Cybersecurity in EdTech

By Arnold - SME Vulnerability Assessment

Cybersecurity in EdTech

The exposure of technology to the life of children at a very young age have made the brains of children look for faster and easier ways to learn new things. They get easily bored in a traditional classroom environment.

EdTech has seen tremendous growth in the past few years in all levels of education. The Covid-19 pandemic gave it a booster shot. Even Kindergarten kids now attend school through Zoom classes. Google classrooms have become a staple in multiple schools. University education is becoming slowly digitized through platforms such as Coursera, Udemy etc. Similarly, professionals can now upskill themselves online as per the demands of the job market. Corporates now conduct training programs online facilitating remote work.

This shift towards using digital tools to enhance education has its set of problems. EdTech has become a prime target for frequent and high-intensity cyberattacks which are rising rapidly year after year.

Consider the following cases:

In 2019, the Louisiana governor had to declare a state emergency when ransomware attacks hit multiple school districts in the state. IT networks of the affected school districts went down and files were made inaccessible. Such attacks are not singular incidents.
According to K-12 Cybersecurity Resource Center, a data breach in the 2019-2020 school year to an EdTech vendor’s system exposed the personal information of several thousands of students online. 13,000 school districts and universities were estimated to be affected by this breach.
61 percent of the 7.7 million malware attacks faced by firms in the month prior to June 2020 belonged to the education sector as reported by Microsoft Security Intelligence.

EdTech is becoming increasingly vulnerable to cyberattacks as seen from the above instances. Sometimes, the attacks can be due to lack of cybersecurity implementation. Even a company with robust cybersecurity measures can become vulnerable to attacks. This is due to the involvement of multiple vendors in most EdTech interventions. These vendors may not necessarily follow the same standards. Therefore, it becomes crucial to ensure careful protection against any external cyber-attacks.

Common Threats Faced by EdTech Firms in Recent Times

While EdTech firms are vulnerable to various types of cyberattacks, the following are the most common ones faced by them on a frequent basis:

Cloud security breaches

Most EdTech companies use cloud-based solutions for their interventions. Among other things, this helps them to create a virtual depository of data for easier access, dissemination, and analytics. At the same time, it increases the risk of data breaches concerning the personal information of students and teachers, and any related financial and operational data associated with institutions that deploy these EdTech interventions. This illegally obtained information can be misused to redirect payments to fictitious accounts that hacker's control.

Zoom bombing

It is a recent phenomenon where online video conferencing platforms are interrupted by intruders. Incidents such as hate speech against students during online classrooms, or exposure to unwanted and harmful media during virtual classes impede learning through these platforms and create fear of using technology. This can be prevented by not sharing the invites through open platforms and keeping the passwords and meeting links safe.


This is one of the oldest as well as the most common threats internet users face these days. In this, the cyber attacker masks themselves as a trusted entity and dupes the user into divulging private and sensitive information such as credit card numbers. EdTech platforms frequently face phishing attacks due to children being easy targets.

Denial of Service (DoS)

In this, users are denied access to data or systems they normally use. The cyberattack floods the network with information and disrupts existing services. In the context of EdTech, this means disruption of classes as teachers and students would be unable to access online classrooms or study materials.


This is software installed on a computer or a server without the knowledge of the user. It can be of various types such as adware, worms, ransomware, and so on. Malware is employed to steal information and commit online crimes such as extortion. Recently, Blackbaud, a cloud service provider for education institutions had a major security breach through a ransomware attack affecting millions of individuals.

Data Protection Regulations and Rules for EdTech

EdTech firms should be aware of and in line with concerned regulations such as:

Family Educational Rights and Privacy Act (FERPA)

Family Educational Rights and Privacy Act (FERPA), which is a federal law that protects the privacy of student education records.

Children's Online Privacy Protection Act (COPPA)

Children's Online Privacy Protection Act (COPPA) mandates parental consent for the collection and use of any personal information related to children online.

Protection of Pupil Rights Amendment (PPRA)

Protection of Pupil Rights Amendment (PPRA) focuses on the protection of student information collected through surveys and parental consent regarding the same.

Student Privacy Pledge

Student Privacy Pledge is an industry pledge to protect student privacy in terms of collection, maintenance, and usage of student information. It is voluntary but legally binding.

General Data Protection Regulation (GDPR)

In the EU, General Data Protection Regulation (GDPR) is the regulatory framework for the management of data privacy of individuals. It covers EdTech companies as well where organizations assess and process large volumes of information involving user data.

How to Protect Your EdTech Company and Concerned Stakeholders from Cyberattacks

We have seen that breaches come at unacceptable costs. It is of paramount importance that EdTech companies follow compliance standards and keep cybersecurity protocols in place and regularly review and update them.

Compliance Standards

Federal Information Systems Act (FISMA)

Federal Information Systems Act (FISMA) requires federal agencies to implement an information security program. This also applies to private businesses having a contractual obligation with the government.

National Institute of Standards and Technology (NIST) guidelines

National Institute of Standards and Technology (NIST) guidelines are formulated to meet the regulatory requirements of FISMA. These include risk assessment, documenting baseline controls among others.

International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001

International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 provides best practices for information security management systems (ISMS) of an organization. These requirements help organizations to secure information entrusted by third parties in addition to organization-specific assets such as Intellectual Property.


Conduct a security audit from time to time.

Educate children and teachers about vulnerabilities and cybersecurity.

Proactively search for vulnerabilities in networks and systems.

Regularly conduct cybersecurity awareness sessions. Employees and users must be made aware of data protection and security protocols in place.

Strong and unique passwords must be made mandatory along with regular notifications to update them periodically.

Implement two-factor authentication particularly in the context of payments.

Consider investing in cybersecurity insurance depending on the needs of the EdTech organization.

Try to ensure lifecycle security when multiple vendors are involved.

Critical IT systems can be moved to specialist hosting providers to increase cloud security.
EdTech is revolutionizing education by making individualized learning scalable. This is a huge step towards digital equity and right to education. To properly harness and secure the compounding effects of EdTech, a proper cybersecurity regime must be made a pivotal aspect of all EdTech companies.