Just like any other organization connected to the internet, your edtech provider is more susceptible to ransomware than you might think. You must ask several questions before purchasing new tools and platforms for your district to keep students’ data safe.
On Dec. 28, the education software platform PowerSchool suffered a data breach that may have put students’ names, addresses, Social Security numbers and medical information at risk. The company, which serves more than 60 million students, announced in an update this week that it’s now notifying individuals who have been impacted.
“PowerSchool will begin to provide notification of the cybersecurity incident to current and former students (or their parents/guardians as applicable and educators whose information was determined to be involved,” the company wrote. You’re missing the other parentheses above.
How to maximize safety with edtech
The event is a wake-up call for district leaders already tasked with protecting their community’s data. When it comes to vetting edtech, leaders have no choice but to trust that student data is safe in the hands of a third party.
However, there is a list of questions you must ask before purchasing edtech that’ll leave you feeling more comfortable—or skeptical—of the product’s safety measures.
James Turgal, vice president of global cyber risk and board relations at Optiv, says when you add a third party to your IT ecosystem, your risk of a cyberattack doubles or even triples. To reduce the threat, educational leaders should ask each edtech vendor how they deploy their third-party risk management program. You can do so by:
- Conducting a thorough security assessment of the product, including all security documents, vulnerability assessments and incident history.
- Ensuring the edtech solution uses data encryption.
- Questioning the solution’s access to controls (role-based, least privilege and a fully functioning multi-factor authentication solution).
- Questioning the vendor’s internal security practices, such as whether they employ a software development lifecycle for coding; who the vendor’s third parties are; whether the vendor has been audited; and if there is an established patch management program.
- Getting it in writing. All the answers to the questions above need to be outlined in the contract between the educational institution and the edtech vendor, including vendor liability in case of a breach, immediate notice of a breach and your right to audit the vendor.
More from DA: FETC puts new CTE advancements in the spotlight
Sometimes, questions alone may not be enough, says Randy Rose, vice president of Security Operations and Intelligence at the Center for Internet Security. You must trust but verify your edtech vendors.
“It is perfectly fine, perhaps even necessary, to ask for proof,” says Rose. “If the organization has had a security audit recently, ask to see the report. If they are SOC II compliant, ask them to prove it with documentation. It is their job to prove to you that they have the ability to keep your data safe and secure.”
How to respond to a third-party breach
If a district edtech provider is attacked, you should scope the impact as quickly as possible, says Rose. Figuring out what was compromised and how it happened can help ensure your response efforts are targeted and resourced appropriately.
“It is not advisable to go in without a plan, so even before an incident occurs, the district should take the time to have both an incident response plan and a disaster recovery plan, and they should do their best to follow it during the incident,” Rose explains.
Incident response may not be an option if a third party is breached. However, Rose argues that it’s critical to do due diligence by determining if you are impacted even if there is a limit to what your systems can analyze.
“Be prepared to engage your legal counsel on the options available to you,” says Rose.
Finally, it’s important to work with incident response professionals who can provide hands-on guidance throughout the process.
“Many schools have cyber insurance policies that will need to be invoked,” says Rose. “Those can sometimes take a little bit of time to activate, however, so leaders may be looking for additional options. Any public school is eligible to receive free support from the Multi-State ISAC in an incident.”
Cybersecurity trends to be on the lookout for
Cybercriminals are engaging in new tactics to get hold of your district’s data, including the use of generative AI. Here are some trends to be on the lookout for as you begin making decisions about network security for the 2025-26 school year:
- Ransomware will be a primary concern as educational institutions are an increasingly attractive target.
- Attackers are lazy, so they’ll likely utilize AI to automate and personalize attacks.
- Ransomware attackers will increase their demand and use of double-extortion ransomware, which involves encrypting files and threatening to leak sensitive data.
- We can expect attacks on large third-party providers because a single successful attack can lead to the collection of data for innumerable organization.
