Most school boards still treat cybersecurity like an IT line item.
That’s the mistake.
The National Institute of Standards and Technology (NIST) defines cyber risk as the potential for operational, financial, and reputational harm.
In plain terms: when systems go down, school stops. And when school stops, parents get angry, board members get fired and the school’s image goes down the drain as well as any more funding.
A few things I see misunderstood over and over:
1. “We’re not a big target.”
Threat actors don’t care how big a district is. They care how easy it is.
Schools have valuable data, lots of users, and thin margins for downtime. That’s the formula.
And every hacker knows (as most every hacker went to school) that school networks aren’t traditionally the most secure, especially the public sector.
The fact is, the education sector ranks as the fifth most targeted industry for security breaches in the United States.
2. “We passed an audit.”
Audits check boxes.
Checked boxes don’t stop zero days!
Cyber incidents exploit gaps between those boxes.
NIST treats security as continuous risk management — not something you “finish.”
3. “Our vendor handles that.”
Vendors provide tools.
Any IT professional knows that base vendor tools aren’t full-proof but rather pretty basic and usually extremely lacking when it comes to security.
Boards own risk.
When student data is breached or payroll is locked up, no one asks which vendor failed — they ask who was responsible.
That’s the board! The one who decided which vendor to hire.
4. “This is too technical for the board.”
Boards don’t need to understand firewalls.
They do need to understand:
- What happens if systems go down tomorrow
- How long recovery would take
- What learning, safety, and trust are impacted
That’s governance, not IT.
Cybersecurity isn’t about servers.
It’s about whether a school can operate, pay staff, protect students, and communicate with parents when something breaks.
I’ve spent countless hours reading and writing policies for organizations and not only is it the policy that is the issue, but rather the enforcement of policy.
If that conversation isn’t happening at the board table, the risk is already higher than most realize…
Ben Garcia
Ben Garcia is a Louisiana-based cybersecurity and resilience leader focused on protecting schools, healthcare organizations, and public institutions from modern digital and physical threats. He is the founder of Pelican Cybersecurity, where he works at the intersection of cybersecurity, AI-driven safety systems, and disaster readiness. With over 10 years of relevant experience and a deep understanding of Gulf Coast risk environments—Ben helps organizations strengthen security, maintain compliance, and remain operational during cyber incidents, storms, and emergencies. His work emphasizes proactive protection, continuity planning, and responsible use of advanced technology to support safe learning and care environments.