A vetted, strategic cybersecurity plan helped one school district successfully push back against cyberattackers.
The annual back-to-school superintendent conference day on Sept. 3, 2019, at New York’s Monroe-Woodbury Central School District should have been one of excitement and reconnection for staff and administrators. But that wasn’t the case for Bhargav Vyas, who serves as the district’s assistant superintendent for compliance and information systems as well as its data protection officer. Instead, the night before, his team got a system failure warning that caused them to start troubleshooting early in the morning.
It started at 7:30 a.m. When bringing up the domain controllers, one of the leading techs called and said, “Our biggest nightmare is here.” Vyas knew then that a cyberattack was underway.
Cybersecurity Incidents Spike During the Pandemic
According to “The State of K-12 Cybersecurity: 2020 Year in Review” from the K-12 Cybersecurity Resource Center and the K12 Security Information Exchange, what happened at Monroe-Woodbury is becoming increasingly common. The 2020 calendar year saw a record-setting 408 publicly disclosed cybersecurity incidents. These attacks, which affected 377 school districts across 40 states, resulted in temporary school closures, millions of stolen taxpayer dollars and student data breaches linked to identity theft and credit card fraud.
Schools moving to remote and online learning environments in March 2020 only exacerbated the problem. With the rapid shift to remote learning putting more devices into students’ and teachers’ hands, a lack of cybersecurity training, and plenty of enticing free apps to download, cracks in schools’ cybersecurity were almost inevitable.
IBM’s Education Ransomware Study, released in October 2020, surveyed 1,000 K–12 and college educators and 200 K–12 and college administrators. It found that “while administrators are 20 percent more likely to receive cybersecurity training than educators, they are still unaware of critical information relevant to protecting their schools.”
Pre-Emptive Protocols Lead to Faster Recovery
When Monroe-Woodbury faced down its cyberattackers in 2019, it was ready. Well before the attack, the district had established both internal protocols and a disaster recovery plan.
As soon as the IT team became aware of the attack, it notified Superintendent Elsie Rodriguez and the other assistant superintendents. Once Rodriguez informed the Monroe-Woodbury board of education of the situation, the communications team and the public relations specialist contacted all key stakeholders, including the business office, the district attorney and the insurance company.
Within an hour, the district had an incident response team working with Vyas to contain the attack, assess the damage, and develop a mitigation plan. The attackers had just started targeting the servers when the storage area network was shut down, so they had nowhere left to go to do more damage.
Once the IT team finished restoring data from the snapshots cleared by the incident response team, it took a few days to build up a Microsoft infrastructure. By the end of the first week, 70 percent of the district’s mobile devices were back up and running, including those for transportation services. At the end of the second week, the IT team had all systems up and was able to bring Wi-Fi back online to connect mobile devices for 3,000 students and staff.
Plug the Holes with Internal Security Lessons
Looking back, Vyas says, “it was strategic on the district’s part, not from the ransomware perspective but from a resources perspective, that we had an updated disaster recovery plan that identified the location of our data in all systems, as well as a robust redundancy system. This strategic move mitigated any further damage and communication.”
The district made another strategic move that may have hindered the attack. It signed up for a National Institute of Standards and Technology cybersecurity assessment that reviewed risks and threats to the district’s entire network.
Months before the attack, the IT team used the assessment’s recommendations to “plug the holes” that, in hindsight, could have been a factor in a much more significant cyberattack. It was essential for the district’s IT team to build up goodwill and support, so staff and teachers were educated on cybersecurity and best practices for keeping their data safe. While not everyone understood the technology, they recognized the importance of cybersecurity and trusted the process.
Finally, the team placed great emphasis internally on implementing an electronic inventory and ensuring that record-keeping was accurate and secure. As a result, when reimaging all devices and computers after the cyberattack, the IT team knew the device location and count within 5 percent.
Training Ensures Everyone Stays Educated
After the attack, the Monroe-Woodbury IT team focused on lessons learned. The district changed its policies so that only school devices could access the network, and guest networks were eliminated. Noting that “security is not just a technology concern, it’s a district concern,” Superintendent Rodriguez established scenario-based cybersecurity tabletop training.
Critical stakeholders such as the disaster response team, IT department, business office, and support staff continue working together to ensure they’re well prepared for the future. Because people forget, Vyas continues to educate the school community, including the school board, about developments in cybersecurity. He adds that, even in a cyberattack or pandemic, with the right people on your team and a willingness to do what is best for students, you can work together to give technology back to the school community.