To Make Ed Tech More Secure, Software Companies Need to Step Up
Pierson and Powazek: Insights from UC Berkeley’s closed-door session with education software manufacturers.

Last month it was revealed that student information system provider PowerSchool suffered the largest known hack of K-12 student records in history, as stolen credentials were used to expose and steal sensitive data belonging to over 60 million students and teachers. In 2024, K-12 schools have become the most targeted industry for ransomware, with recovery costs averaging over $3.7 million this past year alone — more than double the figure for 2023.
Education technology – or edtech – software is often the entry point for these cybercriminals, accounting for 55% of K-12 school data breaches between 2016 and 2021. As one can imagine, the COVID-19 pandemic forced school districts across the country to shift to remote learning; they received significant federal and state funding to support this transition, much of which was spent on acquiring new software.
The average district now uses 2,591 edtech products – nearly triple the number from 2018 – increasing the attack surface for cybersecurity threats at a time when only one in three school districts employs a full-time IT staff member.
To further complicate the matter, K-12 school districts are chronically understaffed and underfunded on this front, with the average school spending less than 8% of its IT budget on cybersecurity, and one in five schools dedicating less than 1%.
Schools are not equipped to secure all of the edtech products they depend on, but these software products are critical to running a modern school. Most critical school functions – including attendance, bus routing, lunch information, learning and grading systems, staff management and finance – rely on edtech products to operate.
That puts edtech software manufacturers in a unique position to improve cybersecurity outcomes for K-12 schools by integrating more security features into their products, shifting the burden from schools to industry.
A forum held last October by UC Berkeley’s Center for Long-Term Cybersecurity, conducted in partnership with the U.S. Department of Education, convened representatives from 12 software manufacturers serving a large portion of U.S. school districts to discuss measures to help strengthen K-12 cybersecurity. Two key themes emerged again and again during the discussion, which are top of mind for industry as we go into 2025.
First, edtech software manufacturers need to take a greater responsibility for improving security outcomes for their K-12 customers.
The use of multi-factor authentication (MFA), an essential security feature in edtech products, is seldom enforced as a mandatory requirement, even for privileged users. However, some software manufacturer participants demonstrated industry leadership by requiring it for all administrative accounts.
One provider, inspired by Microsoft’s forthcoming requirements in Azure and 365, implemented mandatory MFA for administrative accounts and financial staff and adopted phishing-resistant authentication. But the rollout was difficult; despite many advance notifications of the change, the provider described the transition as disruptive for customers, even though the change ultimately provided better security.
Software manufacturers who have implemented mandatory MFA recommended other providers try a phased approach, such as extending authentication prompt intervals to once every one to two weeks to allow school administrators, IT staff, and teachers adequate time to adapt to the new requirements. They also recommended deploying changes during the summertime when school districts’ IT demands are at their lowest.
Some are experimenting with new MFA tactics and security features, like authentication based on suspicious account activity and tracking data changes in their systems. Other solutions discussed include monitoring the dark web to identify stolen passwords and systems that prompt users to choose stronger alternatives, as well as solutions tailored for schoolchildren and parents, such as printable QR code badges that students can scan to authenticate during login.
Second, vendors must overcome obstacles to integrating basic security controls into their products.
One of the biggest obstacles software manufacturers face in launching mandatory security features is balancing security with user convenience. They cite feeling pressured to prioritize ease of use, fearing that customers would switch to competitors with “simpler” but less secure solutions.
Vendors shared case studies of schools that resisted platform changes that introduced friction into their operations or student learning, such as requiring an additional step to log on. For example, some providers observed that K-12 users prefer less secure authentication methods, such as email and text messaging services, over more phishing-resistant methods, such as app-based tokens or hardware keys.
Technical hurdles pose another barrier. Providers noted that some school districts rely on legacy software for HR, payroll, and bus routing that may be incompatible with modern authentication protocols such as SAML or OAuth. Some systems lack support for these protocols altogether or only offer them as paid features, especially for mobile applications. This makes integration challenging, requiring extensive testing to resolve compatibility issues, making the process resource- and time-intensive for software manufacturers.
What’s Next
Incidents like the PowerSchool breach demonstrate the urgent need for edtech software vendors to do more to protect K-12 student and teacher data. Fortunately, the federal government has made headway on the issue in recent years.
For example, the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design initiative, launched in September 2023, expanded from a K-12 specific pledge with 12 signatories into an enterprise-wide pledge by May 2024, with over 260 industry signatories. CISA also recently released its Product Security Bad Practices guidance for software manufacturers.
The growing industry interest in prioritizing cybersecurity is encouraging. Evidence from our roundtable conveys that there’s an appetite from K-12 and companies to do more to relieve the burden on schools and secure edtech products. It is critical to continue this momentum; the edtech industry must pursue product changes that improve security, and federal agencies like CISA should continue building a coalition of companies who do so.
Secure products benefit everyone, from teachers, to parents, to school children. Let’s double down on our progress before the next breach happens.