Ransomware attacks shut down school districts for days or weeks at a time — costing districts millions in recovery, substitute teachers, and lost instructional days. The entry point is almost always an untrained staff member clicking a phishing email. One session changes that.
In 2023, a Texas school district saw ransomware encrypt student records, food service systems, and building controls for 37,000 students. Classes were cancelled for 6 days. The recovery bill exceeded $3.2M. The attack began with a single phishing email to a school secretary.
Phishing emails impersonating the HR department or payroll vendor harvest teacher login credentials. With access to payroll and HR portals, attackers pull W-2 data for every employee — a goldmine for identity theft and a FERPA violation for any personnel file accessed.
EdTech platforms (Google Workspace for Education, ClassDojo, PowerSchool, Schoology) store student names, grades, IEP data, and in some cases medical notes. When a vendor suffers a breach — as happened with PowerSchool in 2025 affecting millions of students — districts bear the notification burden and parent trust damage even though they had no control over the breach.
FERPA requires all school employees with access to student education records to protect student PII — unauthorized disclosure to an attacker is a FERPA violation even if the breach was caused by a phishing email. The Children’s Internet Protection Act (CIPA) requires schools receiving E-rate funding to maintain an “internet safety policy” that includes technology protection measures AND educational awareness training. Many states have enacted student data privacy laws (SIPA, SOPIPA, and state equivalents) that layer additional requirements on top of FERPA. A documented security awareness training program is your first line of defense — and for E-rate recipients, it’s a compliance requirement.
"A staff member in our tech department received an email that looked like it came from our student information system vendor asking to reset their password. She almost clicked. Two weeks earlier, our entire staff had attended a SecurEveryone session. She flagged it, reported it, and we caught the full thread — six other staff had received it. The training was specific enough that she recognized it."
— Director of Technology, Midwest K-12 School District
"We had a ransomware scare last year — our IT team caught it before encryption started, but it was close. After that, our superintendent was determined to get everyone trained. SecurEveryone did a Business session with our entire central office staff in one afternoon. Every person who touches a computer walked away knowing exactly what to look for."
— Chief Operations Officer, Southeast Regional School District
"Our special education records include IEP data, medical information, and family details. FERPA violations for that data carry serious consequences. The SecurEveryone team walked our special services staff through exactly how phishing and social engineering puts those records at risk — and what each staff member is responsible for protecting. It landed in a way a generic training never would."
— Special Education Director, Large Urban District
FERPA itself doesn’t explicitly mandate security awareness training, but it requires schools to protect student education records from unauthorized disclosure — and that obligation extends to preventing disclosures caused by staff falling for phishing emails or credential theft. A FERPA breach triggered by an untrained staff member is harder to defend in a complaint or investigation than one where documented training was in place. OCR enforcement actions have consistently looked at whether the school had “reasonable safeguards” — and documented training is central to that defense.
Yes — if an EdTech vendor that handles student data suffers a breach, the school is often the entity responsible for breach notification to parents under state student data privacy laws (and sometimes under FERPA if the school is deemed to have authorized the disclosure). Entering into a written agreement with vendors governing data use and security is required under FERPA’s “school official” exception. Our Executive session covers EdTech vendor risk assessment, FERPA agreements with vendors, and what your district is actually liable for if a platform you use is breached.
CIPA requires schools receiving E-rate funding to have an “internet safety policy” that includes technology protection measures and “an educational initiative regarding Internet safety.” The educational initiative must address “access to inappropriate matter,” “safety and security of minors,” “unauthorized access and other unlawful activities,” and “restricting minors’ access to materials harmful to minors.” While the specific form of the educational initiative is flexible, a cybersecurity awareness training program for staff is the most effective and defensible way to satisfy the “responsible use” component — and most state CIPA equivalents go further.
Generally no — and paying doesn’t guarantee recovery. FBI guidance and the Cybersecurity and Infrastructure Security Agency (CISA) guidance for the education sector both advise against paying ransomware demands. Districts that have paid have been re-extorted. The better investment: clean offline backups, a documented incident response plan, and a trained staff that doesn’t click the initial phishing email. Our Business-tier session includes an incident response planning worksheet specifically for K-12 environments.
The Business-tier session is a live 2-hour webinar with unlimited participants — you can include every staff member across every school in one session, or run it school-by-school on separate dates if your schedule requires. We use role-specific breakout content for teachers, office staff, counselors, IT, and administrators. Post-session, you receive a FERPA documentation package including training completion records you can maintain for compliance purposes. We can also run smaller follow-up sessions for specific roles that need deeper coverage.
Take our free Phishing IQ Quiz to benchmark your team's awareness in 5 minutes — or book a 15-minute consult with one of our instructors.