Skip to main content

Cyber safety begins with the Board

The past 12 months has seen an uptake in digital technology like never before across all industries.  The COVID-19 pandemic required us all to find new ways of going about our professional and personal lives, and this has often meant embracing online ways of teaching, working, spending, and connecting.

Unfortunately, our increased use of online technology has been accompanied by a rise in cybercrime. The number of online scams continues to increase as criminals prey on our worries, our fears and our often time-poor, stressed employees. This means good cyber hygiene is critical to ensure your teams, your students and your school does not fall victim to these fraudulent schemes.

Julienne Price, CommBank’s Executive ManagerSchools, Not-for-Profits and Women in Focus, shares her thoughts on the steps school boards could be taking when it comes to cyber-security and safety.

What needs protecting?

The school environment is often large and complex, and this means cyber-safety needs to be considered from a variety of angles, such as the security of the school and its infrastructure, as well as the need to advocate for and support secure online behaviours by your teachers, staff and students.

A good place to start is to understand what you want to protect and why. This will usually involve an audit of your current technology and systems, your procedures and processes, as well as the training programs you have in place for your staff and students.

Risk Analysis and Mitigation

Once you have identified what needs protecting, the next step is to review the priority of the risks that have been identified. Not every item on your list will need the same level of attention.

Once you are clear on the key priority areas for your school, you can then start addressing what needs to change, to mitigate the identified risks. Generally, risk mitigations fall into three broad categories:

Technology-based risk controls

Your technical solutions, for example, Wi-Fi passwords, firewalls, and blocking access to dangerous/inappropriate websites.

When looking at your technology-based risks you might, as a Board, decide to seek specialist advice from external parties, or from well-informed internal parties (such as your IT department) about the suitability and efficacy of technical controls currently in place, as well as additional controls that may be appropriate. You might find the Federal Government’s Essential Eight of use when looking at this area.

Process-based risk controls

These include the business operating procedures for your school, and your school policies. For example, check invoice details before making payments, and ensuring only certain staff have access to sensitive systems and information.

As a Board, it is important that you review your school’s administration processes, especially around payments and data handling. While this review will include the security of your financial data, it is just as important to develop an understanding of the processes and policies you have in place for handling the personal data of your students and staff.

In addition, review your school’s policies on the safe use of technology by staff and students. Some questions that you may consider are:

  • What rules do we currently have in place?
  • Are they enforceable?
  • What are the consequences of breaching policies?
  • Have policy breaches happened in the past and what were the outcomes?

People-based risk controls

These focus on the training and culture of everyone in your school: whether staff are encouraged to speak up about cyber-security risks; and whether you are providing staff and students with cyber-security training and cyber safety skills.

As a board member, you play a vital role in defining not only your school’s culture but also the importance that is placed on cyber-security as well as adherence to internal processes and procedures.

Consider the following questions when reflecting on your school's people-based risk controls:

  • Is cyber-security and safety given appropriate focus by teachers?
  • Is cyber-security and safety part of your school’s curriculum?
  • Is your school leveraging free resources available to uplift your cyber safety culture?

Tools and Resources

There are free resources available to help you, your fellow school board members, your teachers, and your students to stay safe online including:

It is important to remember that it is easy to feel overwhelmed and under-equipped when it comes to assessing and proactively dealing with the many cyber risks your school is likely to face. However, this should not dissuade you from engaging in this issue. Doing something, even if it is simply trying to understand all the things you don’t yet know, is better than doing nothing at all.

Julienne Price
Executive Manager Schools, Not-for-Profits and Women in Focus
Commonwealth Bank

Independent Schools Queensland Gold Plus Alliance Partner

Register for the Cyber Safety Begins with the Board Webinar

Cyber safety begins with the Board: Webinar

Today’s school environment is often large and complex, with an ever-growing use of online technology by teachers, administrative staff and students. With cyber crime on the rise, good cyber hygiene has become even more critical to help ensure the safety of your school, your people and your infrastructure.

Join us for this one-hour webinar as Theo Anton, Information Security Manager from CommBank’s Cyber Education Assessment & Protection Team, shares his thoughts and insights on some high-level cyber security concepts. Topics we’ll be exploring include:

  • Understanding the confidentiality, integrity and availability triad
  • Exploring the overlap of technical, process and people-based controls
  • Highlighting sources of government cyber security guidance
  • Questions to consider when it comes to understanding your school’s risk posture
  • The importance of embedding cyber security and safety as part of your school’s curriculum.


Date: Tuesday, 27 July 2021
Time: 1.00–2.00pm (AEST)

Register Now 

Regulatory Update: Director Identification Numbers

School boards incorporated under the Corporations Act 2001 or the Corporations (Aboriginal and Torres Strait Islander) Act 2006 should note the upcoming introduction of the Director Identification Number (DIN).

The Commonwealth has introduced the Treasury Laws Amendment (Registries Modernisation and Other Measures) Act 2020 which is designed to centralise 32 different Australian business registers into a single platform administered by the ATO. The Act introduces a requirement for all current and future directors of Australian corporations to apply for and permanently hold their own unique DIN.

The Act aims to increase director accountability and traceability, limiting the potential for fraudulent activity and 'phoenixing' where directors wind up a company to avoid paying liabilities only to incorporate a new company to carry on substantially the same business. It will also prevent the use of fictitious identities. It is anticipated that the public will be able to search the registry and view a director's profile, including any prior relationships with corporations.

The application date, procedures and identity documents required to obtain a DIN are expected to be set out in the coming months. It is likely that directors and alternate directors of Australian corporations will need to obtain a DIN during 2022.

School boards can expect communication by the ACNC to advise once action needs to be taken.

Elevating stakeholder voices to the board

A growing trend in board governance is the engagement of stakeholders at the board level.

Within schools, boards generally appreciate the importance of key stakeholders such as parents, staff and students, and engagement with these groups has traditionally been led by the principal and executive team, with regular updates of engagement provided in board papers.

While this provides the board with a structured stakeholder engagement reporting system, is there value to be gained from school boards directly engaging with these groups?

Module 10 of the ISQ School Governance Course engages boards with the question of stakeholder engagement. The Australian Institute of Company Directors’ (AICD) “Guide to effective governance – elevating stakeholder voices to the board”, outlines the benefits of an approach to direct engagement. It increases the levels of interaction, providing an opportunity for two-way dialogue. Overall, this supplies boards with additional insights into the school and its operations, resulting in a broader view of risk, improved decision-making, increased accountability, enhanced culture and an engendering of mutual trust and respect. 

Considering the potential benefits to schools surrounding stakeholder engagement, boards may like to consider a review of their engagement practices. The following 5-step model towards effective stakeholder governance is a useful tool for schools.

Step 1: Identify and prioritise stakeholders

While schools have a range of stakeholders, parents, staff and students are arguably on top of the list. If a board is considering enhancing its stakeholder engagement, these groups may be the most beneficial to prioritise.

Step 2: Develop a written stakeholder engagement framework

Activities may include:

  • holding a board planning meeting to develop an overarching vision for stakeholder engagement
  • tasking a board or staff member to draft a stakeholder engagement policy
  • consulting with stakeholders and senior management when drafting the policy
  • presenting the policy to the board for discussion and approval.

Step 3: Implement stakeholder engagement policy

Activities may include:

  • formation of a board committee focusing on stakeholder engagement. Membership may include the P&F and SRC presidents. This committee may coordinate activities such as:
    • conducting one-on-one interviews or holding focus groups
    • written questionnaires or surveys
    • online polling
    • social media monitoring to identifying social and forum mentions
    • undertaking a deep dive into unexpected feedback results.
  • General board activities such as:
    • providing opportunities for informal conversations between board members, parents, staff and students
    • stakeholder engagement training as part of new board member induction.

Step 4: Consider stakeholder voices as part of the board’s decision-making process


  • involving parents in the board’s strategic planning sessions
  • including a stakeholder consultation process in major decisions such as:
    • an invitation to parents and/or students for written submissions
    • holding round-table discussions with stakeholders
    • survey to all stakeholders.
  • ensuring commentary within board papers regarding the alignment of a proposed decision with parent and/or student views
  • reporting back to the P&F and SRC, or for larger matters through school community meetings, following important decisions
  • giving stakeholders the opportunity to ask questions following a decision.

Step 5: Monitor and evaluate the ongoing effectiveness of the board’s role in engagement


  • engaging an external party to undertake a review, providing a baseline from which future performance can be measured
  • developing KPIs to monitor initial and ongoing performance. They may include:
    • stakeholder survey results
    • customer satisfaction scores (satisfaction after interaction)
    • net promoter scores (likelihood of a positive recommendation)
    • aggregate data on complaints received
    • customer effort score (effort required by customers to get their problem solved)
    • customer retention rate
    • rate of customer turnover
    • aggregate data on exit interview results.

For school boards considering enhancing their stakeholder engagement, in addition to the 5-step model, ISQ can provide a number of templates including a stakeholder communication policy, stakeholder mapping tools and stakeholder engagement evaluation documents.

Board members can also undertake ISQ’s School Governance Course. Module 10: Stakeholder Engagement and Networking further explores the stakeholder engagement process.

Advertise board vacancies

Every issue of ISQ's Your Guide to Good Governance is read by hundreds of school board members, each one of them with their own personal and professional networks. Boards may now submit their board member vacancies to ISQ to be published in the next edition of this newsletter. Readers will be encouraged to share this information with people in their networks who may be interested in taking up such an important role.

To submit your board vacancy details, please use this form.

Board Chair Interview

Kevin Gordon

Chair, Calvary Christian College
On the board since 2020  |  Chair since 2020


On a personal level, I am excited about the way our youngest daughter has grown in confidence since she joined Calvary. More generally, I love the fact that Calvary is fearlessly authentic with a focus on educating the whole child, helping each one to unleash their potential and become confident young adults who are secure in God's love for them. I believe innovative learning design is a Calvary distinctive and we have two spacious campuses for our community of life-long learners who are led by a highly capable and committed leadership team.


My daughters attended an independent school in the UK which closed in 2012 due to insolvency. This came out of the blue for us as parents and it was this shock that galvanised me to volunteer my corporate finance and governance experience to prevent this from happening again. I joined the board of my daughters' new school in 2014 and have been involved in school governance since then. I was honoured to be asked to join the Calvary Christian College Council and then assume the Chair, after completing my term on another board in May 2020.


An effective board is one where every member comes to meetings prepared and contributes; where opinions are heard and conversations are respectful; where there is a clear distinction between governance and operations, including regarding governors who are also parents; where a skills and diversity matrix is used to recruit new board members; and where board members want to be there because they have bought into the mission of their organisation.


Whether they are an experienced director or not, it is always useful for new school board members to have a more experienced director as a mentor. They should also engage deeply in the board's induction program. First-time directors should spend enough time learning what the role entails. This can be done through professional reading or engaging in ISQ's School Governance Course.


Given my background, I believe that financial sustainability should permanently be high on any board's agenda. Existing and increasing risks in the child protection and cybersecurity space need to be closely monitored. Culture starts at the top and boards should keep an eye on it constantly. They also need to spend sufficient time thinking strategically and developing plans for business continuity, including plans for succession on board and executive levels. School boards should monitor their school’s learning outcomes (both academic and personal development for each child) and keep up to date on developments impacting the sector as a whole, such as the proposed new Australian Curriculum.

Back to top