Skip to content

How to protect your school from a cyberattack

Rachel Bishop
Rachel Bishop|Updated December 14, 2023
Security green
Security green

We recently blogged about the top cybersecurity threats to schools — but with limited resources and shrinking budgets, how can you protect your school from a cyberattack? Ultimately, you’ll sleep better at night if you do five things:

  • Educate your end users. 

  • Prioritize patch management. 

  • Develop a strong password policy. 

  • Invest in proactive measures. 

  • Have a strategic backup plan.

The risks of cyberattacks on schools 

In 2021, the K–12 Cyber Incident Map recorded 166 cyber incidents in schools, impacting 162 school districts in 38 states. These figures are humbling by themselves, but the icing on the cake is what threat actors can do through a cyberattack on a school. 

For instance, say a student falls victim to a phishing attack. Without the right defenses in place, a threat actor could weasel their way into the environment and wreak havoc. And that havoc could be anything from launching a ransomware attack to releasing sensitive data that’s ripe and ready for dark web lurkers. 

We see the repercussions of cyberattacks on schools all the time, from a district losing $346,000 to a phishing scam to thousands of user accounts being compromised. Much like cyberattacks launched on businesses, schools face reputation damage and irrecoverable costs. 

Educate your end users through security awareness training 

You know that feeling when you could swear that today's fifth graders are covering skills you didn’t learn until eighth grade? That’s what dealing with threat actors is like these days. 

Sure, you have the occasional script kiddie — but many hackers who launch attacks on schools are part of organized ransomware groups. We’re no longer handling hackers in hoodies; we’re grappling with grifters in groups. As a sysadmin in a K–12 environment, it’s important not to underestimate what hackers are capable of — and education is key. 

Anyone can fall victim to a phishing attempt, even trained professionals. But teaching your users the common signs of a phishing attempt can help curb the threat. Consider giving age-appropriate training to help your end users — faculty, staff, and students — know what to look for. 

For example, at PDQ, we use KnowBe4 to train our employees to be vigilant against cyberthreats. Other companies offer free or low-cost security awareness training for school students and staff. One such company is Fortinet, which offers student- and staff-friendly training modules, quizzes, and other awareness assets. 

Prioritize patch management 

When software vendors unearth a vulnerability in their software, they release a patch to fix it. And vendors do their due diligence to get the word out about the vulnerability and the associated patch. But you know who’s eagerly awaiting those vulnerability announcements? Threat actors. 

Hackers love to exploit vulnerabilities to conduct nasty attacks. Don’t make it easy for them. 

Patch your systems and software frequently and regularly — at least every two to three weeks, or within 24 hours if you’re dealing with a zero-day vulnerability. There are tools out there to help make this otherwise grueling process manageable (although we’re a bit biased here). 

Develop a strong password policy 

We know — we’re talking about passwords again, and you’re already envisioning a million help desk tickets every Monday morning from users who forgot their passwords. But a strong password policy is such a crucial part of preventive cybersecurity that we have to restate its importance here. 

Credential compromise is often low-hanging fruit for threat actors. Verizon’s 2023 Data Breach Investigations Report claims that stolen credentials were present in 31% of breaches in the education sector. And credentials made up 40% of all data compromised in this sector. Once a threat actor cracks the right password, they’re free to lie in wait until the perfect opportunity arises — or strike immediately. 

Creating a password policy doesn’t have to be difficult. You should think about these considerations when developing your password policy: 

  • Password history (only use Ilovemydogawholelot475 once) 

  • Password age (you should love your dog — not your password — as it ages) 

  • Password length (eight characters minimum, but more is better) 

  • Password complexity (a chance to feature your favorite symbol) 

  • Account logout (after five incorrect guesses, lock the user out for half an hour) 

And while a strong password is great, a strong passphrase is even better.

Invest in proactive security measures 

Might we suggest an alternative proverb to Ben Franklin’s “an ounce of prevention is worth a pound of cure”:

“A pinch of proactive security measures is worth a weekend of peaceful sleep.”

Make sure that you don’t overlook proactive security measures when it comes to your school’s security. Proactive security measures are likely things you’ve heard of: multifactor authentication (MFA), firewalls, antivirus, traffic analyzers, etc. 

These common tools can help combat a few of the major cyberthreats schools face, including distributed denial-of-service attacks (DDoS) that can cause major outages on your network.

Have a strategic backup plan 

It’s unfortunate, but hackers can still pwn your environment even if you have the best proactive security measures in place. 

That’s why a disaster recovery plan should be locked in the glass box next to the fire extinguisher in the hallway. One of the most important parts of any disaster recovery plan is a strategic backup plan. How — and where — you back up your data matters. 

For a strong, strategic backup plan, implement at least one immutable backup. Immutable backups ensure that your stored data can’t be changed, deleted, or altered — not even by you, my sysadmin friend who holds the keys to the kingdom. In a ransomware attack, you may be crying — but your immutable backups will be laughing in its ugly, nasty face. 

Keep in mind that there are some types of attack tactics, such as data exfiltration, where even a million immutable backups won’t do much good. A strategic backup plan, while an important part of a disaster recovery plan, shouldn’t be the disaster recovery plan.

Grade-specific cybersecurity tips for sysadmins

Your cybersecurity strategy should evolve as students progress through their educational journey. Cybersecurity best practices for first graders undoubtedly look different from the cyber strategy you put in place for students nearing high school graduation.

Here are some cybersecurity best practices specific to grade levels.

Cybersecurity tips for elementary schools 

Elementary school students need the most limited access among all the grade levels. If students use the internet, teachers are close by to supervise and direct them toward specific websites.

Because elementary school students’ internet usage is so limited, some sysadmins choose to implement a safe browser (like Google’s Kiddle) and restrict all other browsers. Depending on the browser, you can allowlist specific URLs that encourage learning (and discourage cyberattacks and other nefarious activities).

At the elementary school level, you might issue students iPads for use in the classroom. You can lock these down via your management console or mobile device management solution. For example, you can set up these devices to access only one app, such as an app that allows students to read as if their device were an ebook. For Android devices, you can accomplish this through kiosk mode. This gives you greater control over how your students can use their devices.

It’s also important to note that cybersecurity education for students begins now. You can discuss how students should use their devices with their teachers and parents — and teachers can and should make cybersafety part of their lesson plans whenever students use technology. Naturally introducing cyber concepts to children sets the foundation for more in-depth learning later on.

Cybersecurity tips for middle schools 

Middle school students may bring their personal devices to school, warranting the creation a bring your own device (BYOD) policy. Students might also use computer labs more frequently, which is where security awareness training becomes particularly useful. 

You might consider using your device management solution to push out profiles and configurations to issued devices, such as Chromebooks and laptops. This allows you to limit applications and the content visible to students. In some wireless controllers, you can even set a specific rating (e.g., G, PG, PG-13) for content visible to students. 

Middle school students should continue to progress through their cybersecurity education as well. Students at this age should understand the risks of internet usage and learn how to avoid common threats, such as phishing.

Cybersecurity tips for high schools 

Congratulations to those sysadmins who work with high school students — you’re officially dealing with little adults! 😅 The good news is all the prep work you’ve done for your elementary and middle school students will serve you well here. 

Your cybersecurity strategy for high school students should be more sophisticated than those for elementary and middle school students. At this level, we flip the script in a few ways. Instead of allowlisting websites, we denylist far more frequently to meet students’ growing needs to access more internet resources. And you may find that you use your management console a little less frequently. 

High school students should understand the real-world risks and implications of poor cyber hygiene. They should know about phishing, smishing, ransomware, and so on. (And while you’re at it, now is a good time to stress that once something goes live on the internet, it’s never truly gone.)  

The times, they are a-changin'

Today’s high school students face threats we older folks simply didn’t face at their age. Today’s teens are far more tech savvy than we were in our high school years. They’re going viral on TikTok and talking to their friends nonstop. And the unfortunate reality is that while they’re technologically intelligent, they often lack other areas of intelligence that are critical to good cyber hygiene — good judgment, for example, which isn’t fully developed in the brain’s prefrontal cortex until age 25.

In short, teenagers are akin to puppy dogs with ears too big for their bodies. Part of them is fully developed, while an equally important part is not. And that can lead to poor decision-making. 

Educating teenagers on the real-world risks of internet usage is critical. They should know that nothing truly disappears from the internet once it’s out there, and what’s said online can have real-world implications. A good rule for teenagers is to avoid sending anything online or via text that they wouldn’t want to see plastered on the side of their house for everyone to view. 

In fact, this would make a great class for high school students. Teachers may be met with eye rolls and groans, and students may not listen, but as IT professionals … we can dream, right?

A few more general tips 

To wrap up, here are a few tips that can be applied for each grade level — and their nuances. 

While you can establish an acceptable use policy for all grade levels, high schoolers might be more involved with reading and agreeing to the policy themselves versus needing a guardian’s signature. You might also consider penalties, such as suspension or losing their computer privileges, for students who don’t follow the rules. 

You should consider segmenting, isolating, and restricting guest traffic as well, which makes it more difficult for threat actors to gain access to your main environment. These restrictions will likely look different at each grade level. (For example, you might monitor children’s devices differently than you’d monitor a 17-year-old's device). You can put these rules in place on your wireless controller or your firewall. 

It’s never too early to educate students on the internet's inherent risks, and making cybersecurity part of their educational journey puts them well on their way to becoming responsible adults.


We may not be able to stop a cyberattack in its tracks — but we can make it that much harder for hackers to sneak in through vulnerabilities. Level up your patch management process with PDQ Deploy & Inventory — or PDQ Connect if your students are remote. Start a free trial and see how simple patch management can be. 

Rachel Bishop
Rachel Bishop

A professional writer turned cybersecurity nerd, Rachel enjoys making technical concepts accessible through writing. At this very moment, she’s likely playing a video game or getting lost in a good psychological thriller. She enjoys spending time with her husband (a former sysadmin now in cybersecurity) as well as her two cats and three birds.

Related articles