The education world has absorbed technology in the classroom at a gradual pace in the past few decades. But since 2020, with COVID-19 lockdowns and remote learning, technology in education has risen at an unprecedented pace.
More students than ever before are enrolled in learning management systems, interacting through video classes, submitting exclusively online work, and using several devices in their daily learning. This is exciting change. After roughly 100 years of a system that saw very little structural modification, we are witnessing a revolution in the way children learn.
But with this change comes new responsibilities for the educational institutions and the EdTech vendors providing services to their students.
The challenge of EdTech security
In a world where data leaks and security lapses are commonplace, schools, and the educational technology (EdTech) companies that provide services to them, are faced with concerns about the privacy of student information. These cybersecurity risks are serious enough that an executive order was recently issued to enhance security in any organization that serves the federal government — including EdTech companies with government contracts.
EdTech software houses an array of student information, often including phone numbers addresses, custodial rights, test scores, and even health information. Without appropriate security measures, this sensitive personal information is vulnerable.
Some risks — like phishing, zoombombing, malware, and denial of service — have become so widespread that the media hardly notes them anymore. The alarming incidents below are just a few attacks that are representative of the larger issue of cybersecurity in EdTech.
- In July 2019, Pearson Education experienced a data breach affecting nearly 13,000 school and university accounts. This included millions of student records and all their sensitive information.
- A ransomware attack shut down the largest New Mexico school district for two entire school days in January 2022.
- In 2019, the governor of Louisiana was forced to declare a state of emergency following cyber attacks on multiple government servers. School districts across the state were highly impacted as data became inaccessible.
- According to the K-12 Cybersecurity Resource Center, one school district in 2020 was robbed of a record $9.8 million as a result of a malicious spear phishing attack against a third-party vendor.
Security breaches can be devastating for EdTech companies. If they have failed to live up to the standards of education privacy regulations, their school partners are legally liable and they themselves are open to lawsuits. And, the loss of trust with users and partner organizations can be even more damaging to a company’s future.
Ready to take your EdTech security to the next level? Schedule a demo today to learn how Strike Graph can help.
How do I ensure my company’s EdTech security is up to the task?
This guide will help you understand EdTech-specific data privacy risks, cybersecurity standards and regulations that apply to EdTech, and the best way for EdTech companies to protect against cyberattacks. The more you understand, the better positioned your company will be to build trust with your customers and partners and avoid the negative consequences of a security breach.
Unique data privacy risks in EdTech security
Organizations in the education sphere collect a wide variety of data, which is unique in comparison to other industries. Students’ health, personal, and academic information, as well as parent data and third-party data, all may be stored over the duration of a child’s educational career — and after.
Understanding the risks that are unique to schools and EdTech companies that house this broad personal information and taking active measures to mitigate them builds trust with school partners, student users, and their families.
Risk 1: Insecure data storage and transfer. In EdTech, massive amounts of data need to be stored and transferred between locations or systems, putting your company at risk for data leaks and losses due to carelessness or malicious attacks.
Risk 2: Apps. EdTech apps, like all apps, are vulnerable to malware and phishing aimed at extracting sensitive information.
Risk 3: Third-party vendors. EdTech companies are often third-party vendors to schools, which are responsible for all of their vendors’ handling of personal information. If third-party vendors make inappropriate or harmful use of student data, such as advertising to minors, selling or renting student data, or storing student information for future use, the school is culpable. 70% of security breaches happen as a result of third-party vendor use.
Risk 4: Denial-of-service (DoS) and ransomware attacks. Denial of service (DoS) attacks overwhelm a system with information and prevent users from accessing your company’s systems or data. Ransomware is a type of malware specifically designed to extort money from its targets. At least 25 states reported this type of attack in their education systems in 2020
Data privacy regulations that apply to EdTech companies
Educational organizations take in the data of millions of our most vulnerable citizens — children, or people under 18 years old. In 1974, the Family Educational Rights to Privacy Act (FERPA) federally mandated the privacy of student educational records. Parents are guaranteed certain access to their child’s records, and schools must have written parental consent to share student data with any outside vendor. FERPA does not directly apply to EdTech companies, but schools interacting with third-party vendors are responsible for ensuring that those vendors are compliant with FERPA regulations.
In addition to FERPA, the following data privacy regulations also apply to the education realm:
- Children’s Online Privacy Protection Act (COPPA): This mandates parental consent for user information when the user is 13 years of age or younger on any online platform. When schools are acting as agents for the parents, COPPA applies.
- The Protection of Pupil Rights Amendment (PPRA): This measure gives parents the right to restrict the amount of personal information that a school can collect about their child.
- The Student Privacy Pledge: While not a legal regulation, hundreds of companies have pledged to safeguard student privacy during the maintenance, collection, and handling of personal student information.
- State legislation: Various states, including California, New York, and several more to come, are passing legislation specifically related to student privacy. These measures are in large part connected with how third-party vendors are allowed to deal with student information.
What’s tricky about FERPA and other legislation around education data, is that they are broad, rather vague guidelines, making them both easy and difficult to fulfill. There are no set criteria EdTech companies, schools, or districts must meet. This makes cybersecurity in EdTech feel a little like the Wild West.
Which cybersecurity standards are most likely to apply to EdTech companies?
There is a wide range of risks that companies serving schools have to consider, and a large swath of legislative measures that schools have to abide by. But thankfully, EdTech companies don’t have to be the pioneers of cybersecurity. Widely accepted industry standards already exist: SOC 2 (Systems and Organizations Controls 2), ISO 27001, and HIPAA. And thankfully, they all translate easily into the EdTech realm.
SOC 2 is a way for companies to demonstrate that they implement adequate security controls to prevent security breaches. Achieving SOC 2 compliance helps EdTech companies prove to potential school customers that they have taken all steps necessary to protect student data.
- ISO 27001 is another standard that is likely to apply to EdTech companies. This framework is the international standard for how to manage information within an information security management system (ISMS). ISO 27001 has been used for close to a decade and has been updated over time to adjust to changing market demands. ISO 27701 is a new privacy standard that, along with GDPR, will likely play a large role in EdTech security in the years ahead.
- HIPPA (Health Insurance Portability and Accountability Act) applies to any EdTech company that handles personal health information. Medical conditions, allergies, intellectual needs, insurance — all of this sensitive information may be stored by organizations in the education realm
Implementing EdTech security protections
Knowing all the risks associated with EdTech and the security standards that apply leaves us with the question: what really is the best way for EdTech companies to protect against cyberattacks?
A security compliance platform, like Strike Graph, allows you to identify your company’s unique risks, then implement controls to mitigate those security gaps. And, because Strike Graph takes a multi-framework approach, you can implement controls once and then apply them to SOC 2, ISO 27001, HIPAA, GDPR, and any other framework you determine you need now or in the future.
Strike Graph also eases the burden of managing security compliance long-term by spreading the responsibility across your entire team and automating ongoing evidence collection.
We also offer penetration testing, or pen testing, which simulates a real world cyberattack to identify any weaknesses in your systems.
The future of EdTech security
As cybersecurity regulations and expectations in the education sphere expand, EdTech companies’ success will depend more and more strongly on their ability to prove compliance with accepted cybersecurity standards to the school customers they hope to work with. Strike Graph has already helped many organizations — like NROC, a nonprofit that helps educational institutions meet privacy requirements — achieve SOC 2 compliance and prepare for expansion to future security frameworks. We look forward to helping many more EdTech companies achieve a strong security stance that builds trust and supports growth.