Campus Security Guide

The K-12 IT lead's first week: what to lock down.

A short, opinionated guide. What vendor-email-compromise actually looks like in your district, a six-step checklist that lands before the next board meeting, and the compliance facts (FERPA, COPPA, data residency) you need on one page so procurement does not become the bottleneck.

~ 8 minute read
Part 1 · The threats your district actually faces
01 · Vendor email compromise on AP

An email that looks like Pearson, an athletics vendor, or a transportation contractor lands in your AP inbox asking to update banking details on a 'past-due' invoice. The sender domain looks right at a glance, the cadence matches the real vendor, and the dollar amount is small enough to feel routine.

  • Watch the language: 'urgent', 'past due', 'updated remittance' on a familiar vendor name.
  • Banking changes should always be confirmed by phone, on a number already on file from the contract, never on one supplied in the email.
  • If the AP staffer is new, attackers know it. Pair newer staff with a verification routine they can lean on.
02 · Edtech impersonation

Fake quotes, license renewals, and proposal requests that mimic the curriculum or platform vendors your district already pays. The attacker wants either an outbound payment or an attached file opened.

  • Attachments and links from 'known vendors' deserve the same scrutiny as cold outreach.
  • Procurement should confirm contract numbers with the vendor's account team directly, not via reply.
03 · Manufactured urgency on the superintendent's name

A 'forwarded' message from the superintendent or business officer landing on someone with authority and visibility. The attacker has read the district's website, picked the right names, and timed the email to a window when verification is hard (Friday afternoon, board-meeting day).

  • Display names are not authentication. Hover-and-check the actual sender address, and remember that the address itself can be forged; that is what the mail-flow controls in Part 2 are for.
  • If anyone you don't normally hear from is asking for a wire or gift cards, that is the signal.
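The two checks above, as an added example that is not part of the original guide or of any product it mentions: a small PowerShell routine that splits a From: header into display name and address, then flags a protected person's name on an outside domain and vendor domains that differ from a real one by a homoglyph swap or a single character. The district domain, the protected names, the vendor domains and the sample headers are all constructed for the example.

```powershell
# Added example, not part of the original guide: a header check that makes the
# "display names are not authentication" point concrete. The district domain,
# protected names, vendor domains and sample From: headers are all constructed.
$DistrictDomains = @('district.org')                                     # assumption
$ProtectedPeople = @('Jane Rivera', 'Superintendent', 'Business Office') # assumption
$VendorDomains   = @('pearson.com', 'busco-transport.com')               # assumption

# Split "Display Name <user@domain>" (or a bare address) into its parts.
function Split-FromHeader {
    param([Parameter(Mandatory)][string]$From)
    if ($From -match '^\s*"?(?<name>[^"<]*?)"?\s*<(?<addr>[^>]+)>\s*$') {
        $name = $Matches['name'].Trim(); $addr = $Matches['addr'].Trim()
    } else {
        $name = ''; $addr = $From.Trim()
    }
    [pscustomobject]@{
        Name    = $name
        Address = $addr
        Domain  = ($addr -split '@')[-1].ToLowerInvariant()
    }
}

# Levenshtein distance, case-insensitive; catches one-character vendor lookalikes.
function Get-EditDistance {
    param([string]$A, [string]$B)
    $A = $A.ToLowerInvariant(); $B = $B.ToLowerInvariant()
    $prev = 0..$B.Length
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = @($i)
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $cur += [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

# Return the real vendor domain this domain imitates, or $null if it is a real
# vendor or unrelated. Common homoglyph swaps are folded before comparing.
function Get-LookalikeVendor {
    param([string]$Domain)
    $norm = $Domain.ToLowerInvariant().Replace('rn', 'm').Replace('0', 'o').Replace('1', 'l').Replace('vv', 'w')
    foreach ($v in $VendorDomains) {
        if ($Domain -eq $v) { return $null }
        if ($norm -eq $v -or (Get-EditDistance $Domain $v) -le 1) { return $v }
    }
    return $null
}

function Test-SuspiciousFrom {
    param([Parameter(Mandatory)][string]$From)
    $p = Split-FromHeader $From
    $reasons = @()
    $internal = $DistrictDomains -contains $p.Domain
    # A protected person's name on an address outside the district is the classic executive spoof.
    if ($p.Name -and -not $internal) {
        foreach ($person in $ProtectedPeople) {
            if ($p.Name -like "*$person*") { $reasons += "display name '$($p.Name)' on external address $($p.Address)" }
        }
    }
    $look = Get-LookalikeVendor $p.Domain
    if ($look) { $reasons += "domain $($p.Domain) imitates vendor $look" }
    [pscustomobject]@{ From = $From; Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ') }
}

# Constructed sample headers; the first and fourth are legitimate, the rest should be flagged.
$Samples = @(
    'Dr. Jane Rivera <jrivera@district.org>'
    'Dr. Jane Rivera <jane.rivera.supt@gmail.com>'
    '"Accounts Receivable" <ar@pears0n.com>'
    'Billing <invoices@pearson.com>'
    'Dispatch <ops@busco-transport.co>'
)
$Samples | ForEach-Object { Test-SuspiciousFrom $_ } | Format-Table -AutoSize -Wrap
```

Note what this does not do: it trusts the header From: address. That address can itself be forged, so this is a teaching aid for the hover-and-check habit, not a replacement for the spoof and impersonation controls in Part 2, which apply the same idea across every inbox using the platform's own authentication signals.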
04 · Student-facing scams that pull staff in

FAFSA phishing, fake scholarships, housing-deposit fraud — these target students, but they often turn into staff workload (counseling, IT, financial-aid recovery). Protecting students is protecting the institution's time.

  • A surge of 'aid status' emails in the same week is the signal of an active scam campaign hitting your students.
  • Counselor and registrar inboxes are the early-warning system; brief them every term.

Part 2 · First-week checklist

Six items, in this order, starting Monday.

  1. Inventory the email surface
    List every group inbox that authorizes spend or accesses student records: AP, athletics, food service, transportation, financial aid, principal's office, board secretary. These are the surfaces attackers research.
  2. Lock down banking-change procedure
    Write it down in one paragraph: any vendor banking change requires a phone call to a number from your existing contract (never one supplied in the request), made by a second staff member, on a different day. Post it in the AP team's workspace.
  3. Turn on spoof and impersonation protection in Microsoft 365
    These are two different controls in the anti-phishing policy. Spoof intelligence is part of Exchange Online Protection, so every plan has it: it acts on mail whose sender domain fails authentication. User and domain impersonation protection is what catches the superintendent's name on an outside address or a look-alike vendor domain; it is a Defender for Office 365 feature and is not in every education plan, so confirm your license before you count on it. Add the superintendent, business officer and board members to the protected users, and your major vendor domains to the protected domains.
  4. Run a shadow period before flipping verdicts on
    Whatever message-scoring tool you use (suss. or otherwise), let it run alongside production for 30 to 60 days with verdicts logged but hidden from end users. Review the log weekly against your vendor list and seasonal cadence (enrollment, athletics season, fiscal year-end), count the false positives, and only enforce once that rate is one you can live with.
  5. Get HECVAT-ready answers in one folder
    Ask every vendor for a completed HECVAT Lite (the EDUCAUSE vendor security questionnaire) at minimum, and keep the returned answers in one folder indexed by: data residency, FERPA stance, sub-processor list, breach notification terms, insurance certificates.
  6. Brief board, AP, and athletics on one slide
    Three sentences each. What an attack looks like, what you do when you suspect one, who to call. The point isn't training; it's a shared muscle memory that the second look is the policy.

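Steps 1, 3 and 4 as Exchange Online PowerShell, added here as an example and not taken from the guide or from any vendor: it lists the shared and group mailboxes to inventory, sets spoof intelligence and impersonation protection on the default anti-phishing policy, and starts the shadow period by BCCing impersonation hits to a review mailbox instead of blocking them. The admin account, the protected people, the vendor domains and the review mailbox are assumptions; the impersonation parameters need a Defender for Office 365 license and will error without one.

```powershell
# Added example, not from the guide: Exchange Online PowerShell for checklist
# steps 1, 3 and 4. Needs the ExchangeOnlineManagement module and an Exchange
# admin role. Every name, address and domain below is an assumption.
Connect-ExchangeOnline -UserPrincipalName admin@district.org   # assumption

# Step 1: inventory the shared and group inboxes that can authorize spend or see records.
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress | Sort-Object DisplayName
Get-DistributionGroup -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress | Sort-Object DisplayName

# Step 3: spoof intelligence (EOP) plus user/domain impersonation protection
# (Defender for Office 365) on the default anti-phishing policy.
$protected = @(                                         # "Display Name;address" entries, assumptions
    'Jane Rivera;jrivera@district.org',                 # superintendent
    'Marcus Chen;mchen@district.org',                   # business officer
    'Board President;board.president@district.org'
)
$vendorDomains = @('pearson.com', 'busco-transport.com') # assumption: from the contract folder
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction MoveToJmf `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $protected `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect $vendorDomains `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -EnableUnauthenticatedSender $true `
    -EnableViaTag $true

# Step 4: shadow period. BCC every impersonation hit to a review mailbox rather than
# blocking it; triage that mailbox for 30 to 60 days and tune the protected lists.
$review = 'phish-review@district.org'                   # assumption
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -TargetedUserProtectionAction BccMessage `
    -TargetedUserActionRecipients $review `
    -TargetedDomainProtectionAction BccMessage `
    -TargetedDomainActionRecipients $review `
    -MailboxIntelligenceProtectionAction BccMessage `
    -MailboxIntelligenceProtectionActionRecipients $review

# After the shadow window, flip the same three actions to enforcement:
# Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
#     -TargetedUserProtectionAction Quarantine `
#     -TargetedDomainProtectionAction Quarantine `
#     -MailboxIntelligenceProtectionAction Quarantine
```

The BCC-first arrangement is the platform-native version of the shadow period: users see nothing different, the review mailbox shows exactly what would have been quarantined, and the step-1 inventory tells you which hits matter most (a flagged message to AP or the board secretary gets looked at the same day).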
Part 3 · Compliance facts

Keep this list in one place.

FERPA
Anything that touches education records is FERPA. If a third-party tool sees student PII, confirm in writing that it is not retained beyond what the service needs, not used for model training, and not shared beyond the sub-processors the vendor has listed. 'FERPA-aware' is acceptable; 'FERPA-certified' does not exist.
COPPA (if K-8)
Tools used by under-13 students need verifiable parental consent or a school-as-agent provision. Confirm with district counsel.
Data residency
Many districts require US-hosted processing. Ask vendors where data is stored and processed, and where sub-processors operate.
Breach notification
Get the SLA in writing, with the clock starting at the vendor's discovery of the incident rather than the end of its investigation. 24 hours from discovery is becoming standard in district contracts, and state law may separately require district notice to families within a specific window.

Want this running inside your district's inbox?

suss. catches the patterns in this guide before they turn into a wire. Native to Microsoft 365, FERPA-aware, US-hosted, deployable in shadow first.