5 proven cybersecurity practices school boards should adopt
School districts have not been immune to the increase in cyberattacks seen across the globe and in every industry. In fact, schools have become particular targets for a variety of reasons, including the amount and nature of the data they secure, and the perceived lack of resources dedicated to IT.
Consider the recent attack on the Los Angeles Unified School District, the second largest in the United States, that was disclosed in early 2023. In addition to Social Security and driver's license numbers, the ransomware attack revealed 2,000 student assessments and included psychological evaluations, medications and abuse and trauma history — all published to the dark web.
In addition to the harm done to individuals whose information is exposed, these cybercrimes have real costs to school districts, tangible and intangible, from ransomware fees to the costs of reparative work and the drop in community confidence.
Ransomware attacks are just one of many types of cyberthreats. A factsheet on school-related cybersecurity from the Readiness and Emergency Management for Schools Technical Assistance Center outlines the types of threats districts face, including:
- data breaches
- distributed denial of service or DDoS attacks
- spoofing and phishing
- malware and scareware
- unpatched or outdated software vulnerabilities
- removable media
Preventing cybercrime falls on everyone in a school district — not just the IT team, but administrators, staff, students and especially the school board.
The role of the school board in ensuring cybersecurity
School boards have a significant role to play in ensuring district cybersecurity and deterring crime. As the governing body of the district, the board is responsible for setting students up for success. They do this by setting policies for the district, including policies relating to decision-making over technology resources, use of technology tools and more, in schools and district offices.
School boards also model good cybersecurity habits. By using modern, secure digital tools and considering security in every decision, board members lead by example.
Emphasizing security also has an efficiency benefit for the board. When district resources are secure, the board can spend more time on issues that directly impact student success and less time on remediating attacks or lapses in data security and governance.
5 cybersecurity best practices boards should undertake now
Don’t wait until cybercrime hits close to home. Consider these practices now to protect your district, its business and your students.
1. Set smart security policies
Responsible use of technology resources falls on everyone, but it’s on school leadership to ensure these policies are reasonable, clear and enforced. The National Center for Education Statistics defines these types of technology policies:
- Acceptable-use (or appropriate-use) policies
- Restrictions on access to student records
- Technology security policies
- Policies regarding acceptance of commercial advertising on school websites
- Policies regarding acquisition, maintenance or disposal of school equipment or applications
- Policies regarding acceptance of donated equipment and software
- Policies regarding community or after-school access to school or district technology resources
These policies should be regularly reviewed to ensure they still meet district needs. For example, how recently was your district’s responsible-use policy updated?
Districts also need policies that dictate what to do after an attempted or successful data breach. Some states, such as Texas, mandate parental notification, while California recently passed a law requiring schools to report any cyberattack affecting 500 or more students or staff regardless of whether a data breach occurred.
2. Ensure strategic budgeting for technology
Quality IT resources are never cheap, but the security, efficiency and peace of mind they offer are invaluable to education leaders. Investing in IT security also saves the resources districts will have to spend after a breach or other crime. District boards should follow smart strategies for IT budgeting that account for the tension between tight budgets and education priorities.
3. Use secure resources for board business and communication
While open meetings laws already limit many forms of informal communication between board members, trustees should additionally ensure that the tools they use are up to date, secure and designed for governance purposes — avoiding texting, emails and other vulnerable channels.
4. Ensure the entire leadership team is using tools consistently
Beyond avoiding informal, consumer-based tools for communication, the board should self-police to set the expectation that all members use the most secure tools consistently. Take file-sharing, for example. The use of an insecure platform for sharing documents among the board, staff and other audiences can lead to sensitive data exposure and loss and make the district vulnerable to attacks.
5. Listen to IT recommendations
Just as boards should invest in quality technology resources, boards should invest in the staff that manage district IT security — and then listen to them. Staff responsible for maintaining the quality of the IT infrastructure need support from the board in the form of policies but also in supporting recommendations around password protocols, software updates and more.
The role of board management software in cybersecurity
Modern board management software is an important defense districts can employ against cyberattacks. These tools serve as a nexus for board business, administrative workflows and communication. A secure, regularly updated platform that encrypts digital records, such as Diligent Community, reduces risk of data exposure or loss.
Boards should look at platforms with these features:
- Secure data hosting through a top-tier cloud provider
- Ensured data availability through storage redundancies and recovery
- Audits that encompass login history and application-level document-sharing audit trials available upon request
- Robust access controls and in-app role-based security allowing different levels of privacy
Final tips for good cybersecurity
School boards and their districts are increasingly targeted by cybercriminals, but they aren’t alone in managing the risk. Boards can start to address issues by creating a cybersecurity framework for their districts.
Everyone in the district should care about good cybersecurity, and boards should expect no less in their technology partners. Diligent understands the concerns board members have around protecting their data, and Diligent Community is built to encrypt and secure school board business against cyber risk.
