In K–12 school districts, cybersecurity is not just the responsibility of the IT team. Teachers, staff and students all have a responsibility to help keep student and district data out of the hands of cybercriminals. At FETC 2026, IT leaders shared examples of processes and technology that help create an overall culture of cybersecurity in their districts.
“You have to create security within the culture,” said Ozzie Vargas, manager of security solutions at CDW. “You have to make sure the processes, people and technology are blended. They go hand in hand. You can’t have one without the others. Build strong partnerships, internally and externally — students, staff, administration. Everybody has to be part of the process so that we can win the battle.”
Cybersecurity is everyone’s job, Vargas said, and that means IT teams must support inclusive, continual, districtwide behavior and governance best practices buttressed by cohesive frameworks and trusted partners. Having the right tools in place also helps.
“It’s about creating efficiency,” he said. “It’s about rationalizing your portfolio so that you can do more with less. What are some things that we can do more efficiently, that we can do better at a lesser cost?”
Click the banner below for the tools you need for your K–12 environment.
Identity and Access Management Tools Secure User Credentials
Identity and access management (IAM) is one tool that goes a long way toward securing a district’s network. According to Neeraj Kapur, executive director IT of infrastructure operations at the Orange County Public School District in Florida, 90% of cyberattacks on K–12 districts come from phishing attacks.
“When you think you’ve closed all of the security gaps, your employee clicks that one phishing email and they can bring down the entire district,” he said. This is why securing identities is vital.
“We’re no longer protecting the perimeter with firewalls and different security products,” Kapur said. “We are we are protecting identities. Identity is the new perimeter.”
Because of this, tools such as IAM, single sign-on, multifactor authentication and privileged access management should all work together to ensure users are who they say they are and are accessing only the data they have permission to access. These tools also streamline the sign-in process for users, so maintaining this identity security is as user-friendly as possible. Education is also a crucial element.
WATCH: Four security trends to pay attention to in 2026.
“I can’t stress how important training and awareness is,” Kapur said. “You want to educate on phishing and social engineering risks. Educate on strong password practices and the importance of protecting privileged accounts.”
Talking about cyberattacks in other districts with the school board and other officials can also be eye-opening, he said. Pointing out how holes in your district are similar to those at a district that was compromised can be persuasive in getting board approval to implement new safeguards. Working with trusted vendors is also important.
“Do your due diligence and make sure that you’re getting a reputable company who specializes in your industry vertical,” Kapur said.
Click the banner below to subscribe to our newsletter keep up with our FETC coverage.
Software Policies Protect Student Data
Free and subscription-based software can be tempting for teachers, staff or students to install on their district-issued devices, but it’s not always as simple or secure as they might think. Many of these tools require some level of personally identifiable information, said Phil Hintz, CTO of Niles Township High School District 219 in Illinois — and if that’s the case, the IT department needs to be involved.
“My general rule of thumb in our district is if it involves any more than a student’s first name, you’re not allowed to use that platform or that software until we get the data privacy agreement,” he said. “If there’s a last name or an email address, that’s personally identifiable information. It can all be tracked back to someone to identify them, so anything more than a first name is too much information.”
DISCOVER: Social engineering compromises district identities.
Niles Township requires a data privacy agreement from all software vendors to ensure student data is protected. Hintz also mentioned statewide initiatives and resources in Illinois that aim to help districts protect student data within ed tech products. The Illinois-National Data Privacy Agreement, for example, is a resource that helps districts set expectations with vendors. And the Student Online Personal Protection Act regulates how these vendors use student data.
Data privacy risks might be common knowledge to the IT team, but teachers and students might not understand what’s at stake, which is why education is vital, Hintz said.
“It’s quite common for students to find apps on their own that they wish to use to be creative,” he said. “But it becomes a teachable moment for the student about the risks that must be taken into account. It’s a chance to educate the parents too. Maybe the parents weren’t aware that little Johnny found this wonderful app and has already given his personally identifiable information to that company so that he could use it. Maybe the parents don’t realize that their kid’s data is out there.”
Teachers should also understand why there might be roadblocks to installing something that they might find beneficial for their classroom, whether it’s a teaching and learning tool or something to help with assessments, Hintz said.
“Teachers always say, ‘You tech people are always the no people. You’re always saying no, no, no. How are we supposed to do our job?’” he said. “I try to be a ‘Yes, and,’ or a ‘No, but,’ person to be able to get to a workable solution in any way possible. But teachers need to be educated about why this is important.” IT teams should provide clear explanations of their decisions and provide alternative tools to use in the meantime, if possible, Hintz said.
This all comes down to digital citizenship, a core professional practice for teachers, he said. Ensuring that teachers are aware of federal and state privacy laws and their importance and are able to pass those lessons along to their students will go a long way toward establishing a data privacy culture in a district.
Hintz provided some questions for teachers to pose to students to get the conversation started: Did you have to make an account to start using the app? If so, did you have to provide personal information? Does the app require parental permission? Who has access to your email and other information now that you’ve created this account? Does the app collect additional information, such as location or content? All of this information can be found in an app’s privacy policy.
Solid data privacy practices are required in school districts, but they’re also good practices for everyone to apply to their lives, inside or outside of a school setting, Hintz said.
“Student data privacy matters for a number of reasons, but it’s also not just student data privacy,” he said. “It’s employee data privacy. It's human data privacy."
Visit this page to see all of our coverage of FETC 2026.
