Cyber Planning for the Coming School Year
Texas school districts face one of the most challenging cyber risk environments. In 2026 alone, districts experienced disruptive ransomware attacks, vendor data breaches, and social engineering campaigns targeting both staff and students. Strengthening cybersecurity is essential for operational continuity, student privacy, and state compliance.
The beginning of a new school year is an ideal time for school districts to review cybersecurity practices.
Phishing and Social Engineering
Phishing is one of the leading causes of school cybersecurity incidents. Attackers frequently impersonate IT Help desks, principals and administrators, HR or finance departments, and EdTech vendors. Many schools support email, payroll, benefits, and student information, making staff more susceptible to carefully crafted messages.
Top priorities for the coming school year:
- Adopt mandatory annual cyber awareness and phishing training for all staff.
- Run ongoing phishing simulations and share the results with leadership.
- Implement multifactor authentication (MFA) for all district email accounts.
Improve Ransomware Readiness
Ransomware remains one of the most disruptive threats to school operations. In the last three years, multiple Texas districts have experienced financial losses, multi-day closures, locked student information systems (SIS), and compromised special education and health records.
Review and test backup strategies
- Keep backups offline or on a separate network segment to limit the spread of ransomware.
- Evaluate restoration procedures at least twice a year.
Update incident response plans to include:
- Communication roles
- Decision making authority
- TEA and legal reporting processes
- Parent notification protocols
- Recovery priorities (SIS, LMS, HR/payroll, network services)
Protect Student Data
Between SIS platforms, LMS, and classroom apps, student data can flow through many systems each day. Increased digital learning comes with many risks and district priorities should include:
- Creating a centralized software review process before teachers adopt new tools.
- Limiting data sharing to the minimum necessary for educational purposes.
- Requiring data privacy agreements (DPAs) for all vendors.
- Conducting regularly scheduled audits of access permissions for staff, substitute teachers, and contractors.
Strengthen Vendor Risk Management
Many breaches are caused by vendor vulnerabilities rather than the district’s own systems. With more EdTech tools introduced each year, vendor risk should be a top priority and districts should:
- Maintain a district-wide inventory of all apps and platforms used by staff and students.
- Require vendors to disclose how they store, encrypt, and protect district data.
- Select vendors with SOC2 independent security certifications.
- Ensure Data Privacy Agreements include:
- breach notification timelines
- limited access to student data
- strong security controls
Resource: The Texas Student Privacy Alliance offers a DPA template for reference.
Address Resource Constraints
Small IT teams are responsible for everything from device distribution to network security. There are ways to strengthen capacity:
- Participate in ESC cybersecurity training and tabletop exercises.
- Leverage TEA’s cybersecurity resources and guidance.
- Consider TASB Risk Management Fund (Fund) Cyber Liability and Security coverage.
Build a Culture of Cyber Awareness
Cybersecurity is not just an IT responsibility. It is a districtwide culture. Districts should provide clear, simple guidance for cyber safety and aim to communicate cyber reminders during staff meetings and in newsletters. Staff should be encouraged to report suspicious emails and strange device behaviors. When leadership, staff, teachers, and contractors understand their role, the district becomes increasingly safer.
Cybersecurity is not about perfection. It is about being proactive and prepared. Start today with one step and build from there. The Fund is here to help!
Explore cybersecurity support exclusively available to Fund members at no additional cost.

Ana Luevano
Ana Luevano joined TASB Risk Management Services in 2026. She brings 25 years of regulatory and cybersecurity experience from her roles in state government organizations. Her expertise provides school districts with guidance to strengthen their security posture by evaluating information security practices, establishing privacy and cybersecurity procedures, delivering cyber risk training, offering risk‑mitigation support, and helping foster a strong culture of cyber awareness.