A district can spend six figures on tooling and still get phished into a payroll diversion. The hard part of K-12 security is not buying products; it is making sure the basics—identity, access scope, and incident response—stay tight while staff turn over and vendors come and go.
Identity is the new perimeter
Mandate MFA for every staff account, including substitutes and contractors, and use phishing-resistant methods (passkeys or FIDO2 security keys) for the business office and IT admins, since push prompts and one-time codes can be relayed by the same phishing kits that divert payroll. Disable shared logins for "the front office computer"; if a kiosk account is truly unavoidable, give it no data access beyond the kiosk. When teachers leave, deprovision the same day, not the same quarter, and revoke active sessions and app tokens rather than only resetting the password. Pair this with role-based access so a curious admin assistant cannot pull district-wide grades. Least privilege is cheaper than a breach notification.
Vendor risk: read before you click "agree"
Every "free" classroom app is a potential data processor, including the ones a teacher enables by approving an OAuth consent prompt with a district account. Maintain a one-page vendor inventory: what data each tool sees, where it is stored, who at the school owns the relationship, and when the approval was last reviewed. Refuse vendors that cannot show a SOC 2 report, a sub-processor list, or a data deletion process. Borderset publishes its security posture under security & compliance; expect the same from anyone touching your SIS.
Backups you have actually restored
A backup you have never tested is a backup you do not have. Pair the patterns in school data backups and continuity planning with quarterly restore drills—pick a random table, restore it into a scratch database, verify row counts and a checksum against production rather than trusting the backup job's "success" status, and time the operation. Keep at least one copy offline or immutable, because ransomware crews delete every backup they can reach before they encrypt anything. Document the runbook so a different admin can execute it under stress.
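What a scripted restore drill looks like, as an added example (not code from the page, not Borderset's, and not the patterns in the linked backup guide): SQLite stands in for the SIS database so the script runs offline, and the function names `take_backup`, `restore_drill` and `run_drill` are this example's own. In practice the backup and restore steps would wrap `pg_dump`/`pg_restore` or `mysqldump`; the drill logic stays the same: restore into scratch, pick a table, compare count and checksum against production, record the time.

```python
"""Quarterly restore drill. Added example, not code from the page or from
Borderset. SQLite stands in for the SIS database so it runs offline; in
practice take_backup/restore would wrap pg_dump/pg_restore or mysqldump."""
import hashlib
import random
import sqlite3
import time


def build_sample_db():
    """Constructed SIS-like data; the rows are invented for this example."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE students(id INTEGER PRIMARY KEY, name TEXT, grade INTEGER);
        CREATE TABLE grades(id INTEGER PRIMARY KEY, student_id INTEGER,
                            course TEXT, score INTEGER);
        INSERT INTO students VALUES (1,'Ana',9),(2,'Ben',10),(3,'Cy',11);
        INSERT INTO grades VALUES (1,1,'Algebra',88),(2,2,'Biology',91),
                                  (3,3,'History',79),(4,1,'Biology',85);
    """)
    return con


def take_backup(con):
    """Full logical backup as SQL text, i.e. the contents of a dump file."""
    return "\n".join(con.iterdump())


def list_tables(con):
    rows = con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def table_fingerprint(con, table):
    """(row_count, sha256 over rows in primary-key order). Table names come
    from sqlite_master, never from user input, so quoting them is safe."""
    digest = hashlib.sha256()
    count = 0
    for row in con.execute(f'SELECT * FROM "{table}" ORDER BY 1'):
        digest.update(repr(row).encode())
        count += 1
    return count, digest.hexdigest()


def restore_drill(prod, dump_sql, table=None, rng=random):
    """Restore the dump into a scratch database, then compare one table
    (random unless given) against production by count and checksum."""
    table = table or rng.choice(list_tables(prod))
    started = time.perf_counter()
    scratch = sqlite3.connect(":memory:")
    scratch.executescript(dump_sql)
    elapsed = time.perf_counter() - started
    expected = table_fingerprint(prod, table)
    restored = table_fingerprint(scratch, table)
    return {
        "table": table,
        "rows_restored": restored[0],
        # A restore that "succeeds" but yields different data still fails the drill.
        "verified": restored == expected,
        "seconds": round(elapsed, 3),
    }


def run_drill(table=None, corrupt=False):
    """Run one drill. corrupt=True drops a row from the dump to show that
    the checksum, not the job status, is what catches a bad backup."""
    prod = build_sample_db()
    dump = take_backup(prod)
    if corrupt:
        dump = "\n".join(line for line in dump.splitlines()
                         if "'History'" not in line)
    return restore_drill(prod, dump, table=table)


if __name__ == "__main__":
    for outcome in (run_drill(), run_drill(table="grades", corrupt=True)):
        print(outcome)
```

The second run in `__main__` is the case the drill exists for: the restore completes without error, the table exists, and the data is still wrong. Log the dict from each drill (table, rows, verified, seconds) in the runbook so the next admin can tell whether a restore is taking longer than it used to.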
Breach response that respects FERPA
Write the incident playbook before you need it: who declares an incident, who notifies counsel, what evidence to preserve (sign-in logs, mailbox forwarding rules, the phishing message itself), and which families get told and when. FERPA and state breach laws do not pause for the school year. Treat communications with the same rigor as the technical response—families forgive a security incident; they do not forgive silence about one.
What to revisit every term
Review staff offboarding logs, MFA enrollment coverage, and your vendor inventory at the start of each term. Run one tabletop exercise per year—pick a realistic scenario like a phished business office account. The goal is not to ace it; the goal is to know who freezes and where the playbook is unclear before a real attacker tells you.
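The offboarding and MFA-coverage review above, and the identity rules under "Identity is the new perimeter", can be scripted against whatever your identity provider exports. The following is an added example (not Borderset's code and not from the original page): it reads a constructed directory export and a constructed HR separation list and reports the findings those sections ask you to check each term. Column names such as `mfa_enrolled` and `last_login`, the `SHARED_HINTS` list, and the fixed `TODAY` date are assumptions of this example; map the columns to your IdP's real export.

```python
"""Term-start identity audit. Added example, not code from the page or
from Borderset; column names are assumed and should be mapped to your
identity provider's real export."""
import csv
import io
from datetime import date

# Constructed sample directory export (rows are invented for this example).
DIRECTORY_CSV = """email,display_name,enabled,mfa_enrolled,role,last_login
jsmith@district.example,Jane Smith,true,true,teacher,2024-09-03
frontoffice@district.example,Front Office,true,false,staff,2024-09-04
bcarter@district.example,Bill Carter,true,true,payroll,2024-09-04
lnguyen@district.example,Lan Nguyen,true,false,substitute,2024-08-30
dlee@district.example,Dana Lee,true,true,teacher,2024-07-01
rpatel@district.example,Raj Patel,false,true,teacher,2024-06-10
"""

# Constructed HR separation list: who left and when.
SEPARATIONS_CSV = """email,separation_date
dlee@district.example,2024-06-14
rpatel@district.example,2024-06-14
"""

# Local-part fragments that usually mean a shared, not personal, login (assumed).
SHARED_HINTS = ("office", "frontdesk", "library", "lab", "shared", "kiosk")

# Fixed "today" so the sample report is reproducible.
TODAY = date(2024, 9, 5)


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def is_true(value):
    return value.strip().lower() in ("true", "1", "yes")


def audit(directory_csv, separations_csv, today):
    """Return MFA coverage and a list of (kind, email, detail) findings."""
    accounts = parse_csv(directory_csv)
    separated = {
        r["email"].strip().lower(): date.fromisoformat(r["separation_date"])
        for r in parse_csv(separations_csv)
    }
    # Disabled accounts are already offboarded; only enabled ones matter.
    enabled = [a for a in accounts if is_true(a["enabled"])]
    findings = []
    for acct in enabled:
        email = acct["email"].strip().lower()
        local_part = email.split("@", 1)[0]
        if not is_true(acct["mfa_enrolled"]):
            findings.append(("no_mfa", email, acct["role"]))
        if any(hint in local_part for hint in SHARED_HINTS):
            findings.append(("shared_login", email, acct["role"]))
        if email in separated:
            left_on = separated[email]
            days = (today - left_on).days
            findings.append(("stale_account", email, f"{days} days after separation"))
            # An enabled account that signed in after the person left is
            # either a missed offboarding or someone else using it.
            if date.fromisoformat(acct["last_login"]) > left_on:
                findings.append(("post_separation_login", email, acct["last_login"]))
    with_mfa = sum(is_true(a["mfa_enrolled"]) for a in enabled)
    coverage = with_mfa / len(enabled) if enabled else 1.0
    return {"enabled_accounts": len(enabled), "mfa_coverage": coverage, "findings": findings}


def run_sample():
    return audit(DIRECTORY_CSV, SEPARATIONS_CSV, TODAY)


if __name__ == "__main__":
    report = run_sample()
    print(f"MFA coverage: {report['mfa_coverage']:.0%} "
          f"of {report['enabled_accounts']} enabled accounts")
    for kind, email, detail in sorted(report["findings"]):
        print(f"{kind:22} {email:32} {detail}")
```

On the sample data the report shows 60% MFA coverage, the shared front-office login with no MFA, a substitute with no MFA, and a teacher who left in June whose account is still enabled and was signed into in July. That last kind, `post_separation_login`, is the one to chase the same day; the rest go on the term's offboarding list.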