'My company's biggest risk is the board member who doesn't know what he is doing.'
- Executive Education participant, International Institute of Management Development

Board members see the most highly sensitive information in a district. They bear the ultimate liability for any data breaches or leaks. And human error remains a greater threat to cybersecurity than nefarious outsiders. Yet board members traditionally receive less technology training than staff members with far less responsibility. To get the training they need, boards need only recognize the extent of the problem, initiate a sound training program and provide copious reinforcement of best practices.
Recognize the Problem
A July 2017 National School Boards Association (NSBA) survey of 482 school board members showed that the extent of technological ignorance is greater than expected. Only 22% of respondents, for instance, even knew that digitizing board documents increases the security of information. Only 35% realized that file-storage sites such as Google Docs increase risk.
As a result, these school board members routinely put sensitive district data at high risk of cyberattack. The riskiest behaviors are standard practice: A full 58% store board documents where they're not fully secure, as they would be on a board portal; 61% use email regularly or occasionally for board communications; 73% use texting for board business; and 69% download board documents onto their personal devices. All of these practices make them low-hanging fruit for cybercriminals, who are increasingly seeking out school districts as targets.
What's worse, the board members surveyed didn't know what they didn't know. Few were alarmed. Asked whether their cybersecurity system and practices had been audited, 51% responded, 'I don't know.' It's not their fault: Only 12% had received mandatory security training.
Implement Sound Training
Board members need to learn how to store documents, how to handle board communications and how to keep sensitive board business consistently segregated from information made public in accordance with open meeting laws. Some members may even have difficulty accessing meeting agendas and board packets for paperless meetings. And most boards need training from scratch on an emergency plan in the event of a data breach. In the precious moments after a cyberattack, all eyes are on the school board to implement a plan.
Intensive training in a few sessions should be taught by someone with expertise who is up to the task. Outside consultants can be brought in to conduct the training; some boards use their high-level IS or IT officers. Whoever is asked to help, the training should address shortfalls identified by a security audit of the organization, with specific attention devoted to board communications.
Such experts may be available at low cost from the state school board association or the state Department of Education. In states that mandate training for board members (paralleling the continuing education requirements of teachers), technology could be added to the list of topics covered. Arkansas requires six hours of professional development each year for school board members, while Alabama's School Governance Act requires three hours. In Missouri and Idaho, the state currently sends legal and financial staff around the state to offer training in such things as reading audits, but the curriculum could be expanded to include technology training. Alabama's experience suggests that the greatest benefits accrue from the entire board attending a training together, rather than each board member choosing a date to attend a session individually.
The board should also know where to turn as questions arise outside the training. BoardDocs' board portal software provides extensive training webinars and videos, with award-winning customer service that promises a person on the other end of the phone within five minutes, even if it's the middle of the night or on the weekend. Some boards have a buddy system, whereby newcomers to the technology have a point person in the organization who is more adept at simple operations.
Such training should be part of the enterprise-wide integration of all technological security issues at the board level, as recommended by Aon consultants. A tech-savvy person on the board can oversee those efforts. Bigger districts are increasingly hiring a Chief Technology Officer (CTO).
Most boards will find that they have a long way to go to realize that objective: The NSBA survey showed that only 17% of the school board members surveyed reported that they currently have an IT officer, IS officer, data security team, or an Audit or Risk Committee overseeing board communications, and that's only one link in the chain.
Provide Extensive Reinforcement
Educators know that learning something once is never enough. Repetition keeps lessons alive and deepens muscle memory. Ideally, such training occurs four times a year for the board as a group. Even twice-yearly training would create a vast improvement over present practices. Of the paltry 12% of NSBA survey respondents who had received required cybersecurity training, 40% received it only once and 60% got training only once a year. This quarterly or biannual training should be supplemented by tabletop exercises during regularly scheduled board meetings.
School boards can get up to speed with new technology by assessing the damage created by maintaining the status quo, getting frequent training from experts and providing constant reinforcement of best practices. Trust the results: No board has regretted being too responsible with district data.