Cybersecurity is a critical issue for public education boards and often presents as a major pain point in many school boardrooms. Encompassing the trainings, practices and necessary policies that work to mitigate cyber risk and safeguard sensitive board information, cybersecurity for boards of directors should be a cornerstone of board protocol and operations. School boards are among the most targeted groups for hackers and cyberattacks, largely because their defenses can typically be easily breached and cybercriminals can gain access to sensitive data and information pertaining to students, staff and their family members. Hackers have been known to then leverage these data breaches in ransomware attacks and force schools into paying large sums of money, knowing they will pay the ransom to protect students and stop sensitive information from being released.
If school boards’ attractiveness to cybercriminals weren’t enough, school boards are also among the least prepared groups when it comes to cybersecurity. According to NSBA’s nationwide 2017 survey of 482 school board members, 67% of respondents reported that they sit on boards that require no cybersecurity-related training whatsoever. Only 12% of respondents reported receiving mandatory cybersecurity training. This points to a gaping hole in the typical infrastructure and operations of public education boards. Establishing a sound cybersecurity framework that allows for new board members to get up to speed quickly and effectively on the cybersecurity policies set in place is a vital piece of ensuring the safety of the district’s information and reputation. Without cybersecurity, school boards are low-hanging fruit for cybercriminals, and today’s public education boards should be equipped with the right tools and trainings to overcome cyber threats.
School boards must manage other risks in addition to cyber threats that can often take priority over cybersecurity efforts. However, in the digital age we all live in, cyber risk is everywhere and is likely tied to other risks, like reputational risk, complying with laws and requirements and student safety. School boards that choose to use insecure tools for collaboration and communication are putting themselves and the district at large at serious risk. Public file-sharing apps create many problems for public education boards. While they might save money and store data in an easily accessed forum, they also make your sensitive board information a soft target for cybercriminals.
Already one of the most targeted groups for cyberattacks, school boards can’t afford the added risk that insecure file-sharing apps inevitably present. Finding a way to incorporate cybersecurity into risk management to create a strong cyber risk management framework is an effective way to safeguard district information and bring more efficiency to the boardroom through the right digital tools.
School boards often must work within tight budgets that can restrict their options when it comes to paperless meeting technologies, also known as board management software. While some boards may just decide to live with the bare minimum features and functionality that free board management software affords, they are doing themselves a huge disservice by drastically increasing their risk of cyberattack. There are numerous dangers associated with free board management software and it can end up costing boards more money in the long-run.
School boards are public entities and therefore must readily provide required information to the public on a regular basis, which often includes meeting agendas, meeting minutes, meeting location and details and other public announcements. When operating within an entirely paper-bound system, however, leaving paper trails can be extremely risky and leave room for more private information – like that of students, their families and other sensitive data – to get into the hands of the wrong person. Similarly, when operating within an insecure board management system, while paper trails are eliminated and some aspects of board work are automated, school boards simply do not have enough of a safeguard to protect against any cyber threats that might occur. Going digital is a smart decision for school boards, but ensuring that the digital tools are actually secure and effectively protect the district from cyber risk is even more important.
Towards the end of 2018, the San Diego Unified School District had ten years’ worth of records containing personal identifying information on 500,000 students and staff hacked into and stolen. This incident marks one of the all-time largest data breaches of a school district, and the damage is still running deep. In order to first develop and then comply with an effective, defensive technology policy, school board members need a proper cyber training program. Cybersecurity trainings that align with sound cyber policies position school boards to be more nimble when responding to an attack. Once the right policies are in place, this will also prevent school boards from leveraging any insecure online board meeting tools that don’t meet required cybersecurity standards.