Skip to main content

Navigation

Catalogue

Security Awareness Privacy & Compliance AI & LLM Security Real-World Incidents
Application Security Soon
API Security Soon
Cloud Security Soon

Features

Interactive 3D Training SCORM Cloud LMS Human Risk Score Risk-Based Automation All features

Simulations

Phishing Simulations Smishing Simulations
Vishing Simulations Soon

Company

Partners About Us Blog

Legal

Security & Compliance Privacy Policy Terms of Service
English Українська
Book a Demo

Security Awareness Training for Education

FERPA-aligned interactive simulations for K-12 districts, higher-ed institutions, and ed-tech teams. Phishing, ransomware, BEC, smishing, and student-data handling, mapped to FERPA, GLBA, and state student-privacy laws.

Why Schools Need More Than A Once-A-Year FERPA Slide Deck

Education has been the most-targeted public sector for ransomware in the United States for three years running, behind only healthcare overall. The K12 SIX cyber incident map records hundreds of publicly disclosed K-12 ransomware events since 2016, and EDUCAUSE tracks similar pressure on higher-ed networks. Most incidents start with a phishing email to a teacher, IT admin, or financial-aid officer.

FERPA does not name a training requirement word-for-word, but the U.S. Department of Education guidance and most accreditors expect schools to train staff on protecting personally identifiable information from education records. Higher-ed institutions handling federal student aid fall under the GLBA Safeguards Rule, which mandates a written information-security program with documented workforce training. State laws (SOPIPA in California, similar K-12 laws in 30+ states) add specific obligations.

RansomLeak delivers training that satisfies FERPA expectations, the GLBA Safeguards Rule, NIST 800-171 controls for federal-grant research, COPPA for K-12 under-13 services, and state student-privacy laws. Interactive 3D simulations rehearse the decisions school staff actually face: a tuition-redirect BEC, a "free textbook" smishing scam, a ransomware foothold from a teacher mailbox, an MFA bypass attempt on a grade portal.

Education-Specific Threat Patterns

1

Ransomware on K-12 districts

K12 SIX records district-level ransomware events in nearly every state. Most start with a phishing email opened by a teacher or office staff member. Training that rehearses report-before-open behavior pays back the program cost after a single avoided incident.

2

Phishing for SIS and grade-portal credentials

Student Information Systems (PowerSchool, Infinite Campus, Banner, Workday Student) hold complete student records and grade data. Attackers phish faculty and registrars to harvest credentials. Staff need pattern recognition specific to these systems.

3

BEC for tuition and financial-aid redirection

Higher-ed bursars and financial-aid offices process millions in tuition, refunds, and federal aid. BEC actors impersonate students requesting refund-account changes, or vendors changing wire instructions. Finance staff need scenario practice, not generic anti-phishing reminders.

4

Smishing scams targeting students and parents

Fake textbook offers, fake tuition payment notices, and fake scholarship awards arrive by SMS to students and parents. Customer-service and admissions teams need a verification habit and a clear escalation path when families report scams.

5

Research-data theft and MFA bypass

Research universities holding federal-grant data face nation-state reconnaissance and credential-theft attempts. Faculty and graduate research staff need MFA fatigue training, not a one-time MFA-setup walkthrough.

Compliance Frameworks This Page Covers

Mapping to the regulations that drive most education buying decisions.

FERPA

The Family Educational Rights and Privacy Act protects student education records. The Department of Education and most accreditors expect schools to train staff who access PII from education records on confidentiality, access controls, and disclosure rules.

GLBA Safeguards Rule (higher ed)

Higher-ed institutions participating in federal student aid programs are GLBA financial institutions. The Safeguards Rule under 16 CFR § 314 requires a written information-security program with named workforce-training elements.

State student-privacy laws

SOPIPA (California), New York Education Law 2-d, Connecticut PA 16-189, Colorado HB 16-1423, and 30+ similar laws layer specific training, contracting, and breach-response duties on top of FERPA.

COPPA (K-12 under 13)

Schools acting as agents for parental consent under COPPA must train staff who configure ed-tech vendor relationships, evaluate privacy policies, and handle under-13 student data.

NIST 800-171 (research data)

Universities receiving federal research grants with controlled unclassified information (CUI) follow NIST 800-171, which requires security awareness training for personnel handling CUI under control 3.2.

Featured Exercises for Education

Pulled from the 100+ exercise catalogue, prioritized for this industry.

Phishing Email Detection

Most education ransomware and credential-theft incidents start with phishing. This is the highest-leverage exercise across faculty, staff, and student workers.

Read the guide

Ransomware First-Hour Response

Walks IT staff and district-office leaders through containment decisions, reporting paths, and how to avoid the wrong actions during an active K-12 or campus incident.

Read the guide

Business Email Compromise

Tailored for bursars, financial-aid officers, AP staff, and vendor-management roles where tuition-redirect and refund fraud lands.

Read the guide

Smishing (SMS Phishing)

Admissions, registrar, and customer-service teams field reports of fake textbook, tuition, and scholarship texts targeting students and parents. Builds a clear escalation path.

Read the guide

Social Engineering Defense

Front-desk, advising, and IT help-desk roles need scenario practice for in-person and phone-based pretexting from fake parents, students, and auditors.

Read the guide

MFA Setup and Resistance

Covers MFA fatigue, push-bombing, and SIM-swap risks. Important for research faculty, IT, and any role with elevated access to SIS or research data.

Read the guide
See the full 100+ exercise catalogue

Threats this program covers

Read the pillar guide for each attack type and the exercises that train against it.

Phishing

Ransomware

AI Prompt Injection

Frequently Asked Questions

Does FERPA require security awareness training?

FERPA does not name a training requirement in the statute, but Department of Education guidance and most accreditors expect schools to train staff with access to education records on confidentiality, disclosure, and access-control rules. RansomLeak provides FERPA-mapped exercises and completion records for accreditation evidence.

How does this satisfy the GLBA Safeguards Rule for higher ed?

Higher-ed institutions participating in federal student aid programs are GLBA financial institutions. The Safeguards Rule at 16 CFR § 314.4(e) requires a documented training program. RansomLeak exercises map to GLBA Safeguards elements, including phishing, BEC, incident response, and access management.

How often does FERPA or GLBA training need to happen?

GLBA expects training at hire and ongoing reinforcement; the FTC has cited insufficient training in enforcement actions. FERPA does not specify a frequency. Most schools run at least one full refresh per year with monthly micro-modules and quarterly phishing simulations. RansomLeak supports all three rhythms.

Who in a school needs this training?

Every staff member with access to student PII. That includes teachers, IT and IS, registrars, bursars, financial aid, admissions, advising, athletics records, contractors with system access, and student workers in offices that touch SIS or financial data. K-12 districts often include school-board members and substitute teachers.

Can K-12 districts and universities use the same platform?

Yes. The catalogue is shared, but assignment templates differ by audience. K-12 templates emphasize ransomware response, phishing, smishing, and FERPA disclosure; higher-ed templates add GLBA, research-data MFA, COPPA-as-agent, and tuition-redirect BEC. Both run on the same platform with the same SCORM exports.

Does the platform integrate with our LMS?

Every exercise exports as SCORM 1.2 and 2004, tested with 50+ LMSes including Canvas, Blackboard, Moodle, D2L Brightspace, Schoology, and Workday. For institutions without a central LMS, the standalone cloud platform offers SSO, MFA, real-time analytics, and audit-ready reporting.

What does the audit evidence look like for accreditors?

Per-employee completion records, scores, time-to-complete, role assignments, and topic coverage maps. Reports export as PDF, CSV, and Excel for accreditor and FSA program-review evidence. The compliance-mapping page links each exercise to its specific FERPA, GLBA, or NIST 800-171 control.

References

Primary sources cited above.

Related Reading

Ransomware Awareness Training for Employees

Read article

Phishing Simulation Training Guide

Read article

Security Awareness Training Guide

Read article

Compliance Training for Regulated Industries

Read article

Free Security Awareness Training Options

Read article

See RansomLeak in Action

Try the free exercises or book a demo to see analytics, SCORM export, SSO, and custom content in your environment.

Request Demo Try Free Exercises