TCEA 2025: Cybersecurity Strategies for K–12 Schools to Protect Microsoft and Google Environments

As cyber threats against educational institutions continue to escalate, K–12 schools are being urged to strengthen their defenses against potential data breaches and cyberattacks. Experts at the 2025 TCEA Convention & Exposition in Austin, Texas, underscored the urgency of securing cloud-based collaboration tools such as Microsoft 365 and Google Workspace for Education.

During a panel discussion, Tom Schmidt, senior account executive at ManagedMethods, led a session alongside Steve Messinger, systems and network manager at Belton Independent School District, and Toni McPherson, director of network services and infrastructure at Humble Independent School District. The experts emphasized the risks associated with poor security configurations and provided actionable solutions to mitigate vulnerabilities.

Cybersecurity risks for schools extend beyond sophisticated hacking techniques. Many breaches occur due to simple, preventable security lapses that expose sensitive student and staff data. These risks include weak passwords, unmonitored third-party applications, and improperly shared files, making schools susceptible to phishing scams and unauthorized data access.

One of the primary recommendations from the panel was for schools to conduct regular cloud security risk and safety audits. Schmidt pointed out that such audits help uncover vulnerabilities, such as unauthorized third-party applications, exposed personally identifiable information (PII), and compromised accounts. With Google now restricting app authorizations for students under 18, IT administrators need to closely monitor which applications staff members are approving, as unregulated access could lead to security breaches.

Schools must also prioritize strong password policies to prevent cybercriminals from easily accessing their networks. Schmidt cited a real-world example in which a school was hacked because it had published a predictable password format online. Experts recommend frequent password updates, the use of complex passwords, and avoiding personal details like birthdates or graduation years.
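One way to enforce this advice when a password is set, shown as an added example that does not come from the panel or from any vendor tool: a check that rejects passwords built from the user's own record. The record fields, the 12-character minimum and the three-character-class rule are assumptions chosen for illustration.

```python
from datetime import date

# Constructed sample record; the field names are assumptions for this example.
SAMPLE_STUDENT = {
    "first": "Jordan", "last": "Rivera", "username": "jrivera27",
    "birthdate": date(2009, 3, 14), "grad_year": 2027,
}

# Undo common character substitutions before matching names ("R!v3ra" -> "rivera").
LEET = str.maketrans("013457@$!", "oieastasi")


def personal_tokens(user):
    """Strings derived from the user's record that must not appear in a password."""
    tokens = {user["first"], user["last"], user["username"], str(user["grad_year"])}
    # Common ways a birthdate gets typed into a password.
    for fmt in ("%m%d%Y", "%m%d%y", "%Y%m%d", "%d%m%Y", "%m%d", "%Y"):
        tokens.add(user["birthdate"].strftime(fmt))
    # Very short tokens would flag too many unrelated passwords.
    return {t.lower() for t in tokens if len(t) >= 4}


def check_password(password, user, min_length=12):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than 3 character classes")
    lowered = password.lower()
    # Match against the raw form (dates, years) and the de-substituted form (names).
    variants = (lowered, lowered.translate(LEET))
    for token in sorted(personal_tokens(user)):
        if any(token in v for v in variants):
            problems.append(f"contains personal detail '{token}'")
    return problems


if __name__ == "__main__":
    for candidate in ("Rivera03142009!", "R!v3ra-Tigers-Go", "maple-Harbor-Quilt-61"):
        print(candidate, "->", check_password(candidate, SAMPLE_STUDENT) or "ok")
```
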

A crucial but often overlooked security measure is enforcing multifactor authentication (MFA) for all users, including students. While many schools mandate MFA for staff, students often remain unprotected. McPherson and Messinger revealed that although MFA is enabled for students in their districts, it has yet to be made mandatory. Some institutions delay implementation due to cost concerns or resistance from parents, but several have reversed their stance following student account breaches. For staff members hesitant to use personal phones for authentication, districts have implemented alternative solutions like YubiKeys.

Another critical step in fortifying school networks is activating location-based access control. This feature alerts IT administrators when suspicious login attempts originate from outside the district or country. According to Schmidt, large-scale breaches often occur following a third-party data leak, making geofencing and location-based tracking essential for securing user accounts. McPherson shared how her district successfully used location tracking to detect VPN misuse and policy violations among students.

One of the biggest security gaps in educational institutions stems from unregulated third-party applications. Schools must closely monitor and restrict access to external apps, which can introduce security risks. McPherson warned against teachers and students using their school credentials to sign up for unauthorized software, as this exposes sensitive data. Her district enforces a third-party application policy tool to vet and prohibit apps that compromise security.

A simple yet effective cybersecurity measure is enabling external email warning messages. Phishing attacks frequently target school communities, and alerting users when they are interacting with external email addresses can prevent accidental data leaks. Schmidt emphasized that a small notification can be enough to make users think twice before responding to a fraudulent request.

Schmidt also recommended enabling confidential mode for emails, which prevents sensitive information from being sent without authorization. Many staff members unknowingly send personal or student information via email, risking compliance violations. Confidential mode restricts external sharing and encourages users to reconsider sending potentially sensitive data.

To combat phishing, Microsoft 365 and Google Workspace provide built-in security tools, but Schmidt stressed that schools should go beyond these features. Comprehensive phishing awareness training helps students and staff identify red flags in suspicious emails. Some districts have successfully implemented gamified cybersecurity training programs to improve engagement and awareness.

Another major security concern is inadequate document-sharing protocols. Schools often struggle with users unintentionally sharing files with unrestricted access, potentially exposing confidential student records. Schmidt advised IT teams to enable data loss prevention (DLP) tools to prevent unauthorized external sharing. Messinger shared that his district uses ManagedMethods’ DLP features to monitor outgoing data and enforce security controls in real time.

Finally, cybersecurity experts stressed the importance of conducting annual security health audits. A third-party security assessment helps schools identify gaps in their cybersecurity strategies and ensure compliance with evolving security standards. Messinger highlighted how previous audits in his district revealed undocumented IT system changes, reinforcing the need for ongoing security evaluations.

The panelists concluded that cybersecurity is not a one-time fix but an ongoing commitment. Schools must continuously adapt to emerging threats, train their staff and students, and implement proactive security measures. With educational institutions increasingly relying on cloud-based collaboration tools, safeguarding Microsoft 365 and Google Workspace environments is more critical than ever.

By adopting these 10 cybersecurity best practices, K–12 schools can fortify their digital infrastructure, protect sensitive student data, and create a safer learning environment in an era of rising cyber threats.

Robert Simpson is a seasoned ED Tech blog writer with a passion for bridging the gap between education and technology.