The Diligent team

GRC trends and insights

Mind the gap: How to create a cyber risk framework for your public board

Conscientious school and college boards are moving cyber risk management to the rank of a board-level priority. Since the Covid-19 pandemic brought attention to new risks associated with virtual board meetings and remote work, responsible school boards should get serious about implementing a cyber risk framework that bolsters their cyber defenses. But where to begin?

Suites of costly consultants stand at the ready to guide you through the process, but few school or community college boards can afford them. Even for-profit sectors have stopped short of full implementation as consultants walk them through such popular schema as the National Institute of Standards and Technology (NIST)'s Cybersecurity Framework (a.k.a., CSF). More than 50% of respondents to a 300-person, multi-industry survey by Tenable, Inc. cited cost as the prohibitive barrier to completing the processes dictated by CSF.

Using top board portal software, a school or college board can apply the principles underlying such lauded protocols to its own cyber risk framework, creating a repeatable, adaptable series of actions to stay a step ahead of hackers:

1. Conduct a cyber risk gap analysis
2. Itemize actions needed to close that gap
3. Implement the actions.

Leveraging the capacities of top board management software, a school board's cyber risk framework can customize those measures as follows:

1. Perform a Gap Analysis

If you asked any school board member just how securely board business is protected from cybercriminals, you would undoubtedly elicit a blank stare. If you don't know how bad the problem is, there is no way to address it. Conducting a security audit is therefore a non-negotiable first step.

Not just any technology professional is qualified to conduct such an audit. The complexity of the job calls for an IS or IT executive ' perhaps the CIO or a member of the Risk Committee. Some outside consultants also have the credentials required.

Many states and state school board associations offer grants to offset the cost of a high-level risk audit. Some school boards tap state and regional networks to share costs with peer districts.

The audit should cover more than penetration testing of hardware. Since human error causes more data leaks than any other source, the auditors should also spend time monitoring board communication habits. If the board makes common mistakes like attaching sensitive documents to emails, they can eradicate that considerable risk by directing the board to store and edit documents through the secure board portal.

The gap analysis will result in an objective report of present cybersecurity vulnerabilities that keep the board from attaining a targeted risk profile. 'Reducing cyber risk' ceases to be a vague and impossible imperative. Even if the gap is large, it becomes a known quantity, the kind that can actually be addressed.

2. Itemize Actions Needed to Close the Gap

No single act ' not even banning board emails ' suffices to bring a school board to a tolerable level of cyber risk exposure. Depending on a district's previous adoption of best practices, the list of actions that must be taken will include some or all of the following:

• Hold paperless meetings. The agenda, preparatory readings and minutes can all be posted and continuously stored on the board portal, increasing security. Paper copies can proliferate without a trace, and they're easy to steal (or to leave behind on an airplane, etc.)
• Conduct board communications exclusively on board management software with full 256-bit encryption. It alone offers the highest level of security for sensitive documents.
• Store data on a private, cloud-based server. While any digital storage method is safer than keeping paper files, not all offer equal protection. Storing documents on 'the cloud,' as most file-sharing apps do, is especially insecure. Board software stores files on a private, cloud-based server, effectively moving it from Grand Central Station to a vault in the basement.
• Ban downloads of board documents onto personal devices and hard drives. The board portal will keep them in one safe, centralized location where any board member can get to them in a matter of minutes.
• Collaborate on editing through the board software. It is hardly a sacrifice to do group editing while keeping the document out of harm's way; the best board software can identify each set of comments by the contributor's name (indicated by color coding), as well as a time stamp. As each set of comments is entered, the shared version presented and refreshed in real time so that everyone now sees them. A designated super-editor can have sole authority to accept any or all of the recommended changes.
• Require multi-factor authentication to gain board access, with complex passwords and biometric scans among the identifying protocols. Be sure your board software is capable of recognizing such inputs.
• Conduct board training two to four times a year. Regular offsite group board training saves your data from the pervasive threat of a user who 'innocently' makes errors.
• Keep sensitive data away from the public through role-based authorizations. School boards must keep agendas and many documents open to the public, but the board needs to see information protected by FERPA and even HIPAA. The only foolproof way to keep them consistently segregated is to use board management software that provides different versions of documents to different audiences, according to a set list that filters users according to their role in the organization.
• Develop and rehearse a technological emergency preparedness plan. The community will look to the school board for leadership in the event of a cyber-emergency. To have the best chance of recovering data, the board needs to have a clear vision of who-does-what after a breach.
• Screen third-party vendors who interact with the network. Different offices in the district interact electronically with outside entities in their supply chain. A virus or bug in one of their networks could infect the district's system. Smart boards, therefore, get security ratings of the other entities with which the district does business.
• Conduct security audits at least twice a year. Once is not enough. The next security audit will bring you up to date on how much of a gap still remains.

3. Create and Follow an Implementation Calendar

One board member should shepherd all these processes through the many steps to full implementation, even if various stages of implementation are delegated to others. Not all measures can be taken at once. The board should create a road map of when and how each needed step will be completed. To keep the board accountable, a part of each school board meeting should be devoted to a cybersecurity update that reports on adherence to the plan.

With a fully secure board portal like Diligent Community, school boards can reduce their cyber risk with a rigorous framework of measurements and corrections. It doesn't take a rocket scientist, but it does take a bold plan, consultation with experts and strong leadership.