Cybersecurity awareness for governors

Why cybersecurity matters to school boards

In this blog, Secure Schools Lead Socio-Technical Auditor and School Governor Paul Armstrong outlines the role of school governors in their schools' cybersecurity. Our newly released School Board Awareness Training expands on his guidance, explaining the threats schools face and practical steps to improve resilience. 

An ongoing threat

Schools remain prime targets for malicious activity in an increasingly sophisticated cyber threat era, and school boards are uniquely positioned to influence the cybersecurity posture of their institutions. While IT teams and school leaders handle day-to-day operations, the responsibility for governance, strategy, and resource allocation lies with the board.

Cybercriminals target schools because they hold vast amounts of sensitive information, including staff, children, and families' personal data, financial records, and safeguarding details. In addition, schools are perceived as vulnerable due to limited budgets, varying levels of digital expertise and well-meaning staff.

Government guidance

Australia's Signals Directorate does not offer specific guidance for schools, but it provides general advice in a Questions for Boards to Ask About Cyber Security resource. 

New Zealand's National Cyber Security Centre recently launched its Cyber Security Framework. The Guide and Govern section introduces key governance points. 

Impacts of a cyber-attack

A successful attack can be devastating for a school and take months to recover from fully. 

• Financial losses
  Recovery costs from cyber-attacks are substantial and rising. Costs to schools aren't documented, but in 2024, the average cost to a medium-sized business is almost $63,000, with schools being much more complicated organisations that use many more devices and systems.
  
  
• Operational disruption
  Cyber-attacks can impact whole school operations, block access to digital systems and their critical data, lead to school closures, and jeopardise student safety.
  
  
• Reputational damage
  A cyber-attack can significantly diminish parents' and the community's confidence in a school's ability to protect its students.

School boards aren’t expected to be cybersecurity experts but must hold school leadership accountable. This is done by understanding the cybersecurity expectations placed on schools and the key questions to ask.

1. Understand the threats
   Recognise why schools are targeted and the potential consequences of cyber incidents.
   
   
2. Identify vulnerabilities
   Understand the common weaknesses cybercriminals exploit in schools.
   
   
3. Oversee risk assessments
   Gain the skills to assess and review cyber risks, ensuring they are adequately managed and recorded.
   
   
4. Implement best practices
   Develop and formalise robust cybersecurity policies and foster a culture of vigilance among staff and students.
   
   
5. Prepare for incidents
   Understand how best to prepare and recover for a cyber incident and the reporting requirements and legislation.
   
   

Key questions to ask
As school board members, it is essential to be actively involved in cybersecurity oversight, ensuring adequate resources are allocated and policies are implemented effectively. Asking the right questions is essential.

Here is a selection of questions from our school board training.

1. Understanding your school or school group

This is essential for making informed decisions, planning for the future, and ensuring that the IT infrastructure effectively supports the school.

Questions you could ask

• What are the most significant cybersecurity risks facing our school or group, and how are they being assessed and managed?
• Has an independent cybersecurity risk assessment been carried out?
• Does the school maintain a record of the various organisations that supply its IT services?

Questions you could ask

• How is cybersecurity awareness being promoted among staff and students?
• What training is provided to staff and students on common cybersecurity threats?

Questions you could ask

• What is our incident response plan in the event of a cybersecurity breach?
• How often do we conduct drills to ensure everyone knows their role in an incident?

A new standard for cybersecurity governance

We’re calling on school boards to take the lead in safeguarding their schools and creating an environment where students, staff, and parents can thrive.

Let’s secure our schools and the future together.

About the Secure Schools School Board Awareness Training

Our School Board Awareness Training ensures school governors are knowledgeable, compliant, and ready to implement the latest expectations in just over 20 minutes.

If you are a Secure Schools platform customer, the training is available on your platform now. If you are not a customer and would like to find out more or see a demonstration, click the link below, and we will contact you.

Find out more about the training

🎬 Secure Schools Cybersecurity for Governors event

Paul Armstrong delivered this webinar on our free cybersecurity community.

Watch the recording to learn.

➡️ The cybersecurity responsibilities placed on  school boards

➡️ The cybersecurity requirements placed on schools
➡️ The questions to ask school and group leaders
➡️ The questions to ask IT support teams

➡️ The need for a strong cybersecurity culture

Click the image to watch the recording and access the presentation slides.

About the Secure Schools Cybersecurity Community

At Secure Schools, we aim to make cybersecurity accessible to as many schools as possible. One way we are doing this is through our cybersecurity community.

Join to

📅 Sign up for free webinars and events

💬 Ask questions of our cybersecurity experts

💕 Share experiences with other community members

🆓 Download free resources to help your cyber resilience

🆕 Hear about our latest product and service releases

Click the image to join