
Cybersecurity essentials for private schools

The 10 things every school must do to protect against ransomware and data breaches. Prioritized for limited IT teams and budgets.

Last updated: January 2025

The reality for schools

K-12 schools faced a 92% increase in ransomware attacks in 2024. The average cost of remediation is $3.7 million. Schools are targets because they have valuable data and often limited security resources. This guide prioritizes the essentials.

1. Multi-factor authentication everywhere

Priority: CRITICAL - Do this first

MFA stops most attacks that rely on a stolen password alone. If attackers obtain a password (through phishing, a breach at another site where it was reused, or guessing), they still cannot sign in without the second factor. It is not a cure-all: real-time phishing kits can relay a one-time code, and attackers will spam push notifications until a tired user taps Approve, so which second factor you use matters.

Where to enable MFA

  • Email (highest priority - this is how most breaches start)
  • Student Information System
  • HR and payroll systems
  • Financial systems
  • Network/infrastructure access
  • Any system with sensitive data

Implementation tips

  • Use authenticator apps (Microsoft Authenticator, Google Authenticator) rather than SMS, which can be intercepted through SIM swapping. Turn on number matching for push prompts where the app offers it, and give IT and business-office accounts a phishing-resistant method (FIDO2 security key or passkey) if your platform supports one
  • Provide training before rollout - staff will push back if surprised
  • Have backup codes or recovery options ready, and make the recovery path at least as strong as the MFA itself: a help desk that resets MFA for anyone who phones in is the first thing an attacker will try
  • Start with IT and admin staff, then roll out to all employees

Common objections (and responses)

"It's inconvenient." Less inconvenient than a ransomware attack that shuts down the school for two weeks.

"Our staff won't understand it." If they can use a smartphone, they can use MFA. Training helps.

"We don't have budget." Microsoft 365 and Google Workspace both include MFA at no extra cost. The feature is there - you need to enable it and then enforce it for every account, because an optional setting is one most people never turn on.

2. Backups that actually work

Priority: CRITICAL

Backups are your last line of defense against ransomware. If attackers encrypt your data, you can restore from backup instead of paying. But backups only work if they're done right.

The 3-2-1 rule

  • 3 copies of your data
  • 2 different storage types (e.g., disk and cloud)
  • 1 copy offsite or offline

Critical: Offline or immutable backups

Modern ransomware operators go looking for backups before they encrypt anything. If the backup server or repository is reachable from the production network and the attacker holds your domain admin password, they will delete or encrypt it first. Give the backup system its own admin credentials with MFA, and keep at least one copy that:

  • Is physically disconnected (tape, removable drive stored offsite), OR
  • Uses immutable storage (can't be modified or deleted for a set period)

Test your backups

A backup you haven't tested is a hope, not a backup. Quarterly, restore at least one critical system (the SIS, the file server, a staff laptop image) from backup, not just a single file. Verify:

  • Backups completed successfully
  • Data can actually be restored
  • Restoration time is acceptable
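Here is what a scripted version of that quarterly check can look like. This is an added example, not code from the page or from any backup product: it assumes a file-level backup with a SHA-256 manifest written alongside it (the manifest format and the helper names are this example's own), builds a tiny constructed backup set in a temporary directory, restores it, checks freshness, integrity and restore time, and then shows what the report looks like after ransomware has overwritten one file inside the backup.

```python
"""Scripted restore test for a file-level backup set (added example).

At backup time a manifest of SHA-256 digests is written next to the copied
files; at test time the set is restored into a scratch directory and checked
for freshness, integrity and restore time. Helper names, manifest layout and
the sample files are constructed for this demo, not taken from any product.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, backup_dir: Path) -> Path:
    """Copy `source` to backup_dir/data and record a manifest of digests."""
    data_dir = backup_dir / "data"
    shutil.copytree(source, data_dir)
    files = {
        p.relative_to(data_dir).as_posix(): sha256_file(p)
        for p in sorted(data_dir.rglob("*")) if p.is_file()
    }
    manifest_path = backup_dir / "manifest.json"
    manifest_path.write_text(json.dumps({"created": time.time(), "files": files}, indent=2))
    return manifest_path


def verify_restore(backup_dir: Path, max_age_hours: float = 24,
                   max_restore_seconds: float = 60) -> dict:
    """Answer the guide's three questions: did the backup complete recently,
    can the data be restored intact, and was the restore fast enough."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    fresh = (time.time() - manifest["created"]) <= max_age_hours * 3600

    with tempfile.TemporaryDirectory() as scratch:
        restore_dir = Path(scratch) / "restored"
        start = time.monotonic()
        shutil.copytree(backup_dir / "data", restore_dir)  # the actual restore
        elapsed = time.monotonic() - start
        # Compare every restored file with the digest recorded at backup time.
        bad = [rel for rel, digest in manifest["files"].items()
               if not (restore_dir / rel).is_file()
               or sha256_file(restore_dir / rel) != digest]

    return {
        "fresh": fresh,
        "restore_seconds": round(elapsed, 3),
        "fast_enough": elapsed <= max_restore_seconds,
        "missing_or_corrupt": bad,
        "ok": fresh and elapsed <= max_restore_seconds and not bad,
    }


def demo() -> tuple:
    """Build a constructed backup set, test it, then simulate ransomware
    overwriting one file inside the backup and test again."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "sis_export"
        source.mkdir()
        (source / "students.csv").write_text("id,name\n1,A. Student\n")   # constructed
        (source / "grades.csv").write_text("id,term,grade\n1,2025-1,B\n")  # constructed
        backup = Path(tmp) / "backup"
        make_backup(source, backup)

        healthy = verify_restore(backup)
        # Ransomware reaching a network-attached backup: grades.csv is now ciphertext.
        (backup / "data" / "grades.csv").write_bytes(b"\x00locked\x00")
        tampered = verify_restore(backup)
    return healthy, tampered


if __name__ == "__main__":
    for label, report in zip(("healthy", "tampered"), demo()):
        print(label, json.dumps(report))
```

Run it unattended on a schedule and page someone when "ok" is false; a restore test that only runs when somebody remembers is the one that gets skipped in the busy term.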

3. Staff security training

Priority: HIGH

Most successful attacks start with a human clicking something they shouldn't. Training reduces this risk.

What to cover

  • Recognizing phishing emails (check the real sender address, not just the display name; hover over links before clicking; be suspicious of urgency and of requests to change bank details)
  • Reporting suspicious emails (make it easy)
  • Password hygiene (don't reuse passwords)
  • Social engineering awareness
  • Safe handling of sensitive data

How to train effectively

  • Short sessions (about 30 minutes) every quarter, not an annual three-hour compliance video
  • Use real examples, especially attacks targeting schools
  • Phishing simulations to reinforce training
  • Make reporting easy and rewarded, not punished

4. Keep systems updated

Priority: HIGH

Many attacks exploit known vulnerabilities that have already been patched. If you're not updating, you're leaving the door open.

Automate where possible

  • Enable automatic updates for Windows, macOS and ChromeOS
  • Configure automatic updates for critical applications
  • Use a patch management tool if you have many devices

Prioritize critical patches

Not all updates are equal. Prioritize:

  • Security patches for internet-facing systems (firewalls, VPNs, email servers)
  • Patches for actively exploited vulnerabilities (check CISA's Known Exploited Vulnerabilities catalog)
  • Browser updates

Handle end-of-life systems

Systems that no longer receive security updates (Windows 7, older macOS versions, and Windows 10 after its end of support on October 14, 2025) are high risk. Plan to replace them; anything that must stay (lab instruments, door controllers, older printers) goes on its own network segment with no path to administrative systems.
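An added example (not from the page) of turning the priority rules above, including the end-of-life rule, into a ranking script. It assumes an inventory export with one row per pending update and the CVEs that update fixes, and matches those CVEs against CISA's Known Exploited Vulnerabilities feed. The KEV excerpt is a constructed, abbreviated sample that keeps only the two fields the script reads (the real feed has many more); the inventory rows and host names are constructed too. In practice, download the live JSON feed and export the inventory from your patch-management tool.

```python
"""Rank pending updates for a small fleet against CISA's KEV catalog
(added example, not from the page).

KEV_EXCERPT: constructed, abbreviated sample in the shape of the real feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json),
reduced to the two fields used here. INVENTORY: constructed sample rows.
"""
import json

KEV_EXCERPT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "knownRansomwareCampaignUse": "Known"},  # Log4Shell
    {"cveID": "CVE-2023-4966", "knownRansomwareCampaignUse": "Known"},   # Citrix Bleed
]})

# One row per pending update; 'cves' is what the vendor advisory says it fixes.
INVENTORY = [
    {"host": "vpn-gw", "update": "gateway firmware", "cves": ["CVE-2023-4966"],
     "internet_facing": True, "end_of_life": False, "category": "infrastructure"},
    {"host": "library-app", "update": "catalogue server (Log4j)", "cves": ["CVE-2021-44228"],
     "internet_facing": False, "end_of_life": False, "category": "server"},
    {"host": "staff-laptops", "update": "Chrome stable", "cves": [],
     "internet_facing": False, "end_of_life": False, "category": "browser"},
    {"host": "science-lab-pc", "update": "none available", "cves": [],
     "internet_facing": False, "end_of_life": True, "category": "workstation"},
    {"host": "copier-3f", "update": "printer firmware", "cves": [],
     "internet_facing": False, "end_of_life": False, "category": "iot"},
]


def load_kev(feed_json: str) -> dict:
    """Index the feed by CVE id so each inventory lookup is a dict hit."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def score(item: dict, kev: dict) -> tuple[int, list[str]]:
    """Higher score = patch sooner. The weights mirror the guide's order:
    actively exploited first, internet-facing next, then EOL and browsers."""
    points, reasons = 0, []
    hits = [c for c in item["cves"] if c in kev]
    if hits:
        points += 80
        reasons.append("in CISA KEV: " + ", ".join(hits))
        if any(kev[c].get("knownRansomwareCampaignUse") == "Known" for c in hits):
            points += 20
            reasons.append("used in ransomware campaigns")
    if item["internet_facing"]:
        points += 15
        reasons.append("internet-facing")
    if item["end_of_life"]:
        points += 10
        reasons.append("end-of-life: replace or isolate")
    if item["category"] == "browser":
        points += 5
        reasons.append("browser update")
    return points, reasons


def prioritize(inventory: list[dict], kev: dict) -> list[dict]:
    """Return the inventory ranked by score, highest first, with reasons."""
    ranked = []
    for item in inventory:
        points, reasons = score(item, kev)
        ranked.append({"host": item["host"], "update": item["update"],
                       "score": points, "reasons": reasons})
    return sorted(ranked, key=lambda r: (-r["score"], r["host"]))


if __name__ == "__main__":
    for row in prioritize(INVENTORY, load_kev(KEV_EXCERPT)):
        print(f'{row["score"]:>4}  {row["host"]:<16} {row["update"]:<28} {"; ".join(row["reasons"])}')
```

The weights are a starting point, not a standard; the point is that a KEV hit on an internet-facing box outranks everything else on the list, and an end-of-life machine with no patch available still shows up so it is not forgotten.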

5. Email security

Priority: HIGH

Email is the #1 attack vector. Secure it properly.

Configure authentication

  • SPF: a DNS record listing which servers may send email for your domain
  • DKIM: signs each outgoing message with your domain's key so receivers can verify it was not altered in transit
  • DMARC: tells receiving servers what to do when a message fails SPF and DKIM alignment (none, quarantine, or reject) and where to send reports

These stop attackers from sending mail that claims to come from your exact domain, but only once DMARC is set to quarantine or reject; a policy of p=none just reports. Start at p=none to read the reports, then move to reject once every legitimate sender (SIS notifications, the newsletter tool, the copier) is covered. None of this stops look-alike domains or display-name spoofing.
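Before publishing the records, it is worth checking them for the weak settings described above. The following is an added example, not from the page: a small offline linter for SPF and DMARC record text. It does not query DNS (so include lookups are only counted at the top level), the domain school.example and both record sets are constructed samples, and the severity labels are this example's own convention.

```python
"""Offline linter for SPF and DMARC TXT record text (added example).

Parses record text only; no DNS queries, so nested include lookups are not
expanded. Severities ('high', 'medium', 'low', 'info') are this demo's own
convention: any 'high' finding means an outsider can still send as the domain.
"""
import re

LOOKUP_MECHANISMS = ("include", "a", "mx", "exists", "redirect", "ptr")


def check_spf(record: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one SPF record."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("high", "SPF: record does not start with v=spf1")]
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier per RFC 7208
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1                     # each costs a DNS lookup at evaluation time
        if name == "ptr":
            findings.append(("low", "SPF: ptr mechanism is deprecated"))
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append(("high", "SPF: no 'all' term; unlisted senders get a neutral result"))
    elif all_qualifier in "+?":
        findings.append(("high", f"SPF: '{all_qualifier}all' lets any server send as your domain"))
    elif all_qualifier == "~":
        findings.append(("medium", "SPF: '~all' is softfail; move to -all once every sender is listed"))
    if lookups > 10:
        findings.append(("high", f"SPF: {lookups} lookup terms exceeds the limit of 10 (permerror)"))
    return findings


def check_dmarc(record: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one DMARC record."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return [("high", "DMARC: record does not start with v=DMARC1")]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("high", "DMARC: p=none only reports; spoofed mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(("high", "DMARC: missing or unknown p= tag"))
    if "rua" not in tags:
        findings.append(("low", "DMARC: no rua= address, so you get no aggregate reports"))
    if tags.get("pct", "100") != "100":
        findings.append(("medium", f"DMARC: pct={tags['pct']} applies the policy to only part of the mail"))
    if "sp" not in tags:
        findings.append(("info", "DMARC: no sp= tag; subdomains inherit p= (fine if intended)"))
    return findings


def assess(spf: str, dmarc: str) -> dict:
    """Combine both checks; 'high' findings mean the exact domain is spoofable."""
    findings = check_spf(spf) + check_dmarc(dmarc)
    return {"findings": findings,
            "exact_domain_spoofable": any(sev == "high" for sev, _ in findings)}


# Constructed samples for the placeholder domain school.example: a typical
# starting point versus the target state for a Google Workspace tenant
# (the include value is Google's published one).
START_SPF = "v=spf1 include:_spf.google.com a mx ?all"
START_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@school.example"
TARGET_SPF = "v=spf1 include:_spf.google.com -all"
TARGET_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@school.example; sp=reject; pct=100"

if __name__ == "__main__":
    for label, spf, dmarc in (("start", START_SPF, START_DMARC), ("target", TARGET_SPF, TARGET_DMARC)):
        report = assess(spf, dmarc)
        print(label, "exact domain spoofable:", report["exact_domain_spoofable"])
        for severity, message in report["findings"]:
            print(f"  [{severity}] {message}")
```

For a Microsoft 365 tenant the include would be spf.protection.outlook.com instead; either way, the lookup counter matters because every third-party tool you add (newsletter, SIS, helpdesk) usually brings its own include, and the eleventh one silently breaks SPF for everything.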

Enable advanced threat protection

Microsoft Defender for Office 365 and Google Workspace's advanced protection include:

  • Safe attachments (sandbox suspicious files)
  • Safe links (check URLs at click time)
  • Impersonation protection

External email warning

Configure a banner that appears on emails from outside your organization: "CAUTION: This email originated from outside [School Name]." It catches what SPF, DKIM and DMARC cannot: a message from a free webmail account with the head of school's name in the display field. It does not help against mail sent from a compromised internal account, so treat it as one signal, not a guarantee.

6. Principle of least privilege

Priority: MEDIUM

Users should only have access to what they need to do their jobs. This limits damage when an account is compromised.

Admin accounts

  • IT staff should have separate admin and daily-use accounts, and read email and browse the web only from the daily one
  • Admin accounts should only be used for admin tasks
  • Consider just-in-time access for privileged operations

Application access

  • Review who has access to sensitive systems (HR, finance, SIS)
  • Remove access when roles change or employees leave
  • Audit access lists quarterly
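An added example (not from the page) of that quarterly audit as a script: it joins a sensitive system's account export against the HR roster and flags leavers, orphaned or shared accounts, dormant accounts, roles that do not match the person's job, and admin rights sitting on a daily-use account. Both CSVs, the role mapping and the "adm-" naming convention for admin accounts are assumptions constructed for this example; real exports come from your SIS, HR or finance admin console.

```python
"""Quarterly access review for one sensitive system (added example).

Joins the system's account export against the HR roster. The CSV data,
EXPECTED_ROLES and the 'adm-' prefix convention are constructed for this demo.
"""
import csv
import io
from datetime import date

# Constructed HR roster: who works here and in what role.
HR_ROSTER = """\
email,name,status,role
a.teacher@school.example,A. Teacher,active,faculty
b.bursar@school.example,B. Bursar,active,finance
c.former@school.example,C. Former,left,finance
d.admin@school.example,D. Admin,active,it
"""

# Constructed export from the finance system: username, owner, role, last sign-in.
FINANCE_ACCOUNTS = """\
username,owner_email,system_role,last_login
a.teacher,a.teacher@school.example,viewer,2024-03-02
b.bursar,b.bursar@school.example,approver,2025-01-10
c.former,c.former@school.example,approver,2024-11-20
d.admin,d.admin@school.example,admin,2025-01-12
adm-d.admin,d.admin@school.example,admin,2025-01-11
shared-frontdesk,,viewer,2025-01-13
"""

# Which system roles each HR role is expected to hold (assumption for this demo).
EXPECTED_ROLES = {"finance": {"viewer", "approver"}, "it": {"admin"}}
ADMIN_PREFIX = "adm-"   # assumed naming convention for separate admin accounts


def review(roster_csv: str, accounts_csv: str, today: date,
           dormant_days: int = 90) -> list[dict]:
    """Return one finding per problem found; an account can have several."""
    roster = {r["email"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []

    def flag(username: str, issue: str) -> None:
        findings.append({"username": username, "issue": issue})

    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        user = acct["username"]
        person = roster.get(acct["owner_email"])
        if person is None:
            flag(user, "no named owner in HR roster: shared or orphaned account")
            continue
        if person["status"] != "active":
            flag(user, f"owner {person['name']} has left: disable now")
            continue
        expected = EXPECTED_ROLES.get(person["role"], set())
        if acct["system_role"] not in expected:
            flag(user, f"role '{acct['system_role']}' not expected for HR role '{person['role']}'")
        if acct["system_role"] == "admin" and not user.startswith(ADMIN_PREFIX):
            flag(user, "admin rights on a daily-use account: move them to a separate adm- account")
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > dormant_days:
            flag(user, f"no sign-in for {idle} days: remove unless still needed")
    return findings


def demo_review() -> list[dict]:
    """Run the review on the constructed data with a fixed review date."""
    return review(HR_ROSTER, FINANCE_ACCOUNTS, today=date(2025, 1, 15))


if __name__ == "__main__":
    for finding in demo_review():
        print(f'{finding["username"]:<18} {finding["issue"]}')
```

The join on owner_email is the important part: an account nobody in HR owns is exactly the kind that survives three rounds of "remove access when employees leave".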

7. Network segmentation

Priority: MEDIUM

If an attacker gets into one part of your network, segmentation prevents them from reaching everything else.

Basic segments

  • Student devices: Limited access to administrative systems
  • Staff/faculty: Access to educational resources, limited admin access
  • Administrative: HR, finance, SIS systems
  • Guest: Completely isolated, internet only
  • IoT/printers: Isolated from sensitive systems

Quick wins

  • Put guest WiFi on a completely separate network
  • Isolate smart devices (cameras, HVAC) from main network
  • Use VLANs to segment if you have managed switches

8. Endpoint protection

Priority: MEDIUM

Every device needs protection against malware.

Antivirus/EDR

Modern endpoint protection goes beyond signature-based antivirus:

  • Microsoft Defender (included in Windows) is now quite capable
  • Consider EDR (Endpoint Detection and Response) for visibility into threats
  • Ensure protection is active on all devices

Encryption

  • Enable BitLocker (Windows) or FileVault (Mac) on all staff devices, and confirm the recovery keys are escrowed (to Intune/Entra ID or Active Directory for BitLocker, to your MDM for FileVault) so a forgotten PIN does not become your own data-loss incident
  • Encrypted devices protect data if a laptop is lost or stolen

Mobile device management

If staff access email/data on phones, use MDM to:

  • Require device encryption
  • Enable remote wipe if device is lost
  • Enforce passcode requirements

9. Incident response plan

Priority: MEDIUM

When (not if) something goes wrong, you need to know what to do.

Before an incident

  • Document your incident response plan (we have a template)
  • Identify who makes decisions during an incident
  • Have contact information ready (insurance, legal, vendors)
  • Print copies - digital plans aren't helpful if systems are down

Key questions to answer

  • Who declares an incident?
  • Who communicates with parents/staff?
  • Who communicates with law enforcement?
  • Who contacts cyber insurance?
  • What's the communication chain?

10. Cyber insurance

Priority: MEDIUM

Cyber insurance helps cover costs when things go wrong. And the application process forces you to assess your security.

What cyber insurance covers

  • Incident response costs (forensics, legal, notification)
  • Business interruption losses
  • Ransom payments (though payment is controversial)
  • Data breach notification costs
  • Legal fees and settlements

Getting coverage

Insurers are increasingly requiring specific security controls:

  • MFA (required by almost all insurers now)
  • Backup practices
  • Endpoint protection
  • Email security

If you can't answer their security questions, you may not get coverage - or premiums will be very high.

Implementation priority

Do this week

  • Enable MFA on email and critical systems
  • Verify backups are running and test a restore
  • Confirm offline/immutable backup exists

Do this month

  • Configure email authentication (SPF, DKIM, DMARC)
  • Enable external email warning banner
  • Schedule staff security training
  • Review patch status and enable automatic updates

Do this quarter

  • Document incident response plan
  • Review network segmentation
  • Audit access to sensitive systems
  • Review cyber insurance coverage

Need help securing your school?

This guide covers the essentials. If you want help assessing your current posture, implementing controls, or training your staff, we're here.
