SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd


10-Point School Cybersecurity Checklist

A printable, actionable checklist covering the 10 most critical cybersecurity measures every Philippine school should implement today.

5 min read · checklist, cybersecurity, actionable

The 10-Point School Cybersecurity Checklist

Print this out, post it in your IT office, and check off each item. These are the 10 most impactful security measures a Philippine school can implement.


1. Enable Multi-Factor Authentication (MFA) on All Accounts

Why: 80% of breaches involve compromised credentials (Verizon DBIR). MFA blocks most of these attacks.

How:

  • Enable MFA on Google Workspace / Microsoft 365 admin
  • Require it for all teacher and admin accounts
  • Use authenticator apps (not SMS) when possible

Priority: CRITICAL — Do this first


2. Update and Patch All Systems

Why: Unpatched systems are the easiest targets for attackers.

How:

  • Enable automatic updates on all computers
  • Update your website CMS (WordPress, etc.) and plugins monthly
  • Update your Student Information System regularly
  • Replace systems that no longer receive security updates

Priority: CRITICAL


3. Implement Regular Backups (3-2-1 Rule)

Why: Ransomware can encrypt all your data. Backups are your insurance policy.

The 3-2-1 Rule:

  • 3 copies of your data
  • 2 different storage types (cloud + external drive)
  • 1 copy offsite/offline

How:

  • Set up daily automated backups of your SIS database
  • Keep at least one backup disconnected from the network
  • Test restoring from backups quarterly

Priority: CRITICAL
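
One way to turn the 3-2-1 rule and the three "How" items above into a repeatable check over a backup inventory. This is an added example, not a SchoolBreach.org tool; the Copy fields, the copy names, the dates and the 92-day reading of "quarterly" are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Copy:
    name: str
    media: str                      # storage type, e.g. "server-disk", "cloud"
    live: bool = False              # True for the production SIS database itself
    offsite: bool = False
    offline: bool = False           # disconnected from the network
    last_backup: Optional[date] = None
    last_restore_test: Optional[date] = None

def audit_321(copies, today):
    """Return findings against the checklist items; an empty list means all are met."""
    findings = []
    backups = [c for c in copies if not c.live]
    if len(copies) < 3:
        findings.append("fewer than 3 copies of the data")
    if len({c.media for c in copies}) < 2:
        findings.append("fewer than 2 storage types")
    if not any(c.offsite or c.offline for c in backups):
        findings.append("no offsite/offline copy")
    # An offsite cloud copy that stays online can still be reached by ransomware.
    if not any(c.offline for c in backups):
        findings.append("no backup disconnected from the network")
    newest = max((c.last_backup for c in backups if c.last_backup), default=None)
    if newest is None or today - newest > timedelta(days=1):
        findings.append("newest backup is more than one day old")
    tested = [c.last_restore_test for c in backups if c.last_restore_test]
    if not tested or today - max(tested) > timedelta(days=92):
        findings.append("no restore test in the last quarter")
    return findings

TODAY = date(2026, 3, 2)  # constructed date for the sample inventories
# Constructed inventory: counts as 3-2-1 on paper, but every copy is online and untested.
ONLINE_ONLY = [
    Copy("sis-db", "server-disk", live=True),
    Copy("nightly-dump", "server-disk", last_backup=date(2026, 3, 1)),
    Copy("cloud-sync", "cloud", offsite=True, last_backup=date(2026, 3, 2)),
]
# Constructed inventory: adds a rotated external drive and a recent restore test.
ROTATED = [
    Copy("sis-db", "server-disk", live=True),
    Copy("cloud-sync", "cloud", offsite=True, last_backup=date(2026, 3, 2),
         last_restore_test=date(2026, 1, 15)),
    Copy("usb-drive", "external-drive", offline=True, last_backup=date(2026, 2, 27)),
]
```

The first inventory passes the copy count and storage type checks yet still returns two findings, which is the gap the "disconnected" and "test restoring" items are meant to close.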


4. Train Staff on Phishing Recognition

Why: Phishing is the #1 attack vector against Philippine schools (see our breach tracker).

How:

  • Conduct quarterly phishing awareness sessions
  • Try the Phishing Awareness Quiz
  • Share examples of real phishing emails targeting schools
  • Establish a simple reporting procedure for suspicious emails

Priority: HIGH


5. Secure Your School Website

Why: Your website is your most visible attack surface.

How:

  • Install an SSL certificate (HTTPS)
  • Remove default admin URLs (/wp-admin, /administrator)
  • Use strong, unique passwords for CMS accounts
  • Install a web application firewall
  • See the Site Scanner

Priority: HIGH


6. Control Access to Student Data

Why: Not everyone needs access to everything.

How:

  • Implement role-based access controls
  • Teachers see only their students' data
  • Review access permissions quarterly
  • Remove access immediately when staff leave
  • Log who accesses sensitive records

Priority: HIGH
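
A sketch of how the access rules above fit together in one decision function: role-based field access, teachers limited to their own sections, disabled accounts refused, and every attempt logged. This is an added example, not code from any Student Information System; the role names, field names, student IDs and user names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data: the section each student belongs to.
STUDENT_SECTION = {"S-1001": "7-A", "S-1002": "7-B"}
# Fields each role may read; any role or field not listed here is denied.
ROLE_FIELDS = {
    "teacher": {"name", "grades"},
    "registrar": {"name", "grades", "address", "birth_date"},
}
AUDIT_LOG = []  # a real deployment would write to append-only storage

@dataclass
class Staff:
    user: str
    role: str
    sections: frozenset = frozenset()  # sections a teacher handles
    active: bool = True                # set to False the day the person leaves

def read_record(staff, student_id, fields):
    """Decide one read request, denying by default, and log the attempt."""
    if not staff.active:
        decision = "deny:account-disabled"
    elif student_id not in STUDENT_SECTION:
        decision = "deny:unknown-record"
    elif not set(fields) <= ROLE_FIELDS.get(staff.role, set()):
        decision = "deny:field-not-in-role"
    elif staff.role == "teacher" and STUDENT_SECTION[student_id] not in staff.sections:
        decision = "deny:not-own-student"
    else:
        decision = "allow"
    # Denied attempts are logged too; they are what a quarterly review looks for.
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": staff.user, "student": student_id,
        "fields": sorted(fields), "decision": decision,
    })
    return decision == "allow"

if __name__ == "__main__":
    teacher = Staff("t.santos", "teacher", frozenset({"7-A"}))
    print(read_record(teacher, "S-1001", {"grades"}))   # own student
    print(read_record(teacher, "S-1002", {"grades"}))   # another section
    teacher.active = False                              # staff member has left
    print(read_record(teacher, "S-1001", {"grades"}))
    for entry in AUDIT_LOG:
        print(entry["user"], entry["student"], entry["decision"])
```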


7. Secure Your Email Domain

Why: Attackers can spoof your school's email to send phishing emails to parents.

How:

  • Configure SPF records for your domain
  • Set up DKIM email signing
  • Implement a DMARC policy
  • See the Email Security Checklist

Priority: MEDIUM
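
To see what "configured" should mean for the three records above, the following added example audits a domain's published TXT records for the settings that leave spoofing possible. It is not a SchoolBreach.org tool; the records are constructed and passed in as a dictionary rather than fetched from DNS, and the domain school.example, the selector sel1 and the key value are placeholders.

```python
def _tags(record):
    """Parse the 'k=v; k=v' tag list used by DMARC and DKIM records."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_email_domain(domain, txt, dkim_selector):
    """txt maps a DNS name to its TXT strings. Returns a list of findings."""
    findings = []
    # SPF: exactly one v=spf1 record, ending in an 'all' that rejects other senders.
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append("spf: expected exactly one record, found %d" % len(spf))
    else:
        terms = spf[0].lower().split()[1:]
        alls = [t for t in terms if t.lstrip("+-~?") == "all"]
        if not alls and not any(t.startswith("redirect=") for t in terms):
            findings.append("spf: no 'all' mechanism")
        elif alls and alls[0][0] not in "-~":
            findings.append("spf: '%s' does not fail unlisted senders" % alls[0])
    # DMARC: published at _dmarc.<domain>; p=none only monitors.
    dmarc = [r for r in txt.get("_dmarc." + domain, [])
             if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("dmarc: no record")
    else:
        tags = _tags(dmarc[0])
        policy = tags.get("p", "missing").lower()
        if policy not in ("quarantine", "reject"):
            findings.append("dmarc: p=%s does not block spoofed mail" % policy)
        if "rua" not in tags:
            findings.append("dmarc: no rua address for aggregate reports")
    # DKIM: public key at <selector>._domainkey.<domain>; an empty p= means revoked.
    dkim = txt.get("%s._domainkey.%s" % (dkim_selector, domain), [])
    if not dkim or not _tags(dkim[0]).get("p"):
        findings.append("dkim: no public key for selector " + dkim_selector)
    return findings

# Constructed records: SPF exists but is neutral, DMARC is monitor-only, no DKIM key.
WEAK = {
    "school.example": ["v=spf1 include:_spf.google.com ?all"],
    "_dmarc.school.example": ["v=DMARC1; p=none"],
}
# Constructed records: the corrected configuration.
STRONG = {
    "school.example": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.school.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@school.example"],
    "sel1._domainkey.school.example": ["v=DKIM1; k=rsa; p=PLACEHOLDERKEY"],
}
```

The weak set is the common case where all three boxes look ticked in a DNS panel but parents can still receive mail forged from the school's domain.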


8. Appoint a Data Protection Officer

Why: Required by the Data Privacy Act. Someone must be responsible.

How:

  • Designate a DPO (can be IT coordinator, registrar, etc.)
  • Provide DPO training (NPC offers free resources)
  • Register with the NPC
  • Give the DPO authority to enforce privacy policies

Priority: MEDIUM (legally required)


9. Create an Incident Response Plan

Why: You don't want to figure out what to do during an actual breach.

How:

  • Document who does what when a breach occurs
  • Include NPC notification procedures (72-hour deadline)
  • Prepare parent notification templates
  • Practice the plan with a tabletop exercise annually
  • See our Incident Response Plan Template

Priority: MEDIUM


10. Vet Your Third-Party Vendors

Why: Your school's data is only as secure as your weakest vendor.

How:

  • Ask vendors about their security practices
  • Require Data Processing Agreements
  • Check if vendors are NPC-registered
  • Ask about data encryption and access controls
  • Verify where data is stored (Philippines vs. overseas)

Priority: MEDIUM


How to Use This Checklist

  1. Start with items 1-3 — they prevent the most damage
  2. Score your school — take the Security Scorecard self-assessment
  3. Set deadlines — assign each item to a person with a due date
  4. Review quarterly — cybersecurity is ongoing, not a one-time project
  5. Report to leadership — show progress to your school board