Back-to-School Cyber Hygiene Checklist for School IT Teams

New year, new passwords, same threats. As teachers prep their classrooms and students sharpen their pencils, your IT team has an even bigger job: making sure the school year starts safely, securely, and without a tech disaster.
The education sector continues to be a top target for cyberattacks—ransomware, phishing, data breaches, and more. And the start of the school year? That’s when cybercriminals strike hardest.
To help you stay ahead, the team at Pacific IT Support created this simple, proactive Cyber Hygiene Checklist—designed specifically for K–12 and higher education IT teams gearing up for August and beyond.
Let’s lock things down before the first bell rings.
1. Reset Passwords & Enable MFA
Staff accounts from last year? Still active. Student credentials? Still shared around. This is the perfect time to start fresh.
Action Steps:
- Force password resets for all students, teachers, and admin staff
- Enable Multi-Factor Authentication (MFA) on all critical systems (email, SIS, LMS, HR/payroll tools)
- Review your password policy: longer passphrases beat complexity rules
- Encourage (or require) password managers
Bonus Tip: Disable accounts that haven’t been used in 60+ days or belong to former staff/students.
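An added example (not code from Pacific IT Support) of the account cleanup described above: it audits a CSV export of accounts for the 60-day inactivity rule, former staff/students, and missing MFA. The column names, the sample rows, and treating an account with no recorded login as unused are assumptions; map them to whatever your directory or SIS actually exports.

```python
import csv
import io
from datetime import date, datetime

STALE_DAYS = 60  # threshold from the checklist's bonus tip

# Constructed sample export; the column names are assumptions, not a real schema.
SAMPLE_EXPORT = """username,role,status,last_login,mfa_enabled
jrivera,teacher,active,2025-08-01,true
mchen,teacher,departed,2025-07-28,true
s.okafor,student,active,2025-03-14,false
it-admin,admin,active,2025-08-04,false
oldsub,substitute,active,,false
"""


def audit_accounts(export_text, today):
    """Return {username: [findings]} for every account that needs action."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        if row["status"].strip().lower() != "active":
            issues.append("disable: former staff/student")
        raw = row["last_login"].strip()
        if not raw:
            # Assumption: no login on record counts as unused.
            issues.append("disable: no login on record")
        else:
            idle = (today - datetime.strptime(raw, "%Y-%m-%d").date()).days
            if idle >= STALE_DAYS:
                issues.append(f"disable: idle {idle} days")
        # Only accounts that stay enabled need an MFA follow-up.
        if not issues and row["mfa_enabled"].strip().lower() != "true":
            issues.append("enable MFA")
        if issues:
            findings[row["username"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_accounts(SAMPLE_EXPORT, date(2025, 8, 5)).items():
        print(f"{user}: {'; '.join(issues)}")
```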
2. Patch and Update All Devices
Outdated software is one of the easiest ways in for attackers.
Action Steps:
- Patch all operating systems, applications, browsers, and drivers
- Update firmware on routers, firewalls, access points, and printers
- Schedule weekly automated updates across your environment
- Run vulnerability scans to catch what patching missed
Don’t forget: student devices, tablets, and shared classroom machines.
3. Audit Permissions and Access
Who can access what? From where? And why?
Action Steps:
- Audit all users for least privilege access
- Clean up shared folders and group permissions
- Restrict admin access to only those who truly need it
- Review and revoke 3rd-party integrations and old app access
Reminder: The more people who have access to student data, the greater the risk.
4. Review (and Test) Your Backup System
You have a backup. But is it actually working?
Action Steps:
- Verify all backups are running daily
- Perform a test restore to confirm files are recoverable
- Back up your SIS, LMS, gradebooks, email, and shared drives
- Keep both onsite and offsite (cloud-based) backups
Goal: Be able to recover fully in under 24 hours if ransomware hits.
5. Lock Down Endpoints and Wi-Fi
Student and staff devices are entry points. So are guests. Protect them all.
Action Steps:
- Install and update antivirus/endpoint detection (EDR) tools
- Disable USB ports and local admin privileges where possible
- Segment Wi-Fi networks (student, staff, guest, devices)
- Require sign-in for any BYOD access
- Use content filtering and DNS protection
Pro Tip: Review firewall rules for open ports or outdated rules from last year.
6. Prepare for Phishing & Social Engineering
Phishing isn’t going away—it’s evolving.
Action Steps:
- Set up email filtering, SPF/DKIM/DMARC records, and block auto-forwarding
- Run a baseline phishing simulation before school starts
- Provide training for staff on phishing, smishing, and impersonation tactics
- Create a simple “report phishing” workflow that users will actually use
Extra Credit: Simulate a spear phishing attack targeting school leadership. See who bites.
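For the SPF/DKIM/DMARC step above, an added example (not from the original article) that checks a domain's published SPF and DMARC TXT records and shows a weak configuration beside a hardened one. The domain `school.example`, the record contents and the function names are constructed; DKIM is left out because its selector names vary by mail provider.

```python
# Constructed TXT records for a placeholder domain (not real DNS data).
WEAK = {
    "school.example": ["v=spf1 include:_spf.mailhost.example ?all"],
    "_dmarc.school.example": ["v=DMARC1; p=none"],
}
HARDENED = {
    "school.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.school.example": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@school.example"],
}

def check_spf(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        # Zero records means no SPF; more than one is a permanent error.
        return [f"SPF: expected exactly one record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    if any(t.startswith("redirect=") for t in terms):
        return []  # policy lives in another record; not followed here
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms or all_terms[0][0] in "+?a":
        shown = all_terms[0] if all_terms else "no 'all' term"
        return [f"SPF: {shown} does not fail unlisted senders"]
    return []

def check_dmarc(txt_records):
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record published"]
    tags = {}
    for part in dmarc[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"DMARC: p={policy or 'missing'} requests no enforcement")
    if "rua" not in tags:
        issues.append("DMARC: no rua tag, aggregate reports are not collected")
    return issues

def audit_domain(domain, zone):
    """zone maps DNS names to their TXT strings (fetched separately)."""
    return check_spf(zone.get(domain, [])) + check_dmarc(zone.get("_dmarc." + domain, []))

if __name__ == "__main__":
    for label, zone in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_domain("school.example", zone))
```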
7. Review Your Cybersecurity & Compliance Policies
Start the year with clear expectations for staff, students, and parents.
Action Steps:
- Update your Acceptable Use Policy (AUP)
- Publish cybersecurity rules for remote access, password sharing, and device use
- Train staff on FERPA, COPPA, and data privacy basics
- Distribute an incident response playbook with contact info and protocols
Bonus: Keep signed digital acknowledgments of policy receipt.
8. Secure Your School’s Public-Facing Services
Your website, email domain, and public records can be used in attacks.
Action Steps:
- Review website CMS and plugins for vulnerabilities
- Set up domain monitoring for lookalike/spoof domains
- Lock down public directory access
- Enable 2FA on all website/backend logins
Optional: Have an MSP run a Dark Web scan to see if any staff/student credentials have been exposed.
Back-to-school isn’t just about academics—it’s about protecting your students, staff, and reputation.
A strong cybersecurity foundation in August means fewer interruptions, fewer breaches, and less stress when things get busy.
At Pacific IT Support, we partner with schools and districts to provide:
- Managed endpoint protection
- Backup & disaster recovery
- Staff security training
- 24/7 helpdesk and support
Want help checking off your list? Let’s make this your most secure school year yet.