Online only: Is Your School Board Increasing Your District’s Cyber Risk?

Insights from the 2018 NSBA Cyber Risk Report, School Board Communication at Risk

Today every business and organization faces risks from cyber-attacks.  Schools hold a special appeal for hackers as a school database often contains highly sensitive information on students which fetch high prices on the black market as identify theft from children is far less likely to be discovered, sometimes for many years.  Unfortunately, school board communications can be used by cyber criminals as a gateway to access the sensitive information held by our schools. To assess the current state of cyber security among America’s school districts, in July 2017 the National School Boards Association (NSBA) conducted a nationwide survey; there were 482 respondents with a representative distribution both geographically and among district size.

The findings clearly demonstrate that school boards must take additional steps to protect their board communications from cyber-attack.  And, while there are no fool proof methods to stop cybercrime, there are a number of easy to implement practices that can significantly reduce risk.  This report summarizes the key findings from the survey, provides observations on the significance of the findings and includes some suggested action steps for school boards to improve communication practices.

Should Cybersecurity be a Concern for School Boards? 

The term “cybercrime” might conjure up images of a shadowy group of ‘hacktivists’ attacking those in power, both to showcase their hacking prowess as well as making a political statement.  But cybercrime these days tends to be far more mundane: focusing on easy targets whose cybersecurity defenses are the weakest, and who are the most likely to pay ransom in BitCoin, the value of which has exploded in recent years. 

The survey suggests school officials are less prepared for cyberattack than private-sector companies, though both face formidable threats. The NSBA survey parallels a report called “The Price of Convenience,” a survey of 381 directors of U.S. companies, completed in early 2017 by NYSE Governance Services and Diligent, which showed private company boards to be similarly underprepared. The threat, however, extends beyond the private sector.  According to Dottie Schindlinger, vice president and Governance Technology Evangelist, who collaborated on the “Price of Convenience” report, “At the end of the day, organizations with leaders that don’t have at least a good foundational understanding of cybersecurity are the most at risk. An easy way to gage a school’s preparedness to handle a cyberattack is to look at their board minutes to see if the topic has come up – if it’s never on the board’s agenda, it likely indicates cybersecurity isn’t a high priority for the school, and they are at greater risk.”

Cybercrime is big business, with ransomware alone generating over $5 billion in damages last year, according to CSO Online – the leading magazine covering cybersecurity issues.  It’s true that many criminals target high-level executives of big companies, such as former US Secretary of State and Salesforce board member, Colin Powell, whose personal email account was hacked and a document containing the company’s M&A strategy was leaked to the Wall Street Journal, negatively impacting share price. Yet, many hacking attempts are far more random – according to Symantec’s 2017 Internet Security Threat Report, one in every 131 emails is malicious, and masses of ransomware-laden emails are blanketing organizations and individuals with the least cybersecurity prowess.  The ransom demand is often a relatively small amount averaging about $1,000 (CSO Online), and smaller organizations are more likely to pay to make the nuisance go away.  But paying the ransom only makes the victim more vulnerable to future attacks – partly because once their systems are infected, they are likely to remain so until they are professionally scrubbed or replaced entirely.  With cybercrime damages on pace to hit $6 trillion annually by 2021 (CSO Online), clearly this problem isn’t going away anytime soon.

What Is Ransomware, Anyway?

According to CSO Online, “Ransomware is a form of malicious software (or malware) that, once it's taken over your computer, threatens you with harm, usually by denying you access to your data. The attacker demands a ransom from the victim, promising — not always truthfully — to restore access to the data upon payment.”

Are Schools Really at Risk of Cybercrime?

In October 2017, the US Department of Education warned that cybercriminals were extorting schools for ransom to avoid making stolen student records public.  In the foreseeable future, such attacks could cost not only the ransom payers or the victims of identity theft, but also the district’s leaders themselves – including school board members. Recent EU legislation (General Data Protection Regulation, or GDPR) holds financially and legally responsible any entity that compromises the privacy of EU citizen data with fines of €20 million, or 4% of annual revenue – whichever is greater.  This includes potential direct legal action against directors and officers of these entities. GDPR is considered a high-water mark for data protection legislation, and is actively being considered for replication in the US.  Similar rules now exist in a few US jurisdictions, including recent rulings in New York State by the Department of Financial Services (NYDFS) holding financial service directors (and the vendors who provide services to them) liable for cybersecurity breaches.  Meanwhile, rules taking effect in other states including Virginia and Georgia now include mandatory breach notification in as little as one week after an event is first discovered.  Considering the severity and frequency of the hacks that took place in 2017, additional legislation targeting organizational leadership is expected.

Schools need cyber-protection every bit as much as their for-profit peers.  Small budgets and an educational mission offer no protection. Rather, the schools that are the least prepared are the most likely to become prime targets precisely because of the ease of breaching their defenses. 

The survey sought to determine school boards’ level of preparedness and awareness to handle these challenges.  Below, are the key findings along with observations on the significance of the data and suggested action items for school boards’ consideration.

In September 2017, NSBA – with sponsorship by BoardDocs – surveyed over 480 public school board members to determine how, in this digital age, boards see to the safeguarding of their communications, all the while ensuring a high level of effectiveness.  Below are some of the key findings from the report.

Communication Methods

  • 79% of board members report regularly using email as the primary communication method for board business, making it the second most common method of communication behind face-to-face meetings (81%).
  • Half of the respondents (50%) reported using board portals regularly, with an additional 11% who say they occasionally do so as well.


  • Since the move to digital, 81% of board members maintain they receive the right mix of summary highlights and accompanying detail from administration.
  • 38% of directors acknowledged it is common practice to download board books or company documents onto personal computers and devices, and 20% reported storing these materials onto personal or external drives.

Awareness and Control

  • 47% claimed being unaware of any security audit having been conducted on their board’s communications practices.
  • Two-thirds (62%) of board members reported not being required to undergo cybersecurity training.
  • 35% of the board members agreed the move to digital file sharing has increased the risk of improper handling of sensitive information.

Learn more about BoardDocs board management solutions at or email us at

This article brought to you by

Go to top