Operational Security (OPSEC) is the practice of protecting sensitive information and school systems from unauthorized access, misuse, or data leaks. In a K–12 environment, strong OPSEC habits help safeguard students’ personal information, maintain trust, and ensure uninterrupted learning.
This guide outlines practical steps teachers, staff, and students can take to enhance their security awareness and daily practices.
Understanding OPSEC in Schools
OPSEC isn’t just for IT professionals, it is everyone’s responsibility. For schools, OPSEC means:
- Protecting personal data (student records, grades, and contact info)
- Securing logins and online classroom platforms
- Preventing phishing and social engineering attacks
- Ensuring safe use of school-issued devices and networks
Password and Account Security
For Staff:
- Use strong, unique passwords for every account (minimum 8 characters; include a mix of lowercase and capital letters, numbers, and symbols).
- Enable Multi-Factor Authentication (MFA) wherever possible, especially for SIS, LMS, and email systems.
- Never share login credentials with students or colleagues.
- *Change passwords immediately if you suspect a compromise.
*Note: If you do not know how to change your password, please refer to the following article: https://support.highlandschools.org/knowledge-base/change-your-password/)
For Students:
- Keep your password private; never share it with friends.
- Log out of shared devices when finished.
- If you forget your password, contact the help desk, don’t try to reset someone else’s for them.
Email and Phishing Awareness
Phishing is one of the most common cyber threats in education. Please refer to the following article to learn more about phishing in-depth: https://support.highlandschools.org/knowledge-base/phishing-101/
Below are some general tips and practices to follow to avoid phishing attempts.
Best Practices:
- Don’t click suspicious links or attachments in emails.
- Verify unexpected messages that request sensitive information.
- Report suspicious emails to the help desk or IT department.
- Remind students not to respond to strangers via school email.
Example Red Flags:
- Misspelled sender names (e.g., “admin@sch00l.net”)
- Urgent language (“Your account will be locked!”)
- Unusual requests for passwords or payment
Device and Data Protection
For School Devices:
- Lock devices when away from your desk or computer.
- Keep devices updated, have your IT department install system and browser updates if not done automatically.
- Use only approved software and apps.
- Try not to store sensitive documents or data on USB drives or local desktops. Instead, use cloud storage approved by the district when possible. (e.g, Google Drive)
For Students Using School Devices:
- Only access approved educational websites.
- Report any strange pop-ups or system messages to a teacher or tech support.
- Handle devices carefully, as physical damage can lead to security issues.
Safe Internet and Social Media Use
- Think before posting: Avoid sharing school schedules, student information, or personal contact details online.
- It is recommended for staff to keep personal and professional social media separate.
- Students should avoid sharing identifiable school information (like ID numbers or locations) on social media.
Incident Reporting
Prompt incident reporting will help prevent further damage. If you notice:
- Suspicious emails
- Unexpected logouts or password changes
- Lost or stolen devices
- Data that seems altered or missing
Contact the IT department or let a staff member know as soon as possible, as early reporting helps contain threats and protect the entire school community.
Ongoing Training and Awareness
- Participate in annual cybersecurity and OPSEC training.
- Share real-world examples with students to build awareness.
- Encourage a “see something, say something” culture for digital safety.
Finishing Thoughts
Security isn’t a one-time action; it’s a habit that needs to be practiced. By doing so, we can ensure a safer, more secure learning environment for everyone.