How School Boards Can Best Mitigate Cyber Risks

Lena Eisenstein
School board members may not be experts in cybersecurity issues. However, these leaders are still responsible for developing the policies and procedures related to cyber risks and the ever-changing issues that come with technological advancement, especially as districts and boards begin to utilize new tools to advance efficiency and effectiveness. School districts have become major targets for cyber attackers throughout the United States. Ransom demands, districts being scammed out of millions, school computer systems compromised, or student information compromised and potentially sold to identity thieves are a few of the threats districts are facing. However, even with these very real-life examples, the seriousness of cybersecurity issues still evades many school boards. School boards must understand that mitigating cyber risks is not optional, but a necessity that districts need to prioritize. There are steps school boards can take to mitigate cyber risks for their district. Developing policies, procedures, and standards can establish and cultivate a culture that promotes strong cybersecurity practices.

Mitigating Risks Through Cybersecurity Standards

Local school boards are prone to cybersecurity attacks. There is a lot to learn from the various experiences of other districts that have been attacked or hacked, and these examples can educate school boards on how to make proactive decisions regarding cybersecurity standards. By establishing standards for the district to adhere to, the school board can mitigate risks related to protecting sensitive data. Boards can take several actions to prevent, mitigate, and respond to cybersecurity threats while empowering and educating members of the district.
  1. Do not utilize public cloud-based storage platforms for sensitive data.

School boards may see cloud-based file-sharing platforms as an efficient way to exchange or share documents. However, use of these platforms makes boards and districts vulnerable to cybersecurity risks, like malware, viruses, data loss, phishing scams, or the exposure of sensitive information. Storage on a public cloud (like Google) is easy, but it is bad cybersecurity practice. When it comes to sensitive data, the information should be stored on a private secure server and on sites with high-level encryption (256-bit encryption is the strongest level of security currently available).
  2. Preparing for data loss and recovery.

Data loss may not seem like a major concern; it can appear to be harmless or simple compared to being hacked or any other cybersecurity issue. However, data loss can be just as devastating for a school district as any other cyber attack. Having a backup system in place to restore full performance and function in the event of sensitive data exposure or loss is imperative to protecting and maintaining information related to the students and district business.
  3. A procedure for reporting cybersecurity threats.

Staff, school board members, and others within the community need to know where a cybersecurity incident, like data loss or a detected virus, should be reported. The district's IT manager or team, district technological and leadership teams, and certain law enforcement agencies may need to be notified. Create a flow chart of the individuals or agencies that need to be brought in on these issues, based upon the incident that occurs, to include in the district's cybersecurity standards. Be sure that this information is available to all district staff and board members through pertinent training materials, accessible at any time. The faster that individuals are able to report these incidents, the more easily the issue can be mitigated.
  4. Transition from paper documents to digital records.

While utilizing physical copies of records and information may be a force of habit or seem easier, it is far less secure than maintaining digital records. If someone attaches or downloads a digital document, there is some digital trace of that information and the transaction. If your school board shares a hard copy of sensitive information with each board member and someone takes that physical paper home with them, there are limitless scenarios in which that information can be unintentionally exposed. More importantly, that information is then completely untraceable once that hard copy is lost. This careless action, while inadvertent on the part of the board member, can put student and district confidential information at great risk.
  5. Do not use e-mail for school board business.

Yes, e-mail is technically "digital communication"; however, it is the least effective and secure form of digital communication for school boards. E-mails and their attachments are not encrypted or entirely secure. Additionally, e-mail discussions between school board members or school board members and administrators regarding board work can be a violation of sunshine laws, so it is crucial that school board members exercise caution when it comes to communicating via e-mail. Be sure to include detailed language in the district's cybersecurity standards regarding e-mail communication to confirm that staff, students, and administrators are aware of what information should never be shared through e-mail.

Preventing Cyber Risks By Training and Educating

Cybersecurity standards establish the expectations for members of the district (board members, staff, administrators, students, etc.) to abide by; however, cybersecurity training is equally important to be sure that these same members of the district community are fully aware of the standards and their importance. Cybersecurity training may tackle understanding the standards for the district and the impact they can have on the board mitigating cyber risks. Additionally, training should cover the response to attacks or threats. Students, staff, and other members of the community should know how to respond to a suspected or confirmed cyber attack. Remember that large, district-wide plans are designed and implemented one step at a time. Your district may even find that pieces of the plan do not work in certain schools or for other parts of the district. Be flexible and willing to explore other options to achieve the goals established for the district. Keep in mind the students, teachers, and community when developing a cybersecurity plan for school districts. Establishing standards and a training process will take time, but even the smallest actions lead to achieving the largest goals.

Board Technology That Promotes Strong Cybersecurity Practices

The investment in software that effectively and efficiently secures sensitive data related to the district and its students pays for itself by protecting against the damages suffered from cyber attacks. When it comes to sensitive data, the information should be stored on a private secure server and on sites with high-level encryption (256-bit encryption is the strongest level of security currently available).

Community, a Diligent brand, is a secure board management software. Unlike many board portal services, Community boasts physically secure servers (that are video monitored) and 256-bit encryption, the strongest level of encryption currently available. These elements ensure privacy and security for your board's most confidential and sensitive data. Additionally, board portal users can securely access information from anywhere and any device. Community's board management software encrypts all data and has a daily backup service to help mitigate risks related to sensitive data loss or exposure. Ensuring that your board's information is protected and secure means that your board has more time and energy to spend on other important issues.

Leveraging a board management software, like Community, helps school boards mitigate the risks associated with other insecure platforms. The right security features support and promote practices that protect the sensitive information of your district and your students, while still providing the school board with a seamless and streamlined tool to share and access pertinent district information. Developing and implementing cybersecurity standards and trainings for school districts can be an overwhelming responsibility, but with the right technology resources it can be simplified and streamlined. Keep in mind the vision and goals for your district and how cybersecurity and technology can be integrated to more effectively and efficiently work towards those achievements.