Cybercrime strains educational institutions. Security control mandates, licensing and regular audits may prevent some of it.

As schools started the new academic year, their growing dependence on digital technologies has opened doors to ongoing security and privacy risks for students and their learning. With cybercrime growing in frequency and magnitude, a radical (yet familiar in other sectors) proposition transpires: Can the enforcement of minimum cybersecurity controls in the edtech sector and licensing its engineers change things for the better?

Between 2021 and 2022, around 41% of primary schools and 70% of secondary schools in the UK experienced cyber breaches. In the US, Illuminate, software for K12 education, has gone through an avalanche of cyberattacks affecting the personal information of millions of current and former students. In 2020 around 44% of educational institutions, globally, have been victims of malware attacks. But what does that mean for children, institutions and society and why is there no legislation and enforcement to prevent such crime?

Cybersecurity attacks in education lead to all kinds of risks. They disrupt educational processes, lead to loss of sensitive information about children and teachers, and leave systems unusable. They incur costly repairs. Some estimate that an outage or downtime caused by malware attack costs around $8,662 (£7,500) per minute. As schools grapple with ‘summer slump’ or Covid-19 learning loss and growing expenses, the resources needed to protect against potentially destructive malware can be overwhelming.

We need to take a different tack, challenging political decision-makers, edtech businesses, shareholders and investors to step away from an unhelpful focus on what schools do or don’t do to protect themselves from cybercrime. It is pointless to try to protect your house from burning if the forest around you may already be up in flames. Everyone has a role to play.

Here is what the forest looks like now: the edtech sector doesn’t impose any cybersecurity standards on operators. There are no sector-specific benchmarks, no mandates on what security controls must be in place. Anyone with an idea can build an edtech app and sell it to schools. Legal provisions such as the GDPR and COPPA don’t mandate any cybersecurity controls. Edtech operators can choose non-mandatory security frameworks to follow, but nothing forces them to embed minimum security practices. So, the forest is tinder dry and there is no firewarden.  

Implementing and maintaining secure systems comes with time, resource and cost implications – often impossible for an edtech startup to afford. Cybersecurity is an ongoing process. An edtech company focused on the bottom line may not see immediate returns because end-users may not understand or appreciate the issues enough to pay a premium – proper cybersecurity controls being installed – for what should be a basic requirement. This reality creates a vulnerable market open to exploitation and crime.

To reverse that, at least three things must happen. First, policy must mandate that edtech vendors set appropriate cybersecurity controls. This may disgruntle the sector: higher barriers to entry may stop many ideas getting off ground. But if this were food and not an app, would we serve children something that hasn’t passed minimum hygiene controls? Even with standards, businesses falter. In the UK, a food standards investigation found that some soft drinks contain the poisonous benzene. Cybersecurity threats can be as life-threatening as drinking benzene. Theft of personal and sensitive information through malware and ransomware attacks can lead to the risk of exposing children and teachers to a range of harms – from embarrassment and emotional distress to loss of reputation, jobs and prospects.

Second, more transparency on the part of industry is also needed. Who is making the edtech software? What is their work ethos? If edtech companies have access to granular information about children and teachers, why shouldn’t the reverse be available? Moreover, to ensure good security practice, we should consider registering the ‘engineers’. Many professions like nursing and accountancy require a license (renewed annually) and ongoing training. Data privacy officers, too, are increasingly required to become certified. Depending on the region, a certified information privacy professional (CIPP) certification costs around $650 per exam, renewable annually. So, who are the edtech software engineers and what are they licensed to engineer? Who makes decisions about how their technology is secured? Who are they accountable to? Transparency around such questions can hopefully transform companies’ cultures and the sector itself.

The third proposal addresses shareholders and investors and their commitment to the cost of edtech organizations’ cybersecurity hygiene. While shareholders cannot wait to see their dividends and investors – their returns –  these two key stakeholders must consider the price of cybersecurity vulnerabilities. The monetization of data harvested from users of digital technologies has propelled the lucrative business model of ‘surveillance capitalism’. It has led to normalizing highly unethical data practices (such as selling children’s data to commercial parties). Investors should withdraw from such ruthless practices and, keeping in mind the cost of cyber insurance, demand appropriate security standards from companies they consider investing in. As many larger players can attest, failing to secure data can result in reputation damage and massive fines. If investors only follow the money, then enforcement of standards and controls – proposal one above – can substantially reduce risky investment in unethical business practices.

The good news is, as research shows, people are likely to pay more for technologies that are labelled as “secure”. To use the food analogy again, producers today must display labels that clearly show salt, fat and sugar content. Similarly, edtech companies should label the state of their products’ cybersecurity. Without this assurance, no one – neither school nor individual - should be signing up to edtech which could be used against them.