4 Questions School Board Members Should Ask During National Cybersecurity Awareness Month

Douglas Levin
Published on LinkedIn

Born in the 20th century, most school board members are not experts in issues of technology, much less cybersecurity. Nonetheless, they are charged with creating policy and performing oversight of schools that are growing increasingly reliant on 21st century technology for teaching, learning, assessment, and school operations.

The good news is that in most cases, school board members do not need to be technology experts to perform their policy development and oversight responsibilities. By focusing their work around a small set of key questions, board members–working in partnership with district administrators–can help to establish a culture of risk management that will position their school districts for success over the long term.

(1) How many significant cyber incidents has the district experienced in the last few years?
Districts have long managed and tried to protect school communities from online scams, viruses, and other malware. Whether the result of actions of district employees, students, or school vendors, the district that has not managed the response to an incident in recent years is far and away the exception. In fact, claims of absolute security (‘we’ve never had a data breach or cybersecurity incident’) should be met with considerable skepticism.

Related questions here include how district administrators monitor the frequency and severity of these incidents (processes and metrics), what their process for responding to incidents is, and how and under what circumstances the board should be made aware of incidents when they occur.

(2) How do we measure the sufficiency and effectiveness of our district’s cybersecurity program?
Perhaps the most important question facing board members is how to ensure that district administrators are appropriately managing school cybersecurity risks. This is a question of liability (districts have been sued for negligent security practices), as well as legal compliance under federal and state privacy and data breach laws.

Which risks should be mitigated through policy, practice, and/or technology investments? For which risks should insurance coverage be sought? Which risks can be accepted? Has the school district adopted and implemented a cybersecurity risk management framework? Does the district benchmark its practices against other districts? Does the district subject itself to regular third-party, independent security evaluations?

School board members should anticipate that when their district experiences a significant data breach or cybersecurity incident, school community members, state agencies and law enforcement, insurance providers, and the media all will come seeking a public answer to this question.

(3) How much of our IT budget is being spent on cybersecurity-related activities and risk management?
The point of this question is not to suggest that there is a magic dollar figure or percentage of a school IT budget that should be spent on cybersecurity-related activities as evidence of good practice. Instead, it is to suggest that–as part of their fiduciary oversight of school districts–board members should be able to crosswalk cybersecurity risk mitigation strategies to budget expenditures. Districts often seek to maximize technology budgets in ways that can obscure the total cost of ownership of initiatives within and across budget categories (hardware, software, infrastructure, maintenance, support, training/professional development, breakage/obsolescence).
In order to ensure that cybersecurity risk mitigation strategies are being carried out, board members should be able to identify those expenditures (and FTEs) in the district budget and to track them over time. In this way, board members can help ensure that their district’s risk mitigation strategies are sufficient or garner the data they need to re-allocate (or seek out) additional investments.

(4) What metrics do we use to evaluate cybersecurity awareness across the district?
While the district’s IT department has a key role to play in providing input into district policies and implementing technical cybersecurity controls, everyone associated with the district has a role to play in keeping IT assets and sensitive data safe. In fact, board members would do well to view cybersecurity risk prevention as similar to issues of school health and wellness, such as vaccinations or even hand-washing. All it takes is for one member of the school community to make a mistake–click on a phishing link, download a malicious file, or lose control of a sensitive file–and the security of the district could be placed at risk. As such, the district should have an education and awareness program in place (including by providing cybersecurity training to school board members themselves) and board members should know how the district is assessing its effectiveness over time.

If these issues are not already on your board's agenda, National Cybersecurity Awareness Month (NCSAM) is the perfect time to tee up this conversation with district administrators (or for district administrators to bring this to their board).
For more information and resources about school cybersecurity issues, be sure to visit the K-12 Cybersecurity Resource Center at: https://k12cybersecure.com/