Feb 03 2025
TCEA 2025: 10 Ways K–12 Schools Can Secure Their Microsoft and Google Environments

These simple steps can help schools comply with federal laws while protecting networks and student data.

Hackers don’t have to use very sophisticated, high-tech exploits to get into a school’s security system. Sometimes, schools unintentionally make it easy for bad actors to enter their networks by failing to take some very simple security measures in their cloud collaboration suites, said Tom Schmidt, a senior account executive at ManagedMethods, during a 2025 TCEA Convention & Exposition session in Austin, Texas.

Schmidt led a panel discussion with Steve Messinger, a systems and network manager at Belton Independent School District, and Toni McPherson, director of network services and infrastructure at Humble Independent School District, and they shared 10 ways schools can reduce their security risks when using Microsoft 365 and Google Workspace for Education.

Tip 1: Perform a Cloud Security Risk and Safety Audit

Schmidt said that regular cloud security risk and safety audits would help IT staff better understand and remediate some of the vulnerabilities schools might have in their cloud environments. These audits could help alert IT staff to third-party shadow applications, noncompliance around personally identifiable information, compromised accounts, email phishing, inappropriately shared files and more. He noted that although Google has restricted students under 18 from authorizing certain applications, staff might still be able to, and that can lead to catastrophic results.

“Do you know where those FERPA documents are living that include Social Security numbers?” he asked, referring to the Family Educational Rights and Privacy Act. “Not just where they are living, but who has access to them. And then, how are they being shared, internally and externally, from your environment?”

Tip 2: Create and Enforce an Effective Password Policy

Schmidt noted that while password policies are a rather basic security step, they are important. Without a solid password policy that sets strong parameters or expiration dates, students might never change their passwords, creating vulnerabilities. He also said that in a recent school hack, one school had placed its password format (birth date and graduation year) on its website, making it easy for hackers to get into student files.

McPherson and Messinger said they were taking a variety of approaches to enforce their password policies among students. Those range from forcing password changes every 180 days to resetting to more complex passwords.

Tip 3: Make Multifactor Authentication Mandatory for Everyone

While some schools have made multifactor authentication mandatory for all staff, it’s uncommon to enforce MFA for students. Schmidt said it could help to prevent hacks and called it a second line of defense that works in conjunction with an effective password policy.

McPherson and Messinger said that while MFA is available for students at their schools, they have not yet turned it on. Instead, they have been focusing on rolling it out for staff. Messinger said his team had to devise a YubiKey solution for some staff who did not want to use their personal phones for authentication. One audience member at a private school noted that cost is what makes some schools hesitant to implement MFA for everyone; however, after a few student accounts at that school were breached, parents became supportive of implementing it.

Tip 4: Turn On Location-Based Access Control

Whether schools have 300 students or 100,000 students, they can face logins from multiple locations outside of their geographic region, especially after a third-party breach, Schmidt said, and IT must have a solution. IT teams can set up location-based access controls in their Google and Microsoft environments and set up alerts and remediation plans that could require suspending those accounts or resetting passwords.

McPherson said she has used location-based tracking to determine whether a student has violated the district’s acceptable use policy, as she can see the devices and the IPs from which students have logged in to their Chromebooks. She added that the tool is also useful for combatting student use of virtual private networks (VPNs).

Tip 5: Manage Third-Party Application Access and Permissions

Accessing certain third-party applications on school devices can result in a cybersecurity vulnerability or breach the school’s acceptable use policy. This is why school IT must maintain a tight rein on what applications or websites end users can access. Schmidt said that when teachers and students use their personal or district credentials to download certain productivity apps, games, dating sites, etc., they unknowingly expose data, so limiting those websites is crucial.

“Free isn’t free,” McPherson said. “You know that ‘free’ piece of software that you downloaded and put in all of your students' data, such as a name and a birthdate or student ID number? We still have to know about it so we use a third-party app policy tool as a regulation for software control, so we can revoke access and then prohibit it in the future.”

Tip 6: Turn On External Warning Messages

Sometimes, all it takes to prevent students and staff from falling into a phishing trap is a simple message warning them that they are contacting someone outside of the district. There’s not a lot of required training needed, Schmidt said: “It’s just another way to help train that user behavior to double-check things before they go ahead and send those emails out.”

Toni McPherson, Director of Network Services and Infrastructure at Humble Independent School District; Tom Schmidt, Senior Account Executive at ManagedMethods; and Steve Messinger, a Systems and Network Manager at Belton Independent School District, share security tips at TCEA 2025.

Tip 7: Set Up Confidential Mode

Schmidt said that turning on confidential mode for emails goes hand in hand with warning users when they could be unintentionally replying to people outside of the district. Confidential mode restricts sending sensitive information over email. Messinger said staff could be sending sensitive information to their spouses or tax professionals via email without realizing it. When people question why an email isn’t going through, he explains the security risk involved so they don’t repeat the mistake.

Tip 8: Enable Anti-Phishing Protections

“Google and Microsoft have great, built-in anti-phishing tools for free,” Schmidt said. “Being able to have those configurations set up to detect suspicious emails is great.”

However, Schmidt said, schools should still require training so members of the school community can better detect phishing attempts. Some training companies offer virtual, on-demand training, and others even gamify the information to increase engagement.

Tip 9: Set External Sharing Standards

Cloud collaboration tools make it easy for people to share documents, but that can sometimes lead to people sharing information that they shouldn’t, such as FERPA-protected data or individualized education program documents.

“People in a rush can share global links that give everyone edit permissions, or post links online to spreadsheets full of data,” Schmidt said.

Turning on native data loss prevention tools in Microsoft and Google that restrict external sharing can help prevent this, he explained. Messinger added that he also uses ManagedMethods’ robust DLP options, which give him visibility into the types of data that users are sending out.

McPherson added that she uses the tool to run reports, alert users, pull emails back, change permissions on certain files and educate users about necessary behavior changes.
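
The kind of external-sharing report this tip describes can be illustrated with a short script. This is an added example, not code from the panel or from any vendor tool: it audits constructed file records, shaped like Google Drive API v3 permission entries (`type`, `role`, `emailAddress`, `domain`), and ranks public edit links and external grants. The district domain and all file names are hypothetical.

```python
# Added example: rank risky sharing settings in a file-permission export.
# Records are constructed sample data shaped like Google Drive API v3
# permission resources (type, role, emailAddress, domain).

DISTRICT_DOMAIN = "district.example"  # hypothetical district domain
EDIT_ROLES = {"owner", "organizer", "fileOrganizer", "writer"}

SAMPLE_FILES = [  # constructed
    {"name": "IEP_roster.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "teacher@district.example"},
        {"type": "anyone", "role": "writer"},
    ]},
    {"name": "lunch_menu.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "office@district.example"},
        {"type": "anyone", "role": "reader"},
    ]},
    {"name": "grades_q2.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "teacher@district.example"},
        {"type": "user", "role": "writer", "emailAddress": "helper@gmail.example"},
        {"type": "domain", "role": "reader", "domain": "district.example"},
    ]},
    {"name": "staff_handbook.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr@district.example"},
        {"type": "domain", "role": "reader", "domain": "district.example"},
    ]},
]

def classify(perm):
    """Return a finding label for one permission, or None if internal."""
    can_edit = perm["role"] in EDIT_ROLES
    if perm["type"] == "anyone":  # "anyone with the link"
        return "public-link-edit" if can_edit else "public-link-view"
    if perm["type"] == "domain":
        grantee_domain = perm.get("domain", "")
    else:  # user or group; a missing address is treated as external
        grantee_domain = perm.get("emailAddress", "").rpartition("@")[2]
    if grantee_domain.lower() != DISTRICT_DOMAIN:
        return "external-edit" if can_edit else "external-view"
    return None

SEVERITY = {"public-link-edit": 0, "external-edit": 1,
            "public-link-view": 2, "external-view": 3}

def audit(files):
    """List (file, finding) pairs, most severe first."""
    findings = [(f["name"], label)
                for f in files
                for label in map(classify, f["permissions"]) if label]
    return sorted(findings, key=lambda x: (SEVERITY[x[1]], x[0]))
```

Calling `audit(SAMPLE_FILES)` puts the publicly editable roster first, followed by the external editor on the grades file and the public read-only link; the internal-only handbook produces no finding.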

Tip 10: Run an Annual Security Health Audit

Schmidt said that engaging a third party to run an annual security health audit is crucial. He said the audit can help IT address concerns that may have been overlooked for years. Messinger said he had done such audits at previous districts and the results were always eye-opening. He said one of the biggest challenges is that different IT team members may make changes over the years that are not documented, leaving later employees in the dark. An audit quickly brings the whole team up to speed on areas that need attention.

Photo by Taashi Rowe