The Role of EdTech Vendors in Strengthening Cybersecurity

Limited education budgets and a sudden transition to online learning left many schools with inadequate security and user training in 2020 and 2021.

Between August and September of 2020 (when many classes were remote), 57% of ransomware attacks targeted public schools, up 29% from earlier in the year.

While the issues of cybersecurity are often due to resource limitations and infrastructure issues within educational institutions, third-party vendors also play a role in the security of schools’ systems and data.

To uncover more about the role EdTech companies play in cybersecurity, we asked EdTech and security professionals about the state of security in the field, as well as how EdTech providers can mitigate threats. Here are the key takeaways:

• What’s at risk in education cyber attacks?
• How EdTech providers support and hinder cybersecurity
• What EdTech companies can do to prevent cyber attacks

What’s at risk in education cyber attacks?

Cyber attacks aren’t just costly in terms of dollars, resources, and time, but in terms of exposing student data. Bill Lawrence, Chief Information Security Officer at SecurityGate.io, explained:

"The worst aspects of these attacks are actually not the financial and reputational damage to the education institutions. Rather, it is the loss of the extremely sensitive personally identifiable information from the students, that has been the combination of social security numbers, birthdates, addresses, and even health information. Criminals can and have used this information to impersonate and cyber stalk students or even obtain credit in their names."

Bill Lawrence, Chief Information Security Officer, SecurityGate.io

How EdTech providers support and hinder cybersecurity

In many ways, EdTech platforms have helped improve accessibility to education, as well as the quality of learning. However, security features vary considerably from company to company—some vendors have even stronger security than the institutions they sell into, while others are far behind in their commitment to security.

Purander Das, Co-Founder and Chief Security Evangelist at Sotero, felt that EdTech providers aren’t focused enough on security:

"EdTech providers are solely focused on building product functionality. Many of them aim to meet a minimal set of security features to be viable. Beyond that, security of data does not get prioritized to the extent that it needs to be."

Purandar Das, Co-Founder and chief security evangelist, Sotero

Keatron Evans, instructor, author and Principal Security Researcher at Infosec Institute, offered a somewhat alternative opinion: that while some vendors have questionable security standards, they’re not any worse than the institutions that employ them. In some cases, a secure EdTech provider can "greatly improve" an institution’s level of security. He shared:

"Some of the larger EdTech providers already have solid security programs in place and this posture is loosely extended to their providing service to schools. In many cases, a school’s cybersecurity posture is greatly improved by bringing in a capable and security-minded EdTech partner. Especially when it comes to EdTech providers who focus on cybersecurity education and training specifically, allowing the entire school to improve their security posture and practices. On the other hand, there are certainly some EdTech partners with bad cybersecurity hygiene, but most are not worse than what already exists in some schools."

Keatron Evans, Instructor & Author, Principal Security Researcher at Infosec Institute

What EdTech companies can do to prevent cyber attacks

EdTech and security experts advised a variety of measures companies can take to improve cybersecurity to protect their customers. On the technical side, Andrew Plato, CEO of Zenaciti, shared:

"The answer for EdTech is to build pre-engineered, standardized, fully managed cloud-based solutions—products that include the patching, updating, and security monitoring necessary to keep the software secure. When systems are standardized, they are easier to configure, easier to secure, and easier to recover if there is an attack."

Andrew Plato, CEO of Zenaciti

Ari Jacoby, CEO of Deduce, said that one of the most useful features to include in EdTech platforms is real-time behavioral data to secure user accounts. He explained:

"As bad guys are shifting the bullseye increasingly to the cloud, we’re seeing a massive need to grow the cloud identity layer that draws on real-time behavioral intelligence—not stale scraped data—to monitor and validate consumer logins and account activity."

Ari Jacoby, CEO of Deduce

On the training side, Keatron Evans suggested that EdTech companies should play a role in supporting internal initiatives to train staff and students.

"EdTech companies really have to step up their own diligence and knowledge in cybersecurity areas. They should be willing cybersecurity partners and advocates of cybersecurity education and awareness for the schools they provide EdTech for. EdTech companies should definitely be involved in regular skills updating in order to make sure they are up to speed and knowledgeable about the latest threats so they can transfer the knowledge and information to the students and schools."

Keatron Evans, Instructor & Author, Principal Security Researcher at Infosec Institute

The Responsibility and Opportunity for EdTech Vendors

As educational institutions look to improve their security measures, EdTech vendors are likely to come under greater scrutiny. Companies who can demonstrate a commitment to cybersecurity, both in their platforms and in supporting training initiatives among staff and students, face a new opportunity to differentiate from the competition.