Security awareness

Cybersecurity Awareness Checklist for Educational Institutions

Beth Osborne
August 27, 2018 by
Beth Osborne

Education has become a growing target for cybercriminals, with breaches up 103 percent in 2017, according to Gemalto. These breaches are mostly motivated by financial gain; Verizon's 2018 Data Breach Investigations Report (DBIR) found this to be true in 70 percent of incidents.

Educational institutions can't afford to think of cybersecurity as an afterthought. The data and systems that comprise a network are essential to keeping schools and universities running as they should. A lot of responsibility has been placed on networks as the infrastructure of data and information, so network protection is paramount.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

While education may seem like a less obvious target than banks, think of the goldmine of data educational institutions have. Student and staff personal information is especially at risk. Thus, preparation and proactive strategies are necessary.

Start by reviewing this security checklist for education and implementing any of these approaches not currently in use.

The Education Checklist for Optimal Cybersecurity

1. Separate student and admin networks. When separate, the network with the most secure information will have stronger security than systems that students use for communication and information.

2. Always update patches so that the system is always using supported software and operating systems. If patches are not updated, these unsupported systems are ripe for compromise. This goes for all devices on the network in addition to PCs — devices like smartphones, tablets and any Internet of Things (IoT)-connected equipment.

3. Establish a backup program. This will be essential if an institution is hit by a ransomware attack. Consider this part of a business continuity plan. A redundant system at an offsite location is critical.

4. Take anything offline that can be. With fewer systems online, attackers have less options to infiltrate. This could include printers, cameras, and TVs.

5. Offer
security awareness training for all staff and users. Make sure they understand how to spot a phishing attempt so that they don't click on things that are bait for introducing malware or ransomware onto the network.

6. Test for vulnerabilities
regularly. At least quarterly, perform an external vulnerability assessment. Find the gaps before a malicious actor does.

7. Document incident response plans. Don't guess at what to do when there is a breach, have a plan of action instead. Keeping a formal plan improves your ability to minimize an attack or breach if it does occur. Also make sure that any employee or user knows what to do in the case of a security incident.

8. Lock down any devices that have access to the network after a certain amount of idle time. This prevents an inside threat from getting into a system they don't have access.

9. Develop a BYOD (Bring Your Own Device) policy for anyone who access to the network, which would include students, faculty, staff, and visitors. While BYOD is great for the classroom — integrating technology into learning — it can leave networks vulnerable. Monitoring and risk assessments should be in place for the Wi-Fi that each of these devices will use.

10. Institute a strong password policy. That policy should include requirements like:

  • Don't use the same passwords for multiple accounts or devices
  • If possible, require that passwords be a minimum of 8-12 characters and include upper and lowercase letters, number and special characters
  • Warn against the use of words that could easily be identified, such as names, addresses, Social Security numbers and birthdates
  • Advise against storing passwords in browsers, as these can be easily revealed once a cybercriminal has access to a device
  • Avoid logging into secure systems on other devices that aren't their own, or unsecured Wi-Fi hotspots without a VPN
  • Change passwords every 90 days or less. Reminders should be sent to parties at least 10 days before
  • Employ two-factor identification if possible
  • Do not share passwords with anyone

11. Maintain antivirus software and ensure it's always up-to-date. Enable automatic updates when possible. Ensure the software scans the network regularly for viruses.


12. Dispose of anything related to information technology — data or equipment — in a secure and proper manner. Devices should be cleaned with any data removed.

13. Build awareness by participating in National Cyber Security Awareness Month (NCSAM) every October. Make this a time to engage users about security concerns. Host online and offline events to educate and inform. Share tips and information via social media and on the institution's website.

14. Ensure compliance with all regulations within your security protocol. As an educational institute, these regulations may include HIPAA, HITECH, FISMA and PCI DDS. When developing your programs for cybersecurity and business continuity, you cannot forget compliance. Depending on the type of institution and the data stored, there is no optional compliance. It's mandatory and must be considered.

15. Measure the effectiveness of network security policies. Simply because there have been no breaches doesn't mean that the policy is foolproof. By paying attention to metrics around how well the network holds up, educational institutions can also measure how well staff are doing to comply with security protocols.

16. Secure physical access to any on-site servers. These should be held in an area with strict access. Make sure this access is by key card and that only those with a need can enter the space.

17. Minimize administrative privileges. If a cybercriminal is able to breach a device with administrative privileges, it will be much easier for them to do damage. IT decision-makers should limit the number of users with admin rights, with only a handful of users having this designation. Regular students and faculty should never be given access to the student's system, as they have no reason to need it. Unless someone really needs such access because it's a function of their job, don't set it up!


Educational institutions have a lot of responsibility when it comes to protecting data and their networks. With appealing data to steal, cybercriminals will continue to take aim, so institutions can't be sitting ducks. With a robust network and this comprehensive checklist, institutions can reduce their weaknesses.

When there are less vulnerable spots, malicious actors may find it too "hard" to break-in and turn their sights somewhere else. Regardless of the threats, having a strategy that focuses on prevention first, mitigation second should work to keep networks safe.


Ransomware still a top threat, warns Verizon 2018 Data Breach Investigations Report, Verizon

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Breach Level Index 2017 Report, Gemalto

Beth Osborne
Beth Osborne