Cyber Security Is a Board Governance Issue - Not Just an IT Problem

Stuart Dillon-Roberts —

Cyber security is no longer a technical issue delegated solely to IT teams or external providers. For schools, it is a core governance risk that sits alongside health and safety, financial stewardship, and student wellbeing.

School boards are not expected to manage firewalls or monitor systems day to day. However, they are responsible for governance oversight: ensuring that cyber risks are understood, prioritised, and appropriately managed (ref 1).

Why cyber security matters for boards

Schools hold large volumes of sensitive information: student and whānau data, staff records, payroll information, wellbeing notes, and community communications. At the same time, schools are increasingly reliant on digital platforms to operate and engage their communities. Internationally, education is one of the most targeted sectors for cyber incidents.

The reasons are simple: valuable personal data, limited resources, and complex ecosystems of third-party suppliers.

Compounding this risk is the reality that some education technology providers operate outdated systems and demonstrate poor data governance practices — creating exposure for schools well beyond their direct control.

From a governance perspective, cyber incidents can result in disruption to learning and school operations, privacy breaches involving students and staff, reputational damage within the community, regulatory and reporting obligations, and loss of trust in systems and providers. These impacts sit squarely within a board’s risk oversight mandate.

What “board responsibility” really means

It is important to be clear: boards are not responsible for implementing cyber controls. That responsibility sits with management and technology providers.

Boards are responsible for:

  • Ensuring cyber security is recognised as a material organisational risk and that appropriate mitigation strategies are in place (for example, using independently assessed providers such as those aligned with ST4S).

  • Setting expectations through policy and resourcing.

  • Seeking assurance that controls are in place and effective.

  • Understanding how incidents would be managed if they occur.

This approach aligns with guidance from organisations such as the Institute of Directors and the Ministry of Education, which consistently position cyber security as a governance issue rather than a purely technical one (ref 2).

Questions boards should be asking.

Boards do not need technical reports. They need clear answers to practical questions. The following six questions provide a basic framework for boards to assess the school's cyber security posture:

  1. What are our most likely cyber risk scenarios, and what would the impact be?

  2. Do staff and administrators use strong authentication, such as multi-factor authentication?

  3. Are backups in place, tested, and recoverable within an acceptable timeframe?

  4. Do we have a clear incident response plan for the first 24–48 hours?

  5. How do we assess and select digital vendors that handle school data?

  6. What independent assurance do we rely on when evaluating suppliers?

If these questions cannot be answered confidently, that is a signal for further work — not a failure.

Hang on - we use SchoolDocs - isn't this covered?

Many New Zealand schools already have a formal cyber security policy in place, commonly through SchoolDocs, which provides boards with a solid policy framework. However, having a policy is only the starting point. Boards also need assurance that the policy is being implemented effectively and that cyber risks are being actively managed in practice. The six board questions above are designed to complement existing policies by translating policy requirements into practical oversight — helping boards move from policy compliance to evidence-based assurance.

Turning governance into action - we want to help.

To support this, we have created a School Cyber Security Board Question Sheet that lists the six questions above and provides example responses for assessing the security posture of the school.

👉️ Question Sheet can be found at the end of the article.

How to use these questions:

  • Review the attached Cyber Security Board Questions.

  • Ask the school to complete these questions with reference to the information provided.

  • Assess the responses, identify any gaps, and agree remedial actions.

  • Add the results to the risk register.

  • Repeat annually.

We aim to provide a practical way to understand key risks, test preparedness, and strengthen confidence in how cyber security is being managed across the school.

Why independent assurance matters.

One of the challenges for boards is knowing who to trust.

Schools rely on a wide range of digital service providers, many of whom handle sensitive student and staff data. Independent assurance frameworks help boards move beyond vendor self-attestation and provide confidence that suppliers meet sector-appropriate expectations.

  • The Safer Technologies 4 Schools (ST4S) program is used across Australia and New Zealand to evaluate digital products used in schools. ST4S focuses on areas boards care about, including data protection and privacy practices, cyber security controls, online safety considerations, and transparency.

  • Alongside this, the Aotearoa EdTech Data Privacy Pledge provides a sector-led commitment by education technology providers to strong privacy, responsible data use, and alignment with education-specific expectations. For many providers, the Privacy Pledge acts as a gateway or stepping stone toward ST4S assessment. More information here.

For boards, the presence of ST4S assessment and/or the EdTech Data Privacy Pledge provides a practical and credible assurance signal when evaluating third-party providers — particularly during procurement, contract renewal, and risk review discussions.

Final thought

Cyber security is no longer optional, and it is no longer “just an IT issue.” For schools, it is a governance responsibility that requires informed oversight, trusted partners, and clear assurance.

Author: Stuart Dillon-Roberts, Founder of Hail and Careerwise. stuart@hail.to

Stuart is a cyber security and privacy specialist with international experience leading security teams and delivering ISO/IEC 27000 aligned services. Across his career, Stuart has worked closely with organisations responding to real-world cyber incidents and data breaches, bringing practical, governance-focused insight into cyber crime, risk management, and resilience in education settings.

At Hail, we see our role as supporting schools — and their boards — to communicate confidently, securely, and responsibly in an increasingly complex digital world. Hail and Careerwise leads the way in security and privacy. Hail information here.

Resources and References.

These resources reflect current best practice in school cyber security governance and are intended to support boards in understanding their oversight role and third-party risk responsibilities.

New Zealand governance and education guidance

International education and cyber risk context

Supplier assurance and third-party risk

Ministry of Education
Cyber security and digital safety guidance for schools

https://www.education.govt.nz/education-professionals/schools-year-0-13/digital-technology

UK National Cyber Security Centre (NCSC)
Cyber security guidance for boards and senior leaders

https://www.ncsc.gov.uk/collection/board-toolkit

Safer Technologies 4 Schools (ST4S)
Independent assessment framework for digital products used in schools

https://st4s.edu.au/

Office of the Privacy Commissioner
Privacy breaches, incident response, and notification obligations

https://www.privacy.org.nz/

UK Department for Science, Innovation and Technology
Cyber Security Breaches Survey 2025 – Education sector findings

https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025

EdTechNZ
Aotearoa EdTech Data Privacy Pledge – a sector commitment demonstrating alignment with strong privacy, data protection, and ST4S principles

https://edtechnz.org.nz/the-aotearoa-edtech-data-privacy-pledge-your-gateway-to-st4s/

Institute of Directors (IoD NZ)
Cyber risk governance and board-level responsibility

https://www.iod.org.nz/#/

Center for Internet Security
K–12 education cyber incident reporting and trends

https://www.cisecurity.org/

References in the article:

  1. IOD Cyber Security Guide 2025. Link Here.

  2. Ministry of Education: Creating a Cyber Security Policy and Roles and Responsibilities. Link Here.