From compliance checkboxes to K-12 cybersecurity champions

Bedford Central School District knows the challenge every K-12 district faces: cybercriminals see schools as easy targets. Building a strong security culture means training everyone — but doing it right takes strategy. Between New York compliance standards, union contracts and already-packed schedules, Bedford Central needed an approach that worked with their reality, not against it.

Turning compliance into momentum

New York's Education Law 2-D establishes strict requirements for safeguarding student data. Bedford Central saw an opportunity — using this law as a catalyst to launch a formal security awareness training program that went beyond mere compliance.

"Every public school district in New York has to comply with that law," says David Gee, Bedford Central's CIO, Data Protection Officer and Director of Technology. "It's our guiding force." The law requires awareness training, incident response plans and business continuity plans that follow the Federal NIST Cybersecurity Framework guidelines.

Gee used that North Star to build momentum behind creating Bedford's security awareness program. To implement it effectively, the district needed a training platform that laid the foundation — one that felt authentic and could demonstrate genuine learning.

When evaluating platforms, Infosec IQ stood apart. "It's not just a talking head with a PowerPoint," Gee says. "Having the assessments attached to each training is another way of confirming that people have engaged with the content and gotten some value."

Building commitment through accountability

Mojeed Oyeniyi, Bedford Central's Information Systems Security Analyst, uses Infosec IQ's content to establish mandatory 40-minute training sessions for all employees at the start of each school year. But how do you ensure participation when staff is already stretched thin?

Bedford Central took a bold approach. After securing buy-in from union representatives and district leadership, they established clear expectations: complete the training within the first month, or technology access gets paused. "That becomes really difficult for a teacher who has to take attendance," Gee says. “But we stuck with it, and it’s gotten much better.”

The policy wasn't about punishment — it was about demonstrating how seriously the district takes data protection. "The first year, people thought it was a bluff," Gee recalls. After following through, the message was clear. Now, staff members proactively check in with Gee about their progress, eager to complete training before the deadline.

Completion rates improved dramatically, giving the district the foundation it needed to expand its program.

Growing into phishing: Strategic simulations 

With foundational training established, Oyeniyi saw the next opportunity. "We needed to make sure there was more awareness within the staff," he explains. "It's clear that attackers are continually seeking to exploit the human elements of cybersecurity. So we felt phishing simulations were a good way to educate them frequently without violating any union or contract provisions."

Working with Infosec's support team, Oyeniyi began customizing phishing campaigns based on Bedford Central's specific threat landscape. He built a phishing site resembling the district's domain with just a few letters rearranged — mirroring tactics real attackers use.

Oyeniyi’s campaigns target actual threats the district faces, creating realistic scenarios Bedford Central has seen or knows target education:

• Fake Google share requests appearing to come from building principals (Oyeniyi varies the names based on which principal leads each building)
• "ChatGPT now approved for staff use" emails with sign-up links (it wasn't actually approved)
• "Upload your classroom photos" requests appearing from the curriculum office
• Benefits and payroll updates using the district treasurer's name during contract negotiations
• Tax service announcements timed to tax season, when employees expect legitimate communications

After each campaign, the IT team receives reports showing who clicked and who entered credentials. "We're analyzing which type of campaign people fall for," Gee says. "And we're also talking about real phishing emails that got through our system that somebody clicked on."

This analysis helps them refine future training — but notably, they don't assign remedial training for employees who fall for simulations. "I don't want it to be too much of a 'Got you,'" Gee explains. "I want employees to feel comfortable enough to come to us if they actually fall for a real phishing attack." This balance between measurement and trust ensures employees report genuine threats without fear.

The district schedules campaigns strategically throughout the year — around holidays, tax season and other times when employees expect certain communications. Currently, they're focusing on phishing attacks that leverage tools like Google. This type of attack is common since districts use these platforms to share curriculum, assignments and resources.

Building momentum and expanding reach

The security awareness program is leading to tangible cultural shifts. The IT team notices more employees pausing to ask, "Is this real?" when encountering suspicious emails — either taking screenshots to verify with IT or reporting suspicious messages directly.

With this foundation in place, Bedford Central continues expanding its approach. The IT team is rolling out role-based training for employees with remote access credentials, including vendors who connect to district systems. Given their elevated security risks, these users receive specialized training before credentials are activated.

Infosec IQ has training specific to individual roles and different industries, including education.

The district is also evaluating how to maintain security awareness year-round, exploring resources like Infosec IQ's Cybersecurity Awareness Month toolkit and Digital Citizenship content from the partnership with Common Sense Media. These tools could help reinforce training messages and extend security education to students.

Advice for other districts: Three keys to success

When asked about lessons learned, Oyeniyi and Gee identify three strategic approaches that drove Bedford Central's transformation — principles any district can apply to build their own security awareness program.

Start strengthening your K-12 cybersecurity awareness

Bedford Central's journey shows what's possible when you combine the right tools with a progressive, people-first approach. They started with compliance requirements and built a culture where employees actively defend student data.

Your district can do the same. Infosec IQ provides everything you need to start simple and scale strategically — from engaging video content and customizable phishing simulations to assessments that prove learning and resources for year-round awareness.

Ready to transform your security awareness program? Book a meeting to see how Infosec IQ can support your district's journey from compliance to commitment.