This article was originally published in EdTech Magazine on 2.24.23 by Rebecca Torchia
Between the federal government’s push for cybersecurity in K–12 schools and ongoing high-profile cyberattacks against districts, the spotlight is on protecting student data. In response, IT teams are employing more measures to keep student data safe.
A LearnPlatform survey recently found that, despite concerns about known risks, districts accessed an average of 1,417 ed tech tools every month during the 2021-2022 school year. The top tools in many of the categories examined in LearnPlatform’s “EdTech Top 40: Fall 2022 Report” were Software as a Service applications. While many of these applications greatly advance teaching and learning in the modern classroom, they can also pose a threat to schools that don’t know what to look for.
District leaders and IT admins need to develop a third-party risk management program to ensure their networks are properly protected. To evaluate third-party risk and what it means for their students’ data, school leaders must first understand what it is, why it makes them vulnerable, and how to mitigate it.
Third-party risk is the risk facing a school or organization from any external parties or systems.
There are two primary avenues of third-party risk for school districts, says David Waugh, chief revenue officer of ManagedMethods: “There are third-party risks with known vendors, meaning those that schools know about and have a signed agreement with. Then there are the third-party applications and vendors that have access to a school’s system that they don’t know about.”
Whether the vendors are known or flying under the radar, schools need to understand how these vendors use data and how much access they have to schools’ networks — and when districts are managing upward of 1,400 edtech tools in their ecosystems, that adds an additional layer of risk.
“Complexity is its own risk,” says Jim Siegl, a senior technologist for the Future of Privacy Forum. “Sharing data with more places increases the risk exponentially. Schools need to look at the way data is collected, used, protected, shared, retained, and deleted.”
The number of applications being used isn’t the only factor putting K–12 institutions at risk of a third-party breach. Many districts, especially small ones, also must deal with a lack of security expertise on their IT teams…