Imagine: Hackers steal the medical records, bank account numbers, grades, and employment files of 500,000 students and staff over a 10-year period. The San Diego Unified School District awoke to that nightmare one morning in December 2018. In November of the previous year, school boards of districts subscribing to SchoolDesk learned that hackers had hijacked over 800 school websites, blocking the content and sending users directly to a YouTube recruitment video for ISIS instead.
Such chilling cautionary tales have led more and more school boards to cite cybersecurity as a board-level priority. Nevertheless, cybersecurity remains conspicuous by its absence from most school board meeting agendas. It’s time to put cybersecurity on the agenda. Here’s how.
Agendas serve not only to map out the proceedings of the meeting, but also to signal that business is being conducted responsibly. Thus, they often contain assurance that the meeting complies with the requirements of the ADA and with open meeting laws, sometimes citing verbatim the regulatory text in question. Placing the district’s technology policy prominently on the agenda provides further reassurance of conscientious conduct.
Many districts have not created a technology policy. In that case, now is the time to create one. The technology policy should specify measurable standards; it is not enough to say that the school board is “making every effort to keep confidential information safe.” A technology policy with teeth might look like this:
Technology Policy: To protect the confidential information of constituents from cybercrime, School District #26 holds entirely paperless meetings, conducts board communications only on board portal software with full 256-bit encryption, stores data only on a private cloud-based server, prohibits downloads of district documents onto personal devices, limits board texting to a secured app, requires multi-factor authentication - including complex passwords and biometric scans - for portal access, conducts board training four times a year, automates the segregation of sensitive documents necessary for board decision-making, and commissions two security audits per year.
Such a comprehensive technology policy would indicate full compliance with all of the best practices in the industry. (See the BoardDocs blog post “Best Practices for School Board Cybersecurity.”) Few districts have come that far. Those that have not can re-work the policy template to indicate which practices are presently followed and which of the others will become standard practice by a stated deadline.
Every board designates a secretary and a treasurer. Why not a cybersecurity officer? Aon Consulting recommends integrating all technological security issues from across the organization at the board level, much as finances are. For the sake of the meeting agenda, such a board officer can report on the state of cybersecurity at school board meetings.
Ideally, the cybersecurity officer would be a senior-level technology professional, such as a CIO or an IS/IT executive. Since school boards are elected, not appointed, though, it is impossible to count on the availability of such expertise. Bigger districts are increasingly hiring a Chief Technology Officer (CTO), who reports to the board.
A less credentialed cybersecurity officer would serve as a coordinator. Such an arrangement often suits smaller districts, which typically lack a high-level cybersecurity professional on the board or on the full-time district payroll. The board officer might hire and liaise with consultants, reserve a fraction of the time of top-level IT/IS staff employed by the state for assignment to specified tasks, or arrange to share knowledge and networks with peer districts in the region or the state. Writing in the New York Times, ICMA Research Director Tad McGalliard recommends inter-organizational cooperation to pool modest budgets so small entities can afford expert services.
If the board cybersecurity officer is an expert, he can do much of the work needed and issue a report at every board meeting, much as the superintendent does. If that officer serves as a coordinator, he could line up reports throughout the year from the various experts who work on behalf of the district in differing capacities.
On the agenda, then, a regular time slot could be designated for cybersecurity reporting. Perhaps it would always top the list of “New Business” matters. Each month (or quarter), a different topic would rotate through on a regular schedule throughout the year. The specific items to be reported on should include:
Present practice does not reflect that urgency. In the NSBA survey, 62% of respondents did not ever have to undergo cybersecurity training. Only four percent sat on school boards that required training. No less than 26% had no idea if their school board offered training. Schindlinger recommends quarterly board training, with two trainings per year a bare minimum.
Such training must include not only the best practices for managing documents, say, but also the reasons for the rules. A July 2017 NSBA/Diligent survey of 482 representative school board members showed that such reasons are not widely understood. Only 22% of respondents, for instance, realized that digitizing board documents increases the security of information and only 35% knew that file-storage sites such as Google Docs increase risk.
Working cybersecurity into the school board meeting agenda is an opportunity to showcase board-level oversight of data protection. To prepare for the routinized reporting that results, most districts will need to first get their house in order, planning the implementation of a deliberate strategy guided by a well-developed technology policy. Board accountability and transparency will increase. More importantly, boards that rise to the occasion will drastically reduce their risk of cyberattack.
IMD (International Institute of Management Development), “Board of Directors Training: Want to Optimize the Effectiveness of Your Board?”
McGalliard, Tad, “How Local Governments Can Prevent Cyberattacks,” The New York Times, March 30, 2018.
Schindlinger, Dottie, “A Cyber Perception Gap? What Directors Want to Believe about Cyber Security vs. Real Cyber Risk,” posted by ISACA News (Information Systems Audit and Control Association).
NSBA, School Board Member Survey, July 2017.