Cyber Incidents

Tabletop Exercise #4

When: June, Thursday evening

Where: Administrative office

Scenario 1 | Phishing Incident:
The day after the district’s normal payday, after receiving several angry phone calls, the business office staff discovered that multiple district employees had fallen victim to a phishing scheme that redirected their direct deposit paychecks.
Several weeks earlier, an email was sent out to all district employee email addresses directing employees to click on a link in the email to update their payroll passwords or they would lose access to their accounts. The email used the district’s logo and appeared to come from the IT department. Multiple employees clicked the link in the email and changed their passwords.
Unfortunately, this email was a common phishing scheme that tricks employees into clicking a link that prompts them to enter their password, often under the guise of preventing them from being locked out, updating their account information, or resetting a password that is about to expire. In many cases, both the initial email and the website the link leads to are designed to look legitimate. Once the cybercriminals have an employee’s real password, they log in to the self-serve portal and change the employee’s direct deposit account to one they control. Many employees only learn that they were tricked once their paychecks fail to show up in their accounts on the next payday. What are your next steps?
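The pattern in Scenario 1 leaves a trail in the payroll portal’s own audit log: a password change followed shortly by a direct deposit change, several employees routing pay to the same new account, or several changes coming from the same source address. The script below is an added example written for this exercise, not part of the CSDSIP material and not the code of any real payroll product. It assumes a hypothetical audit log with one JSON object per line carrying the fields ts, user, event, src_ip and (for deposit changes) new_account; the log lines, user names, account labels and IP addresses are constructed for illustration.

```python
"""Correlate payroll self-service audit events to surface likely
direct-deposit hijacking after credential phishing.

Added example for the tabletop exercise. The log format, field names,
users, accounts and addresses below are hypothetical / constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical portal format, one JSON record per line).
# jsmith and mlee: password change, then deposit change to the same new account
# from the same address a few minutes later. rgarcia: a routine change whose
# password reset happened *after* the deposit change, so it is not correlated.
SAMPLE_LOG = """\
{"ts": "2024-05-14T08:02:11", "user": "jsmith", "event": "password_change", "src_ip": "203.0.113.7"}
{"ts": "2024-05-14T08:05:40", "user": "jsmith", "event": "deposit_change", "src_ip": "203.0.113.7", "new_account": "ACCT-9911"}
{"ts": "2024-05-14T08:09:02", "user": "mlee", "event": "password_change", "src_ip": "203.0.113.7"}
{"ts": "2024-05-14T08:11:35", "user": "mlee", "event": "deposit_change", "src_ip": "203.0.113.7", "new_account": "ACCT-9911"}
{"ts": "2024-05-20T15:30:00", "user": "rgarcia", "event": "deposit_change", "src_ip": "198.51.100.22", "new_account": "ACCT-4410"}
{"ts": "2024-05-21T09:00:00", "user": "rgarcia", "event": "password_change", "src_ip": "198.51.100.22"}
"""


def parse_log(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_suspicious_changes(events, window=timedelta(hours=72)):
    """Return a list of findings, each {'user', 'reason', 'detail'}.

    Rules (all defensive heuristics, tuned for review by the business office):
      1. deposit_change within `window` after that user's last password_change
      2. the same new_account chosen by more than one employee
      3. deposit changes for more than one employee from the same src_ip
    """
    last_pw_change = {}                 # user -> time of most recent password change
    users_by_account = defaultdict(set)  # new_account -> users who switched to it
    users_by_src_ip = defaultdict(set)   # src_ip -> users whose deposit was changed from it
    findings = []

    for rec in events:
        if rec["event"] == "password_change":
            last_pw_change[rec["user"]] = rec["ts"]
        elif rec["event"] == "deposit_change":
            users_by_account[rec["new_account"]].add(rec["user"])
            users_by_src_ip[rec["src_ip"]].add(rec["user"])
            pw_ts = last_pw_change.get(rec["user"])
            # Only a password change that *precedes* the deposit change counts.
            if pw_ts is not None and rec["ts"] - pw_ts <= window:
                findings.append({
                    "user": rec["user"],
                    "reason": "deposit_change_after_password_change",
                    "detail": f"{rec['ts'] - pw_ts} after password change",
                })

    for account, users in users_by_account.items():
        if len(users) > 1:
            for user in sorted(users):
                findings.append({"user": user, "reason": "shared_destination_account",
                                 "detail": account})

    for src_ip, users in users_by_src_ip.items():
        if len(users) > 1:
            for user in sorted(users):
                findings.append({"user": user, "reason": "shared_source_ip",
                                 "detail": src_ip})

    return findings


def flagged_users(findings):
    """Distinct employees whose deposit changes should be verified out of band."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    for finding in find_suspicious_changes(parse_log(SAMPLE_LOG)):
        print(f"{finding['user']:10} {finding['reason']:38} {finding['detail']}")
    print("verify with employees:", flagged_users(find_suspicious_changes(parse_log(SAMPLE_LOG))))
```

In the constructed log, jsmith and mlee trip all three rules while rgarcia trips none, which is the point of the ordering check: a password reset that follows a deposit change is normal housekeeping, whereas one that immediately precedes it matches the sequence described above. A district running something like this would hold any flagged change for a phone confirmation with the employee before the next payroll run, and keep the audit log itself as evidence for the incident response.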


Scenario 2 | Ransomware Incident:
At around 4:00 PM, the special education director’s laptop suddenly displays a message stating that all files have been encrypted and demanding payment in exchange for the decryption key. The message states that the ransom, currently $5,000, will double to $10,000 if payment is not sent in bitcoin within the next 48 hours, and that if payment is refused after 96 hours all the encrypted files will be deleted and become completely unrecoverable. The laptop contains evaluation and progress monitoring data on numerous students as well as the evaluations of several employees. How do you proceed?

Critical Thinking Questions

1. What current policies and procedures are necessary in this scenario?
2. Was the response adequate to the magnitude of the incident?
3. Are all staff trained on whom to report to in a similar scenario?
4. Can one or more operational changes be made to mitigate the risk or damage in the future?
5. What lessons can be learned from this scenario?

Conclusion

Cybercrimes can be devastating to any district, and recovery can be difficult. Having an effective plan in place can drastically change the outcome of a situation. Please reach out to CSDSIP to talk through this tabletop exercise or to answer any questions that may arise out of completing this exercise.