
10-Point School Cybersecurity Checklist

A printable, actionable checklist covering the 10 most critical cybersecurity measures every Philippine school should implement today.



Print this out, post it in your IT office, and check off each item. These are the 10 most impactful security measures a Philippine school can implement.


1. Enable Multi-Factor Authentication (MFA) on All Accounts

Why: 80% of breaches involve compromised credentials (Verizon DBIR). MFA blocks most of these attacks.

How:

  • Enable MFA on Google Workspace / Microsoft 365 admin
  • Require it for all teacher and admin accounts
  • Use authenticator apps (not SMS) when possible

Priority: CRITICAL — Do this first


2. Update and Patch All Systems

Why: Unpatched systems are the easiest targets for attackers.

How:

  • Enable automatic updates on all computers
  • Update your website CMS (WordPress, etc.) and plugins monthly
  • Update your Student Information System regularly
  • Replace systems that no longer receive security updates

Priority: CRITICAL


3. Implement Regular Backups (3-2-1 Rule)

Why: Ransomware can encrypt all your data. Backups are your insurance policy.

The 3-2-1 Rule:

  • 3 copies of your data
  • 2 different storage types (cloud + external drive)
  • 1 copy offsite/offline

How:

  • Set up daily automated backups of your SIS database
  • Keep at least one backup disconnected from the network
  • Test restoring from backups quarterly

Priority: CRITICAL


4. Train Staff on Phishing Recognition

Why: Phishing is the #1 attack vector against Philippine schools (see our breach tracker).

How:

  • Conduct quarterly phishing awareness sessions
  • Try the Phishing Awareness Quiz
  • Share examples of real phishing emails targeting schools
  • Establish a simple reporting procedure for suspicious emails

Priority: HIGH


5. Secure Your School Website

Why: Your website is your most visible attack surface.

How:

  • Install an SSL certificate (HTTPS)
  • Remove default admin URLs (/wp-admin, /administrator)
  • Use strong, unique passwords for CMS accounts
  • Install a web application firewall
  • See the Site Scanner

Priority: HIGH


6. Control Access to Student Data

Why: Not everyone needs access to everything.

How:

  • Implement role-based access controls
  • Teachers see only their students' data
  • Review access permissions quarterly
  • Remove access immediately when staff leave
  • Log who accesses sensitive records

Priority: HIGH
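
One way to express the access rules in this item, shown as an added example that is not code from the original page. The staff names, student IDs and record fields are constructed, and the registrar role with access to all records is an assumption.

```python
import datetime

# Constructed sample data: every name, ID and field below is hypothetical.
ROLES = {"t.reyes": "teacher", "t.cruz": "teacher", "r.santos": "registrar"}
ROSTER = {"t.reyes": {"S-001", "S-002"}, "t.cruz": {"S-003"}}
RECORDS = {
    "S-001": {"name": "Student A", "grade": 88},
    "S-002": {"name": "Student B", "grade": 91},
    "S-003": {"name": "Student C", "grade": 79},
}
AUDIT_LOG = []  # a real system would write this to append-only storage


def can_read(user, student_id):
    """Role-based decision with default deny."""
    role = ROLES.get(user)  # unknown or offboarded users have no role
    if role == "registrar":  # assumed role that may read every record
        return student_id in RECORDS
    if role == "teacher":  # teachers see only students on their own roster
        return student_id in ROSTER.get(user, set())
    return False


def read_record(user, student_id):
    """Return the record if permitted; log every attempt, allowed or denied."""
    ok = can_read(user, student_id)
    AUDIT_LOG.append({
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "user": user, "student": student_id,
        "result": "allow" if ok else "deny",
    })
    if not ok:
        raise PermissionError(f"{user} may not read {student_id}")
    return RECORDS[student_id]


def offboard(user):
    """Remove access immediately when a staff member leaves."""
    ROLES.pop(user, None)
    ROSTER.pop(user, None)


def quarterly_review():
    """Map each active user to the records they can reach, for the access review."""
    return {u: sorted(s for s in RECORDS if can_read(u, s)) for u in sorted(ROLES)}
```

Denied attempts are logged as well as allowed ones, so the audit log shows who tried to reach records outside their role.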


7. Secure Your Email Domain

Why: Attackers can spoof your school's email to send phishing emails to parents.

How:

Priority: MEDIUM


8. Appoint a Data Protection Officer

Why: Required by the Data Privacy Act. Someone must be responsible.

How:

  • Designate a DPO (can be IT coordinator, registrar, etc.)
  • Provide DPO training (NPC offers free resources)
  • Register with the NPC
  • Give the DPO authority to enforce privacy policies

Priority: MEDIUM (legally required)


9. Create an Incident Response Plan

Why: You don't want to figure out what to do during an actual breach.

How:

  • Document who does what when a breach occurs
  • Include NPC notification procedures (72-hour deadline)
  • Prepare parent notification templates
  • Practice the plan with a tabletop exercise annually
  • See our Incident Response Plan Generator

Priority: MEDIUM


10. Vet Your Third-Party Vendors

Why: Your school's data is only as secure as your weakest vendor.

How:

  • Ask vendors about their security practices
  • Require Data Processing Agreements
  • Check if vendors are NPC-registered
  • Ask about data encryption and access controls
  • Verify where data is stored (Philippines vs. overseas)

Priority: MEDIUM


How to Use This Checklist

  1. Start with items 1-3 — they prevent the most damage
  2. Score your school — take the Security Scorecard self-assessment
  3. Set deadlines — assign each item to a person with a due date
  4. Review quarterly — cybersecurity is ongoing, not a one-time project
  5. Report to leadership — show progress to your school board