Jennifer Rose Hale
Former Client Partner, Texas Association of School Boards

What school boards need to know — and do — about cyberthreats today

January 29, 2024

As a school board leader, you know that cybersecurity is important. But you might not realize just how bad the problem is — or how urgently your board needs to stay up to speed on the situation.

Cybercrime is a $6 trillion-with-a-t global enterprise — bigger than the international drug trade and big enough to be a member of the G7 if it were a country. And these criminals are targeting public education to a disturbing, and increasing, degree. In a 2023 survey by cybersecurity company Sophos, 80 percent of school IT professionals reported that their schools had experienced a ransomware attack in the past year — up from 56 percent in the 2022 survey.

Guess who’s responsible when student data is held hostage, or ends up on the dark web, as happened after the Los Angeles Unified School District experienced a data leak in 2022?

If you’re looking in the mirror, you answered this question correctly.

What do superintendents, board members and secretaries like you need to know? Even more importantly, what do they need to do to stay ahead of threats and be ready for the next one?

“There are several calls that we do not want to get first thing on a Monday morning, and hearing that your entire computer system has shut down is certainly one of them,” said Diana Baker Freeman, sharing her dual perspective as a school board member and Diligent’s Senior Manager of Governance and Policy Initiatives.

She joined Policy Manager Sarah Gutierrez and Diligent Institute Executive Director Dottie Schindlinger in a recent webinar. Their conversation covered:

  • Today’s increasingly complicated cybersecurity landscape
  • Board-specific ways to be prepared
  • What’s next for policy management

Watch the full 30-minute discussion here, and read on for some of the highlights.

Escalating risks, from software patches to sanctions lists

Schindlinger talked through why cybersecurity should be a regular item on a school board’s agenda and ways to know if your school district is cyber-ready, starting with everyday awareness, education and behavior.

“The number one way that these attempts begin isn’t someone hacking into your system. It's when there’s a poorly patched piece of software or somebody in the district clicks on a link,” she said. “Or, it’s a social engineering attempt where they make a phone call. You call them back. They now engage with you, and they find out your username and password. That's very, very common.”

The good news: “With education and patching and just really minimal maintenance, you can avoid 95 percent of this,” Schindlinger said.

But cyber policies and practices are just the start of what school board members need to know. Take the many complications of ransomware, for example. A district can implement training for staff and students to be aware of suspicious emails, but what happens when someone inevitably clicks on one?

There can be a significant financial impact, from legal fines to data recovery fees, Schindlinger reminded listeners, plus huge consequences for board decisions. “You only get data back less than half of the time if you pay a ransom, and doing so could invalidate your cyber insurance,” she explained. “A lot of attackers are using that money to fund terrorism and they are on a sanctions list.”

Established resources for effective oversight

Diligent has covered many of the actions boards and school districts can take to cyber-proof their operations, from holding paperless meetings to safeguarding sensitive data with encryption and multifactor authentication, to getting certified in cyber risk themselves.

But how can they extend this vigilance across their entire district?

“We're not anticipating that the governing board will jump into a management role and put out fires on site in person, but it is the board's role as the governing arm to set the direction and ensure there are adequate plans and staff in place to protect the district,” Freeman said.

One resource is the National Institute of Standards and Technology (NIST) Cybersecurity Risk Management Framework. “It’s written in plain language, and it is absolutely easy to follow,” Schindlinger commented. Another is the CISA Situation Manual for K-12 Public Schools.

Maintaining and sharing school policy

Another key step is codifying this knowledge and these practices. Cyber policy makes expectations explicit and official about important things, like sharing sensitive documents, storing information in the cloud, using email for board business, and having a recovery plan for when (not if) things go wrong.

“It’s important to know who the players are and the legal requirements you’re required to meet,” noted Gutierrez. And when this plan gets set into action, “does everyone know what they’re supposed to do? Make sure you have that training.”

Given the complexities of schools and cybersecurity, there’s a lot to train on: communications plans for informing parents, regulatory requirements for sensitive data, the list goes on — and these details are always changing.

This is where Policy Publisher comes in. It’s a new add-on to Diligent Community — you can see it in action by scheduling a demo today — and Gutierrez shared highlights with the webinar audience.

Policy Publisher was created with the needs of busy school boards and the many members of the school community in mind. In response to rising threats, scrutiny, and today’s ever-evolving cybersecurity and regulatory landscape, the Diligent Community team designed it to be a place where information is easy to store, secure, update, and find, then share.

“It has a private site where you can see your plan, and a public site where your stakeholders can see what your policy on emergency management is specific to cyber security,” Gutierrez said.

Want more tips and insights from Diligent’s experts? Watch the full webinar.



© 2024 Diligent Corporation. All rights reserved.