Before Baltimore County Public Schools faced a devastating ransomware attack on Nov. 24, 2020, that shut down classes for three school days, the district’s information technology leaders say they had thought the district had strong technology systems in place.
But that cyberattack had catastrophic effects, compromising every technology system in the district as the entire foundation of its IT infrastructure vanished, said Jim Corns, executive director of information technology for BCPS, in a recent webinar during the Consortium for School Network conference. The attack is estimated to have cost the district at least $7.7 million, The Baltimore Sun reported.
Corns likened the district’s IT system to a puzzle: Before the cyberattack, all the pieces were in the right place, but afterward everything was in disarray as some parts of the IT system were either missing or lost forever. In fact, he said, the system could not be rebuilt to its previous state due to the ransomware attack.
The district of more than 110,000 students and 25,000 staff members could not send emails to other government agencies, nor could anyone access school systems using single sign-on passwords.
With districts becoming increasingly susceptible to cybersecurity risks, especially amid the Russian invasion of Ukraine, BCPS officials shared five lessons learned from their major cyberattack for districts to keep in mind when recovering from and responding to their own cybersecurity crises. Those lessons include the value of leadership, collaboration with community partners, standardized operating procedures, vetting of technology systems and creation of a software portfolio.
Leadership first
It’s important to have the leadership in place for when — not if — a cyberattack occurs in a district, said David Stovenour, BCPS director of digital safety, education technology and library media department of educational options.
BCPS already had a process in place before the cyberattack on how to share information with district leaders to quickly make decisions and maintain confidentiality during a cybersecurity crisis.
“Because of the close nature of that work, and because of the group that had gone through that process together, we found that we already had a high level of trust,” Stovenour said. “We had to make decisions both quickly and often without a lot of time for deliberation or discussion.”
Count on collaboration
It’s key to cast a wide net with community partners and vendors when seeking solutions in the middle of a cybersecurity crisis, Stovenour said.
“Cyberattacks are still a new problem, especially for education, and as such there’s no manual yet on how to prepare and how to respond to such a situation,” he said.
Stovenour said it’s important to solve the issue without judging staff and partners. In BCPS’ case, the ransomware attack was an act of crime and no one’s fault within the division, he said.
When in a cybersecurity crisis, Stovenour suggests reaching out to the FBI, local governments and trusted vendor partners. Much of the district's recovery work could be credited to its strong student data privacy contracts with vendors, he said.
Document standardized operating procedures
Before the cyberattack, BCPS wrote a guide on how to restore practices and how systems should function amid a cybersecurity crisis, said Jeanne Imbriale, BCPS’ director of enterprise applications.
Then when the district employed those technical standards for some systems, administrators could quickly restore those applications and bring students back online, Imbriale said. Overall, this practice helped students and teachers access the online tools needed for learning, she said.
Vetting technology assets
Because all of BCPS’ technology resources are centrally managed, the district is able to put systems through a strong vetting process that looks for applications’ abilities to function from a technical, accessible and privacy standpoint, Imbriale said.
The district also relied on CoSN’s data privacy toolkit to manage its vetting requirements. By centralizing this vetting process, administrators felt comfortable relying on its resources when recovering from the ransomware attack, she said.
Before bringing applications online amid the cyberattack, Imbriale said the district re-vetted its technology systems as it was rebuilding a stronger technology environment. Since then, all technology assets go through an annual vetting process to ensure they meet the district’s standards, she said.
Create a software portfolio
Since the cyberattack, BCPS has formalized its technology portfolio to make sure the district has an exact account of the more than 400 varying applications and many users in its digital ecosystem, Imbriale said.
If the district ever needs to quickly recreate its digital environment, the portfolio will provide a blueprint for easily doing so.
Considering the importance of partnering with vendors during a cyberattack, it’s critical in this digital portfolio to also keep a list of vendor contacts in one place so the district can alert and work with them in a timely manner, she said.