How technology can help school boards manage data access and mitigate risks
How common are school district data mishaps? Since we published this post on school data risk and access, a nurse at a district in Texas inadvertently sent vaccination status information to over 200 parents without blind-copying the recipients, exposing students’ medical status to strangers. Meanwhile, schools in Pinal County, Arizona, suffered a ransomware attack on their payroll system, disrupting the scheduled pay for thousands of staff.
In both cases, the initial loss or misuse of data is just the beginning of legal and public relations headaches the school leadership will face. Accidents and crimes like these are happening now — today — and no school or school district is immune. Just take one look at the K-12 Cyber Incident Map, which tracks events across the United States and offers insight into the breadth and scope of the consequences of data mismanagement.
Data is a cornerstone of successful school performance, which makes data governance a priority for school leadership teams. Every school board should be concerned and ready to take action to protect school data and the people who would be most harmed by its misuse.
Fortunately, the right technology tools can help.
How schools can take action against cyber risk
With data as a necessary underpinning of modern schools, the risks of its exposure have only increased. Yes, cybercriminals are getting more sophisticated, but many incidents, like the medical record example above, are the result of simple human error. Whether nefarious or unintentional, data breaches can be minimized and risks mitigated when school boards take key steps to better manage data access.
Stay aware of cybercrime trends and threats. Cybercriminals are not necessarily using the same techniques from five or even two years ago. Social engineering — when perpetrators gain the trust of victims through impersonation and other techniques — plays on the emotions of staff and students.
Cisco describes it this way: “Social engineering is all about the psychology of persuasion: It targets the mind like [a] con man.” Examples might include an email or text persuasively masked as an official work message, which asks the recipient to visit a site and enter login credentials. Many times, the messages convey urgency or implied negative consequences, so busy employees or board members feel pressured to act.
These targeted attacks happen at the individual level, with many individuals targeted at home or through personal channels — which is why educating staff to be cautious of all unexpected activity benefits everyone. Districts can maintain a central repository of updated cybersecurity resources for staff and trustees through their board management portal.
Reduce the risk of insider threats. Large-scale leaks are usually tied to external parties, but smaller exposures caused by error or by frustrated employees or students can also do significant harm to a district’s reputation and people.
Limit data permissions to the information that individuals absolutely need to do their work. Role-based security in your board management software differentiates between the appropriate levels of access for board members, administrators, project teams, staff, committees, the public and others. Limiting access to what’s necessary not only protects schools but also helps individuals avoid costly, embarrassing and harmful mistakes.
Ensure your district is staying on the right side of confidentiality regulations. School districts are bound by federal laws, but many states are taking a new look at consumer data protections. While about 11 states have passed consumer data privacy laws, many others are considering similar laws. Understanding which laws apply, which may take effect in coming months or years, and which are being discussed at the legislative level is important for administrators and the boards that budget resources to support compliance. Administrators can share regulatory news updates with the board via modern board management software, such as Diligent Community.
Prioritize resources needed to maintain data integrity. Finding budget dollars for the entire IT wish list is difficult if not impossible, but resources related to legal compliance and data safety should be at the top of fulfillment priorities. Look for tools that are multitaskers — applications with built-in security that give education leaders the functionality they need without the risk of exposure.
Also, look to the cloud for tools that the board and staff share. In the aftermath of a ransomware attack in early 2023, Lisa Irey, Director of Technology & Printing Services for the Des Moines Public Schools, described changes to the district’s IT environment, noting that they are focusing on “offloading risk.” She added: “If there is an option to move one of our critical application systems to a vendor, we’re taking it.”
Restrict use of insecure platforms — but also provide alternatives. Since the early days of USB flash drives, IT policies have tried to limit individuals’ use of the technology to minimize the likelihood of malware being introduced to a computer or network. (For the record, USB drives are still a threat.) However, limiting a useful tool without providing another option frustrates employees and encourages them to find unauthorized workarounds.
Ensure your IT team is charged with providing robust alternatives that the whole board can use. This can include the board management portal, which includes secure file-sharing, internal notifications, document repositories and more.
How Diligent Community can help
Many of the issues boards face around data management can be helped with board management software. Consider some of Diligent Community’s key features and how they could support your board’s and district’s cybersecurity:
- In-app role-based security: With Diligent Community, districts have the ability to set different levels of privacy to protect information shared only with board members, specific groups or anyone with authorized access.
- Logging and auditing: Diligent Community keeps audit records encompassing login history and application-level document-sharing audit trails, available upon request.
- Secure data hosting: Diligent Community is hosted in Microsoft Azure with all the protections afforded by a top-tier cloud provider, with secure servers and 256-bit encryption, the strongest currently available.
- Daily backups: Minimize the risks related to data loss or exposure.
Additionally, users can access 24/7 technical support. Cybersecurity is a team effort, and the board should never need to face it alone.
We at Diligent understand that board management software has a key role to play in helping to manage authorized data access, keep sensitive data secure and prevent cyberattacks. We’ve designed Diligent Community to support school boards in reaching and maintaining smart data governance. Let us know how we can support you.