Vendor security is an important concern for school districts as students become digitally native at young ages. Educators can use this technological proficiency to maximize students’ learning potential when harnessed correctly. However, the dark side of increased internet access raises concerns about the safety of third-party-provided applications.
Districts are often scrambling for ways to ensure the integrity of the apps kids are using. While TikTok may be touted as having education-enhancing properties, America hasn’t imposed guardrails on the application’s reach into the classroom as some other countries have. The BBC reports that Douyin, China’s equivalent to TikTok, boasts an in-app design that limits a child’s presence on the app to 40 minutes per day. While we’re not there yet, there’s no doubt many educators would appreciate a little self-regulation from the vendor-provided platforms showing up in their classrooms.
They’re not the only ones expressing concern. Worry over data breaches, account takeovers, cyber attacks, and exposure to apps like OnlyFans and Chaturbate has left many district administrators pacing their offices while vendor app audit results load on their workstations.
Although there’s no easy answer, vendor risk management is a hot-button topic in K-12. Here we will provide insight into how you can mitigate the risk and streamline your vetting and monitoring processes.
What is vendor risk management?
Put simply, third-party risk management addresses the data security and student safety concerns described above, which are created by access to third-party applications. According to K12 SIX, the most significant threat to school data comes from third-party vendors, who were responsible for the majority of cyber incidents and data breaches in 2021.
The Record reports that incidents like the Battelle for Kids breach, a ransomware attack affecting 500,000 students and 60,000 teachers in the Chicago area, led to cybersecurity policies like StateRAMP. The nonprofit aims to standardize cybersecurity efforts in the education space, focusing on K-12 entities.
School districts must implement best practice guidelines to effectively manage and reduce their potential attack surface. The basic tenets of a solid third-party risk management program will ensure that:
- Managing future risks takes less time and fewer resources
- School-vendor relationships are fully understood on both sides
- The quality of service isn’t damaged
- Critical applications are available when you need them
- You can focus on more essential operations of the school
Before we discuss identifying threats and implementing risk management protocols, let’s take time to make a distinction.
Despite the need for vigilance about third-party applications, it’s important to note that most apps accessible to students aren’t malicious. On the contrary, they’re often designed with the best intentions to further their intended audience’s education and entertainment.
However, malicious actors may use these apps to infiltrate networks and devices. By taking advantage of user permissions that administrators have authorized, cybercriminals gain backdoor access to a district’s systems and are free to operate beneath your monitoring radar.
So, how do you identify where the risks lie?
6 types of third-party vendor risks
Let’s examine the types of risks commonly associated with third-party cloud vendors.
- Privacy risks
Unauthorized student data exposure ranks highly among district administrators’ leading concerns. For example, the U.S. Securities and Exchange Commission (SEC) reported that Pearson plc, a London-based educational publishing company, misled investors about a cyber intrusion that resulted in the theft of millions of student records. The attack exposed student birth dates and email addresses, amongst other private information.
- Data security risks
Data breaches were amongst the top cybersecurity incidents reported among educators in 2021. According to Tech Reformers, 62 K-12 districts across 24 states reported ransomware cybersecurity incidents. In addition, third-party vendor ransomware was the top threat for the first time in 2021, followed by common occurrences such as data breaches and class meeting invasions.
- Regulatory compliance risks
The CDC lists the Family Educational Rights and Privacy Act (FERPA) as prohibiting disclosure of personally identifiable information (PII) in education records without the written consent of an eligible student or their parents. Cyberattacks that expose PII put school districts at risk of losing federal funding resulting from compliance violations.
- Legal risks
K-12 school districts are also exposed to legal liabilities and lawsuits from data breaches and PII violations. Vendor risk management is an essential component of reducing these possibilities. A thorough vetting process for third-party apps is the best defense against potential legal action resulting from cyberattacks.
- Reputational risks
In addition to the impact on the safety and privacy of student and employee information and the risk of financial penalties and lawsuits, a district’s reputation may be irrevocably damaged following a cybersecurity breach. For example, the Los Angeles Unified School District, the second largest in the U.S., was subject to nationwide media exposure following a CNN report that detailed the release of student data procured in a ransomware attack. While the report highlights the importance of vendor risk management, the district now has an unfortunate reputation for being unable to protect its information systems, students, and staff.
- Operational risks
According to Cybersecurity Dive, a significant ransomware attack caused Albuquerque Public Schools, the largest K-12 district in New Mexico, to close for two days in mid-January 2022. Dubbed cybersecurity snow days, such closures force students to make up the days later in the school term. Attacks place hardships on affected students and parents, who must now pivot to accommodate unforeseen closures. Halting curriculums and abruptly disrupting learning in the K-12 space affects the quality of education a district can provide.
The Infrastructure Investment and Jobs Act is set to provide $1 billion in federal grants to improve state and local government cybersecurity between 2022 and 2025. Aimed at funding monitoring and restriction capabilities that protect against students using unwanted apps, malicious cloud services, and poor security practices, the Act is an example of America’s recognition of the dangers of weak cybersecurity.
Vendor risk management best practices
While oversight from developing federal policy will undoubtedly help, schools can take action immediately by creating a vendor risk management program.
Here’s how your district can implement measures to target and reduce its attack surface:
- Create a formal policy: Set your evaluation criteria and cybersecurity standards for all third-party applications and your assets that will access your network.
- Establish a vendor assessment process: Before authorizing the use of a third-party app, evaluate the company and the product itself by asking the following questions:
  - Is the software secure?
  - What is the learning curve associated with its implementation?
  - What are the cost factors?
  - How does the app comply with data privacy laws?
- Maintain a list of approved vendors: Sourcing apps from a shortlist of approved vendors helps to reduce access to your networks and infrastructure. Whitelisted providers are trusted resources, so using a reputable vendor for education apps and tools is always a good idea. In addition, a little “fear of the unknown” is healthy regarding vendor relationships and potential risks.
- Conduct ongoing monitoring: Your vetting process shouldn’t stop with the go-live use of an app in the classroom. Just like your curriculum, vendors evolve constantly. For example, an unknown entity could purchase a trusted provider, altering its systems and processes. If their new vision for the app doesn’t align with your standards, conducting a regular assessment will root out any of these change factors. Depending on the vendor, you may want to perform monthly or yearly audits or periodic evaluations over and above an annual risk assessment.
- Perform an internal audit: You’ll want to audit your Google and/or Microsoft domain periodically to see if any unauthorized apps have been granted permission by any users and remove any that aren’t sanctioned. It’s also a good idea to take things further when evaluating third-party presence in your district. Staying up to date with new laws, regulations, and legislation needs to be part of your audit process. Remember to source the latest information regarding privacy laws with your efforts to modify your policies and procedures. Extending this scrutiny to your vendors ensures you’re covered from both sides. Finally, don’t be afraid to cut ties with vendors lagging on updating their apps per the latest regulatory revisions. Their delay carries the inherent risk of exposing your organization to potential attacks.
- When in doubt, automate: You may be surprised to learn how many of these monitoring and compliance-check processes can be handled by automation. The right solution can establish and execute consistent monitoring of third-party applications on your network and help screen vendors against their possible threat levels. In addition, an automated solution saves district tech admins the time and effort of playing whack-a-mole with risky and/or unsanctioned apps.
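As an added example (not code from this page or from ManagedMethods), the internal audit step above can be scripted. The Python below takes a constructed listing of OAuth grants in roughly the shape the Google Admin SDK Directory API tokens listing returns, compares each app against a hypothetical sanctioned-vendor list that records the scopes approved at vetting time, and flags unsanctioned apps holding broad scopes for revocation and sanctioned apps whose requested scopes have grown for re-review. All client IDs, accounts and the sanctioned list are constructed assumptions.

```python
from dataclasses import dataclass

# Scopes that expose mail, files or directory data if an unknown app holds them (constructed list).
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Sanctioned vendors: hypothetical client IDs mapped to the scopes approved during vetting.
SANCTIONED = {
    "123-readingapp.apps.googleusercontent.com": {
        "https://www.googleapis.com/auth/classroom.courses.readonly",
        "https://www.googleapis.com/auth/userinfo.email",
    },
}

@dataclass(frozen=True)
class Grant:
    """One OAuth token a user granted to an app (fields loosely mirror a Directory API token entry)."""
    user: str
    client_id: str
    display_text: str
    scopes: frozenset

def classify(grant, sanctioned=SANCTIONED):
    approved = sanctioned.get(grant.client_id)
    if approved is None:
        # Unsanctioned app: revoke outright if it holds broad access, otherwise queue for review.
        return "revoke" if grant.scopes & HIGH_RISK_SCOPES else "review"
    # A vetted vendor now asking for more than it was approved for is a change to re-assess.
    return "review" if grant.scopes - approved else "ok"

def audit(grants, sanctioned=SANCTIONED):
    report = {"revoke": [], "review": [], "ok": []}
    for g in grants:
        report[classify(g, sanctioned)].append((g.user, g.display_text))
    return report

# Constructed sample grants, shaped like entries an admin-API token listing would return.
SAMPLE_GRANTS = [
    Grant("student1@example-district.org", "123-readingapp.apps.googleusercontent.com", "Reading App",
          frozenset({"https://www.googleapis.com/auth/classroom.courses.readonly",
                     "https://www.googleapis.com/auth/userinfo.email"})),
    Grant("teacher1@example-district.org", "123-readingapp.apps.googleusercontent.com", "Reading App",
          frozenset({"https://www.googleapis.com/auth/classroom.courses.readonly",
                     "https://www.googleapis.com/auth/drive"})),
    Grant("student2@example-district.org", "999-unknown.apps.googleusercontent.com", "Free Game Hub",
          frozenset({"https://mail.google.com/"})),
]
```

Feeding `audit(SAMPLE_GRANTS)` the real token listing for every user in the domain, on a schedule, gives the periodic review the audit step describes; the "review" bucket is where a vendor's scope creep surfaces.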
ManagedMethods is a cloud security platform built specifically for K-12 school districts, which can help audit, monitor, and automate your district’s third-party apps. In addition, the platform makes securing data and detecting student safety signals in Google, Microsoft 365, and Zoom easy and affordable.
Let’s examine how implementing a cloud access security broker (CASB) for your schools can reduce the attack surface and aid your vendor risk management efforts.
Simplify vendor risk management with a CASB
We understand the appeal of cloud computing in the education sector and how applications like Google Workspace and Microsoft 365 are beneficial for many reasons. However, a CASB offers an additional layer of security for your connected apps and devices by providing visibility and control beyond where your firewall, native phishing filters, and content filter can go.
Vendor risk management software, like a CASB, can make the difference between a heightened risk level and a cloud-based architecture that is protected from attacks riding piggyback on your third-party apps.
To save your district from the operational risk associated with data privacy leaks and data breaches, consider deploying a CASB solution. Not only will you reduce your cyber risk, but you’ll take comfort in knowing your district is free to pursue an education-enhancing third-party relationship with reduced worry.
With the aid of ManagedMethods, your IT team can overcome the challenges of managing and monitoring apps with the support of a cloud security platform that makes these processes easier to perform.
How ManagedMethods protects your infrastructure:
ManagedMethods offers an API-based cloud security platform that doesn’t require a browser extension, proxy, agent, gateway, or virtual appliance.
We give your IT team visibility into which apps are connected to your Google and/or Microsoft 365 domain, let them assess each app’s risk and/or educational appropriateness, and revoke access with the click of a button. Admins can also automate this process with a sanctioned/unsanctioned apps list and the use of policies.
Further, the auto-discovery of threats will immediately alert your administrators and IT teams of potential attacks so that you can take a proactive approach before your data and PII are exposed. By providing continuous visibility and control over the data stored on-cloud and vigilant monitoring of activity on the cloud, your teams can mitigate threats and effectively protect your students and educators.
ManagedMethods is certified FERPA, COPPA, and CSPC compliant by iKeepSafe. We’re also a Student Data Privacy Consortium member, a Student Privacy Pledge signatory, and a Consortium for School Networking (CoSN) cybersecurity initiative sponsor.
Simply put, we take the safety and security of your third-party applications seriously. To learn how ManagedMethods can assess your risk factor and protect your data and PII, take advantage of our free 30-day audit. Then, within minutes (well, a little longer for Microsoft 365 domains), you’ll be up and running without impacting your domain, data, or network.
Fair warning: ManagedMethods is hard to quit once you’ve started. Over 70% of school districts that take advantage of our 30-day free audit become active users. Book your free audit today to boost your operational resilience and see for yourself.