim reporting helps the authorities get a better picture of the overall ransomware threat and contributes relevant information to ongoing cases, potentially helping them identify the perpetrators and their methods.
- Determine your options. Do you pay the ransom, knowing the hacker might not honor the agreement to unlock your system? Can you remove the malware or bring entirely new systems online? Is it possible to recover lost data via backups?
- Restore and/or refresh your hardware and network. While there is some debate over their efficacy, there are decryptors available to remove ransomware. But because new decryptors might not have been developed to address the latest malware, it is generally considered better to completely wipe affected systems and restore them from safe backups.
- Plan to prevent recurrence. Those who think lightning never strikes twice may be sorely mistaken when it comes to malware. Like all computer programs, ransomware evolves and grows more sophisticated every year. One way to reduce your vulnerability is to put your Disaster Recovery Plan to the test with both scheduled and unplanned server outages. Pull the plug on a random server and see what happens. How long would it take to rebuild a mission-critical server? How long will the school district be shut down? Do you need redundant hardware? If you can’t answer these questions, you aren’t ready to face the real thing.
Cybersecurity is Everybody’s Business
Protecting your data isn’t the sole responsibility of the IT team. Jeffreys says it needs to be instilled in every employee, and ensured by proven best practices such as the following:
- Update software to the newest version to help prevent abuse of unpatched vulnerabilities in older iterations.
- Back up data using the 3-2-1 rule, creating at least three copies of the data in two different storage formats with at least one copy located offsite.
- Build a smart cyber-culture at all levels of your organization. This starts by putting policies and procedures in place and training all employees to be wary of suspicious e-mails and links that can deliver ransomware or steal user credentials.
- Avoid the blame game and encourage communication. If an employee is afraid of reporting a potential breach, it can lead to an unchecked spiral of infrastructure damage that might have been reduced if caught early enough.
- Share your experiences with other potential victims. Too often, school districts are concerned about bad publicity and fail to alert other districts and pool their knowledge and resources. By working together, keeping each other informed and sharing best practices, the region as a whole can build stronger protections against ransomware and other cyberattacks.
- Take advantage of Hofstra’s Cybersecurity Innovation and Research Center and the university’s students in computer science, business and cybersecurity. Work with the center to provide information and resources you can use to buttress your cybersecurity efforts. Let Hofstra students develop a “spear-phishing” campaign against your district as a training exercise to reveal how vulnerable your staff might be. Invite Hofstra’s cybersecurity students to take part in a summer internship in your School District with your IT Teams, gaining hands-on experience while bolstering and hardening your infrastructure. The center’s co-directors Dr. Hak Kim or Dr. Xiang Fu can work with districts to explore how Hofstra can help.
“All too often, this discussion is all about technology,” said Jeffreys as he concluded his talk. “I want to challenge you to go to your central business offices and have a different discussion about asset value: how much is it worth to avoid having your servers down for a day, a week, a month? Once you know the value of the asset and the risk you’re willing to assume, you can understand how much insurance you need. You may balk at writing a $100,000 check for system protection, but if you consider the price you are willing to insure it at – five percent, ten percent, whatever your number – now you can budget a number for security software rather than just taking a guess. That’s the kind of thinking that can get your district to open the purse strings for protection.”