Data protection for school-issued devices

Why Devices Deserve Better Protection

School-issued devices aren’t “nice-to-have” anymore — they’re the backbone of modern learning. In 1:1 programs, loaner initiatives, libraries, and classroom carts, laptops and Chromebooks have become the primary way students access lessons, complete assignments, join virtual classrooms, and stay connected with teachers. In many districts, a student’s day simply can’t happen without their device.

But the more schools rely on these endpoints, the more exposed they become. In 2025, the education sector faced more attacks than any other industry, averaging 4,388 cyberattacks per institution each week in Q2 alone, according to Check Point.

Combine that scale of exposure with tight budgets, small IT teams, and growing compliance pressure from laws like FERPA, and it becomes clear: devices need stronger, more intentional protection than ever before.

This guide breaks down what schools are really protecting, why student devices are such prime targets, and the practices districts should adopt to safeguard data

What Kind of Data Are We Protecting?

Not all school data is created equal, but much of it is protected. Under FERPA, schools are required to safeguard information that can identify a student or reveal details about their academic life. That includes more than just grades. School-issued devices can store or transmit all kinds of sensitive data, much of which qualifies as protected under the law.

Here’s a closer look at what’s on the line:

• Personally Identifiable Information (PII):
• This includes basic details like full names, home addresses, birthdates, and student ID numbers. PII is the foundation of a student’s digital identity and, when exposed, can open the door to phishing or identity theft.
• Educational Records:
• Think grades, transcripts, attendance logs, discipline notes, or academic evaluations. Under FERPA, these are considered “education records” when they’re maintained by the school or someone acting on its behalf.
• Health-related data:
• For students receiving special accommodations or with Individualized Education Programs (IEPs), devices may store or access medical documentation, diagnoses, or support plans, all of which fall under privacy protections.
• Usage data:
• When monitoring software is installed, devices can collect logs of browsing history, keystrokes, app usage, and more. While useful for safety and accountability, this information still counts as student data and must be handled with care.

Common Threats to School-Issued Device

Every school device handed to a student is a potential doorway for cyber threats, both accidental and intentional. With education being one of the most targeted sectors in 2025, schools are dealing with a steady stream of attacks, human errors, and vulnerabilities. Devices might be small, but the risks they carry are anything but. Here are some of the most common issues schools face today:

• Physical loss or theft
• Devices are easy to forget at a bus stop or leave behind in public places. Lost or stolen laptops can quickly turn into data breach incidents if they aren’t locked down or remotely managed.
• Unauthorized access
• Weak passwords, shared logins, and unattended screens leave the door open to misuse. According to the DBIR 2025, the use of stolen credentials accounted for 24% of hacking-based breaches in education.
• Malware or phishing attacks
• These threats are all too common in school environments. Malware was involved in 42% of breaches, with ransomware alone making up 30% of that group. Phishing still dominates social engineering attacks, 77% of that category, making it a top concern.
• Misuse by students or third parties
• Lending devices to friends or using them inappropriately can lead to both intentional misuse and unintentional exposure of private data. Internal actors accounted for 38% of incidents in the education sector.
• Insecure apps and shadow IT
• Unauthorized Chrome extensions, mobile apps, and browser tools might seem harmless, but they can introduce serious vulnerabilities. Without proper controls, students may unknowingly bypass filters and compromise device integrity.

Core Data Protection Practices for Schools

Protecting school data doesn’t have to be complicated, but it does have to be consistent. A few smart practices go a long way when they’re applied across every device and user. From locking down laptops to managing who can access what, these basics help schools avoid major headaches and stay on top of their data responsibilities.

Device Security

If the device isn’t protected, neither is the data on it. Every school-issued laptop, tablet, or Chromebook should follow a minimum security baseline. That means preventing unauthorized access, encrypting data at rest, and ensuring lost or idle devices don’t become easy targets. These steps are easy to implement and can make a significant difference.

• Require strong passwords or passcodes
• Enforce complexity requirements and prevent default or reused passwords. A simple PIN won’t cut it, especially if the device holds access to student records or school systems.
• Enable device encryption
• Use built-in tools like BitLocker (Windows) or FileVault (macOS) to ensure that if the device is stolen, the data stays unreadable without proper credentials.
• Use MDM (Mobile Device Management)
• MDM solutions let schools remotely configure settings, push updates, enforce policies, and lock or wipe devices if needed, critical for managing a distributed device fleet.
• Set up automatic locking and inactivity timeouts
• Idle devices should lock themselves after a short period. This simple setting prevents walk-by snooping or misuse in shared spaces like libraries or cafeterias.
• Enable device tracking
• With device tracking, IT teams can locate lost or stolen devices, view movement history, and recover them faster, especially when paired with remote lock or wipe tools. It’s one of the most effective ways to protect hardware and the data it carries.

User Access Controls

Not every user needs access to everything. Controlling who can do what on school-issued devices helps minimize risk and prevent accidents. Whether it’s a curious student or an over-permissioned staff account, access should be tailored to the role. These simple controls make a big difference in keeping systems organized and secure.

• Role-based permissions: student, teacher, admin
• Set up access so that each group only sees or interacts with what they need. For example, students shouldn’t have install rights, and teachers shouldn’t access admin tools unless required.
• Single sign-on (SSO) and identity federation
• Let users log in once to access multiple tools securely. SSO makes authentication easier for staff and students, and reduces the chance of password reuse or weak credentials across platforms.
• Multi-factor authentication for staff and privileged users
• Add an extra layer of security for accounts with elevated access, especially for administrators and IT staff. MFA can prevent a stolen password from becoming a full-blown breach.

Monitoring and Auditing

You can’t fix what you can’t see. Monitoring device activity helps schools catch issues early, whether it’s a phishing attempt, a suspicious login, or unauthorized software. It’s also important for compliance: showing that you’ve been keeping tabs on systems goes a long way when questions arise.

• Activity logging for compliance and accountability
• Track logins, file access, and changes to device settings. These logs can help during audits or investigations and give insight into how devices are being used.
• Alerting on suspicious activity
• Set up notifications for things like large downloads, access outside of school hours, or login attempts from unusual locations. These can be signs of compromise or misuse.
• Integration with SIEM or compliance platforms
• For larger school systems, connecting device activity to a security dashboard (SIEM) or compliance tool can help centralize monitoring and make incident response faster.

Data Retention & Deletion

Keeping student data on devices longer than needed increases the chances of exposure—and the consequences that come with it. That’s why schools need clear policies for how long data stays on a device, how it’s removed, and what happens during offboarding. These practices align with FERPA’s requirements around data access, correction, and responsible record management.

• Configure data wipe on lost/stolen devices
• Remote wipe capabilities are a must. If a device goes missing, wiping sensitive data helps prevent breaches and shows good-faith effort to comply with privacy obligations.
• Scheduled deletion of local and cached data
• Regular cleanup of temporary files, browser caches, and downloaded documents reduces the chance that outdated or forgotten data lingers unnecessarily on a device.
• Offboarding workflows for graduated students or ex-employees
• When users leave the system, devices should be reassigned or reset, and any associated records securely removed. This not only protects privacy, it helps keep your fleet organized and compliant.

Compliance Considerations

Schools that issue devices also take on legal responsibilities, starting with FERPA, which grants parents and eligible students the right to access, review, and request corrections to educational records, and restricts how personally identifiable information is shared. On top of that, state laws like SOPIPA (California) and NY Ed Law 2-d add more requirements around data privacy and security for K–12 students.

It’s not just internal systems that matter, third-party vendors also need to comply. Any service or tool that interacts with student data must follow FERPA guidelines and sign Data Processing Agreements (DPAs). Device protection tools like Prey can tailor their software deployments to support privacy compliance, ensuring visibility, control, and protection without overstepping into student monitoring. That balance is critical when data privacy, and compliance, is on the line.

How Prey Helps Protect Student Devices

Managing hundreds, or thousands, of school-issued devices is no small task. Prey helps IT teams keep track of assets, secure sensitive data, and respond quickly when something goes wrong. Its features are built with privacy in mind, supporting compliance with FERPA and relevant state privacy laws, while keeping protection practical and scalable.

Visibility + Responsibility = Protection

You can’t protect what you can’t see. For schools, that means knowing where devices are, who’s using them, and how they’re configured. And while it’s no secret that many schools don’t have the budget for high-end cybersecurity suites, that doesn’t mean they’re out of options. A well-thought-out device policy, paired with scalable tools and basic user training, goes a long way.

With the right setup, even a small IT team can manage hundreds of student devices without losing control. Solutions like Prey help keep eyes on the fleet, while clear policies and ongoing training empower staff and students to play their part. Protection doesn’t have to be expensive, but it does have to be intentional.

‍

‍