Ransomware remains one of the most consequential cyber risks a school district faces, and the difference between a difficult week and a lost semester is usually preparation. Most districts can substantially reduce their risk with practical steps that don't require large budgets.
This checklist is designed for K-12 IT directors and technology coordinators. It focuses on what you can verify and improve now.
Backup Verification
Backups determine whether a ransomware incident is a recovery exercise or a negotiation, and attackers know it: backup infrastructure is a primary target in modern ransomware campaigns.
- Test restore procedures monthly. A backup that has never been restored is unverified. A monthly restore test confirms both the data and the procedure.
- Maintain offline or immutable copies. If your backups are accessible from the same network as your production systems, ransomware will encrypt them too.
- Verify backup scope. Confirm that SIS data, financial systems, email, and critical applications are all included.
- Document recovery time objectives. Know how long a full restore takes. If it's measured in weeks, you need a better strategy.
- Keep at least one backup generation air-gapped. Cloud backups with immutability flags are good. A physically disconnected copy is better.
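A restore drill expressed as code, added here as an example and not part of the original checklist: it writes a constructed backup archive with a SHA-256 manifest, restores it into a scratch directory, verifies every file against the manifest, and times the restore so the result can be compared with your documented RTO. The file names, contents and the 60-second RTO budget are assumptions for the demonstration.

```python
import hashlib
import io
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed sample data standing in for SIS and finance exports.
SAMPLE_FILES = {
    "sis/students.csv": b"id,name,grade\n1001,Alice,9\n1002,Bob,10\n",
    "finance/payroll.csv": b"period,total\n2024-03,123456.78\n",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_backup(files: dict, dest: Path) -> Path:
    """Write backup.tar.gz plus a sidecar manifest of SHA-256 hashes."""
    archive = dest / "backup.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    manifest = dest / "backup.manifest"
    manifest.write_text("".join(f"{sha256(d)}  {n}\n" for n, d in files.items()))
    return archive

def restore_and_verify(archive: Path, manifest: Path, rto_seconds: float) -> dict:
    """Restore into a scratch directory, check every manifest entry, time it."""
    start = time.monotonic()
    failures = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive)) as tar:
            for member in tar.getmembers():
                # Refuse archives that would write outside the scratch directory.
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    raise ValueError(f"unsafe path in archive: {member.name}")
                if member.isfile():
                    out = Path(scratch) / member.name
                    out.parent.mkdir(parents=True, exist_ok=True)
                    out.write_bytes(tar.extractfile(member).read())
        # The manifest, not the archive listing, decides what "complete" means.
        for line in manifest.read_text().splitlines():
            expected, name = line.split("  ", 1)
            path = Path(scratch) / name
            if not path.is_file() or sha256(path.read_bytes()) != expected:
                failures.append(name)
    elapsed = time.monotonic() - start
    return {"verified": not failures, "failures": failures,
            "elapsed_s": elapsed, "within_rto": elapsed <= rto_seconds}
```

Store the manifest with the offline copy, not only beside the live backup, so a tampered archive cannot bring a matching manifest with it.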
Network Segmentation
Flat networks allow attackers to move laterally from any compromised device to every system on the network.
- Separate student, staff, and IoT networks. Each should be on distinct VLANs with firewall rules controlling cross-traffic.
- Isolate critical systems. SIS, financial, and HR systems should be on restricted segments with access limited to authorized users and devices.
- Restrict RDP and remote management. These protocols should never be exposed to the internet. Verify with an external scan.
- Block SMB between workstations. Workstations rarely need to communicate directly with each other. This blocks a primary lateral movement technique.
Endpoint Protection
Every unmanaged device is a potential entry point.
- Deploy EDR on 100% of managed endpoints. Antivirus alone is insufficient. EDR provides detection and response capabilities that matter during an active attack.
- Maintain a complete device inventory. Devices missing from inventory are excluded from every control that follows. Include Chromebooks, tablets, IoT devices, and HVAC controllers.
- Enforce automatic patching. Critical patches should deploy within 72 hours. Operating system and browser updates are highest priority.
- Remove local admin rights. Users with admin rights can unknowingly install malware that bypasses security controls.
Email Security
Email remains the primary initial access vector for ransomware targeting education.
- Implement SPF, DKIM, and DMARC. These protocols prevent attackers from spoofing your domain to send phishing emails to your staff.
- Enable advanced threat protection. Most enterprise email platforms include attachment sandboxing and link scanning. Make sure they're turned on.
- Conduct regular phishing simulations. Monthly simulations with just-in-time training change behavior more effectively than annual awareness presentations.
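To check the SPF and DMARC items above, the following evaluator, added here as an example and not part of the original checklist, reads a domain's published records the way a receiving mail server would. The DNS answers are constructed strings for a fictional domain so the check runs offline; in practice you would fetch the TXT records for the domain and for _dmarc.<domain> with dnspython or `dig TXT`.

```python
import re

# Constructed DNS answers for a fictional district domain (example-k12.org is
# a placeholder, not a real district).
DOMAIN_TXT = ["google-site-verification=abc123", "v=spf1 include:_spf.google.com ~all"]
DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@example-k12.org"]

def evaluate_spf(txt_records):
    """Findings for the SPF record among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record; receivers cannot tell spoofed mail from yours"]
    if len(spf) > 1:
        return ["SPF: multiple records; RFC 7208 treats this as a permanent error"]
    terms = spf[0].split()[1:]
    # The trailing 'all' term decides what happens to senders not listed.
    term = next((t for t in terms if t.lstrip("+-~?") == "all"), "")
    if term in ("all", "+all"):
        return ["SPF: '+all' lets any sender pass"]
    if term in ("", "~all", "?all"):
        return ["SPF: no hard fail; use '-all' once the sender list is complete"]
    return ["SPF: ok"]

def evaluate_dmarc(txt_records):
    """Findings for the record published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record; spoofed mail is neither rejected nor reported"]
    tags = {k.lower(): v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", dmarc[0])}
    findings = []
    if tags.get("p", "none").lower() == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine, then reject")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; aggregate reports are discarded")
    return findings or ["DMARC: ok"]

# DKIM cannot be audited from these two names alone: its public key lives at
# <selector>._domainkey.<domain>, so you need each sending platform's selector.
```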
Identity and Access Management
Compromised credentials are among the most common entry points in ransomware incidents.
- Enforce MFA on all administrative accounts. This includes IT staff, payroll, SIS administrators, and any account with elevated privileges, with no exemptions for convenience.
- Enforce MFA on email for all staff. Email accounts with access to sensitive student or financial data need MFA protection.
- Eliminate shared accounts. Every action should be attributable to an individual. Shared accounts prevent forensic investigation and accountability.
- Review privileged access quarterly. Remove access that's no longer needed. Former employees, role changes, and temporary access should all be caught.
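A quarterly review of the items above can be scripted against an account export; the following is an added example, not part of the original checklist. It flags enabled privileged accounts without MFA, accounts with no sign-in inside the review window, and names that look like shared accounts, and it reports MFA coverage across privileged accounts. The CSV columns, role names and name hints are assumptions; a real export from your directory or identity provider will differ.

```python
import csv
import io
from datetime import date

# Constructed account export; a real one would come from your directory or
# identity provider.
ACCOUNT_EXPORT = """\
username,role,mfa_enrolled,last_login,enabled
jsmith,sis_admin,true,2024-03-01,true
payroll_shared,payroll,false,2024-02-28,true
oldtech,domain_admin,true,2023-09-15,true
frontdesk,helpdesk_admin,false,2024-03-02,true
mlee,teacher,false,2024-03-03,true
"""

PRIVILEGED_ROLES = {"sis_admin", "payroll", "domain_admin", "helpdesk_admin"}
SHARED_NAME_HINTS = ("shared", "frontdesk", "office", "generic", "test")
STALE_AFTER_DAYS = 90  # one quarter; matches the review cadence above

def privileged_rows(export_text):
    """Enabled accounts whose role is in the privileged set."""
    return [r for r in csv.DictReader(io.StringIO(export_text))
            if r["role"] in PRIVILEGED_ROLES and r["enabled"] == "true"]

def review_privileged_access(export_text, today):
    """Return (username, finding) pairs for enabled privileged accounts."""
    findings = []
    for row in privileged_rows(export_text):
        user = row["username"]
        if row["mfa_enrolled"] != "true":
            findings.append((user, "privileged account without MFA"))
        idle_days = (today - date.fromisoformat(row["last_login"])).days
        if idle_days > STALE_AFTER_DAYS:
            findings.append((user, f"no sign-in for {idle_days} days; confirm still needed"))
        if any(hint in user.lower() for hint in SHARED_NAME_HINTS):
            findings.append((user, "name suggests a shared account; assign to a person"))
    return findings

def mfa_coverage(export_text):
    """Fraction of enabled privileged accounts with MFA enrolled (0.0 to 1.0)."""
    rows = privileged_rows(export_text)
    return sum(r["mfa_enrolled"] == "true" for r in rows) / len(rows) if rows else 1.0
```

Anything below 100% on mfa_coverage is the list to close this week; the other findings feed the quarterly review.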
Incident Response Readiness
Ransomware incidents move quickly, and the early response depends on decisions, contacts, and procedures established in advance.
- Have a written incident response plan. It should include specific roles, communication procedures, and decision authority.
- Conduct a tabletop exercise annually. Walk through a realistic scenario with your leadership team. Document gaps and update the plan.
- Know your contacts. Cyber insurance carrier notification requirements, law enforcement contacts, and legal counsel should all be documented and accessible offline.
- Practice communication. Draft template communications for parents, staff, board, and media. Templates prepared in advance are consistently better than anything drafted mid-incident.
What to Do This Week
If this checklist feels overwhelming, start with three things:
- Verify your backups work. Actually restore a system. Time it.
- Check MFA coverage. Is it enforced on every administrative account?
- Block RDP externally. Run an external scan to confirm port 3389 isn't exposed.
These three actions address the most exploited weaknesses in K-12 ransomware attacks.