The 10 Best Practices for School Board Cybersecurity

Lena Eisenstein
7 min read
  1. Move from paper copies to digital communication.

Sharing information digitally is far more secure than generating hard copies. Every time someone downloads or attaches a digital document, there is some electronic trace of that transaction. If a school board passes around hard copies of a sensitive document to each of 10 board members, and they each take them home, the possible proliferation is limitless ' and, more important, untrackable. Simply leaving a file on the table while you get a tall latte or forgetting it when you get off an airplane leaves it wide open to anyone at all. More deliberate theft is also comparatively simple; crawling through a window is easier than penetrating a strong firewall.

School boards do not realize that they actually gain security by converting to digital storage. In a 2017 National School Boards Association (NSBA)/Digital survey of 482 school board members, only 22% recognize that they could increase security by converting to digital communication. A full 42% say that using digital technology for communications between the board and the administration has decreased security.

2. Do not use email for board business.
Yes, email is 'digital communication.' It is also the least secure mode of digital communication. Your email address is ridiculously easy to find; most districts list board members' contact information on their websites. Emails and attachments are entirely unencrypted. Phishing scams can access any emails sent to a board member whose system is broken into through a trick that persuades users to open a message with an alluring subject heading. What's more, through email attachments alone, a crook can access the entire network of which that email address is a part. All the employment and medical data that is stored by a district goes straight to bad actors who are adept at identity theft; using a district-provided email address is actually riskier than using one's personal email address. But it doesn't matter, because use of emails should be banned for your board.

Again, misinformation reigns triumphant. In the NSBA survey, a full 61% of respondents report regular use of their personal email accounts to communicate about board business. A cybercriminal doesn't have to work very hard.
3. Do not post material on a generic file-sharing service.
Using a garden-variety file-sharing service such as Google Docs does not solve the problems created by paper copies or emails; it creates new risks all its own. Some such sites provide no encryption, and some provide measly 187-bit encryption. 256-bit encryption provides the strongest protection currently available. Moreover, file-sharing sites store materials posted there on the cloud, not on a cloud; that is, they place them in broad daylight on the cloud that is open to absolutely anybody. IT experts consistently warn against putting sensitive information on the cloud. Using a private cloud is the only shelter from this excessive level of exposure. The average file-sharing service does not store data on a private cloud; only private portals do, and even some of them don't provide the 256-bit encryption

that is the gold standard. Again, many on school boards are misinformed. In the NSBA survey, 13% of respondents use such sites, and 15% of all respondents believe it decreases risk. Twenty-two percent think file-sharing sites have no effect on security, and 17% have no idea how file-sharing sites affect security.

4. Never download board-related documents onto hard drives.
But they're safely isolated from the internet. Right? Sort of. Files on the hard drives of any device can still be accessed by a hacker who infiltrates the system when a user of that same device is using the internet to shop, read the news or research a report. Like the paper copies left on an airplane, hard drives are also lost irretrievably when someone leaves their laptop behind. Hard drives are discoverable in litigation.

Probably unaware of this risk, a full 20% of school board members surveyed reported that they routinely store board-related documents on their hard drives. Some portals actually make it technologically impossible to download materials posted on them. With or without such built-in safeguards, training to the point of indoctrination is a best practice.

5. Demand role-based authorization.
School boards provide different levels of detail to their varied constituencies. When a document contains personal identifying information ' like teachers' salaries and bank account numbers or the medical histories of the staff ' such information absolutely must not be attainable outside the small circle of executives or committee members who need to see it to consider policy options. It's easy to imagine sheer confusion or carelessness leading to the wrong version going to the wrong person. Say an email list included all of the members of a committee, not just those on a particular subcommittee, but the sender didn't look closely enough to notice the difference. With no ability to substitute different versions for different users, an ordinary file-sharing site would make it simply impossible to get a sensitive version of the document to those who need it.

Role-base authorization saves the day. On a top-flight portal, different users actually see different versions of the same document when they log in to the portal. Their designated role determines their level of access, and it's easy to change someone's role. So, the small group that needs to see a detailed account gets it; everyone else sees a scrubbed version.

6. Use a secure board portal.
The sixth best practice follows logically from the first five. A truly secure portal has:

  • Full 256-bit encryption
  • File storage on a private cloud
  • Role-based authorization

Such a portal provides the public-facing site required by sunshine laws, but also the document-level protection from hackers.

Though they provide a one-stop solution to myriad problems created by other modes of board communication, secure board portals are used by only 42% of the school board members surveyed by NSBA.

7. Access documents only with devices that have remote wiping.
Say you lost your laptop in the airport terminal when you made a connection in Sydney. You're now home in Chicago. With remote wiping, you have an ace up your sleeve: You can actually erase your hard drive. This ingenious, quantum-like capacity is the pi?'ce de r?'sistance in your arsenal of cybersecurity. It is a feature of hardware, so look for it when you buy tablets, laptops and phones.

8. Train your board.
Cybersecurity is not ultimately the responsibility of the IT staff. Legally, it's the board that is liable for any breach ' the same people who handle the most sensitive documents. If they think it's somebody else's problem, they won't learn what they need to know to exercise their responsibility.

Sound board training brings in the big guns on a regular basis. The trainer should be an outside consultant or an internal IT/IS leader. A knowledgeable member of the Audit or Risk committee could also lead the training. Furthermore, the training should be held at least twice a year, ideally every quarter. Tabletop exercises make for more frequent refreshers.

Present practices leave board members dangerously uninformed. Of respondents in the NSBA survey, 67% sit on boards that require no cybersecurity training at all. Such training was mandatory for only 12% of all respondents. Of those who do get training, 40% have received it only once ' ever. Sixty percent of those who get training get it only once a year.

9. Conduct a security audit.
A qualified professional should conduct a review of all board communications with cybersecurity in mind. She should create a report identifying any gaps in cybersecurity. The board should then construct and implement a detailed plan with deadlines by which each shortcoming will be remediated.

Here, too, ignorance competes with negligence as the deadliest sin. Forty-seven percent of respondents don't know if experts monitor their board communications. Of those who do know, only 17% report that an IT officer, an IS officer, a security team, a Risk Committee or an Audit Committee monitors the board's compliance.

10. Text only on custom apps with maximum security.
Phones come pre-loaded with texting software that is wholly unsecured. You may as well advertise your private business on a billboard at Grand Central Station. Secure texting services, however, do exist. All board members should be provided with such an app and required to use it if they use texting to discuss anything related to the board.

Enforcing this best practice is essential, as only 27% of respondents to the NSBA survey never use texting, and 19% use it regularly.