How school boards can best mitigate cyber risks
School board members may not be experts in cybersecurity issues, but these leaders are still responsible for developing the policies and procedures related to cyber risk management and the ever-changing issues that come with technological advancement, especially as districts and boards begin to utilize new tools to advance efficiency and effectiveness.
School districts have become major targets for cyber attackers throughout the United States. But despite the very real threats that lurk in today’s cyber landscape — from ransom demands to million-dollar scams to compromised information — the seriousness of cybersecurity issues still evades many school boards.
School board members must understand that mitigating cyber risks is not an option, but a necessity that districts need to prioritize. By developing policies, procedures and standards for mitigating cyber risks, school boards can establish and cultivate a culture that promotes strong cybersecurity practices.
Mitigating Risks Through Cybersecurity Standards
There is a lot that local school boards can learn from the experiences of other districts that have been attacked or hacked, and these examples can educate them on how to make proactive decisions regarding cybersecurity standards.
By establishing standards for the district to adhere to, the school board can mitigate risks related to sensitive data. Boards can take actions to prevent, mitigate and respond to cybersecurity threats while empowering and educating members of the district.
1. Do not utilize public cloud-based storage platforms for sensitive data.
School boards may see cloud-based file-sharing platforms as an efficient way to exchange or share documents. However, use of these platforms makes boards and districts vulnerable to cybersecurity risks, such as malware, viruses, data loss, phishing scams or the exposure of sensitive information.
Storage on a public cloud (like Google) is easy, but it is bad cybersecurity practice. When it comes to sensitive data, the information should be stored on a private secure server and on sites with high-level encryption.
2. Prepare for data loss and recovery.
Data loss may not seem like a major concern; it can appear relatively harmless when compared to a serious hack. However, data loss can be just as devastating as any other cyberattack for a school district.
Having a backup system in place to restore full performance and function in the event of sensitive data exposure or loss is imperative to protecting and maintaining information related to the students and district business.
3. Set up a procedure for reporting cybersecurity threats.
Create a flow chart of the relevant individuals or agencies that need to be brought in on these issues. Be sure that this information is available to all district staff and board members through pertinent training materials, and that it is accessible at any time. The faster individuals can report these incidents, the sooner the issue can be mitigated.
4. Transition from paper documents to digital records.
While utilizing physical copies of records and information may be a force of habit, it is far less secure than maintaining digital records. If someone attaches or downloads a digital document, there is some digital trace of that information and the transaction.
If your school board shares a hard copy of sensitive information to each board member and someone takes that physical paper home with them, there are limitless scenarios in which that information can be unintentionally exposed. More importantly, that information is then completely untraceable once that hard copy is lost. This careless action, while inadvertent on the part of the board member, can put student and district confidential information at great risk.
5. Do not use e-mail for school board business.
Yes, email is technically 'digital communication,' but it is the least effective and least secure form of digital communication for school boards. Emails and their attachments are not encrypted or entirely secure. Additionally, email discussions between school board members and administrators regarding board work can be a violation of sunshine laws, so it is crucial that school board members exercise caution when it comes to communicating via email.
Be sure to include detailed language in the district's cybersecurity standards regarding email communication to confirm that staff, students and administrators are aware of what information should never be shared through email.
Preventing Cyber Risks Through Training and Educating
Cybersecurity standards set the expectations for members of the district (board members, staff, administrators, students, etc.) to abide by. However, cybersecurity training is equally important to be sure that these same members of the district community are fully aware of the standards and their importance.
Cybersecurity training can help district members better understand cybersecurity standards and how they impact the board’s ability to mitigate cyber risks. Training should cover the necessary response to attacks or threats. Students, staff and other members of the community should know how to respond to a suspected or confirmed cyberattack.
Remember that large, district-wide plans are designed and implemented one step at a time. Your district may even find that pieces of the plan do not work in certain schools or for other parts of the district. Be flexible and willing to explore other options to achieve the goals established for the district.
Keep the students, teachers and community in mind when developing a cybersecurity plan for school districts. Establishing standards and a training process will take time, but even the smallest actions lead to achieving the largest goals.
Board Technology That Promotes Strong Cybersecurity Practices
The investment in software that effectively and efficiently secures sensitive data related to the district and its students pays for itself in protecting from damages suffered from cyberattacks. When it comes to sensitive data the information should be stored on a private secure server and on sites with high-level encryption (256-bit encryption is the strongest level of security currently available).
Community, a Diligent brand, is a secure board management software. Unlike many board portal services, Community boasts physically secure servers (that are video monitored) and 256-bit encryption, the strongest level of encryption currently available. These elements ensure privacy and security for your board's most confidential and sensitive data. Additionally, board portal users can securely access information from anywhere and any device.
Community's board management software encrypts all data and has a daily backup service to help mitigate risks related to sensitive data loss or exposure. Ensuring that your board's information is protected and secure means that your board has more time and energy to spend on other important issues.
Leveraging a board management software like Community helps school boards mitigate the risks associated with other insecure platforms. The right security features support and promote practices that protect the sensitive information of your district and your students, while still providing the school board with a seamless and streamlined tool to share and access pertinent district information.
Developing and implementing cybersecurity standards and trainings for school districts can be an overwhelming responsibility, but with the right technology resources it can be simplified and streamlined. Keep in mind the vision and goals for your district, and consider how cybersecurity and technology can be integrated to more effectively and efficiently work towards those achievements.
