
Education Cybersecurity: Managing Risk & Resilience

Explore practical steps to manage LMS security risks and maintain instruction.

Recent cybersecurity incidents involving widely used learning management systems (LMS) highlight a growing trend in education: the increasing reliance on third-party platforms, centralized data, and digital communication tools. Schools face a number of challenges, including the risk of exposing sensitive student and faculty data, disruptions to teaching, and the responsibility to safeguard data, even when it’s managed by external providers.

While cyberthreats are concerning, they present an opportunity for schools to rethink how they manage technology risks, data governance, and operational resilience.

Several factors contribute to the risks schools face:

  • Daily instruction depends heavily on multiple digital platforms.
  • Sensitive student and faculty communications are often centralized and shared.
  • Schools remain accountable for data security, even when third parties are involved.

What Schools Should Do Next

K–12 districts and higher education institutions can use incidents such as the recent breach of an educational platform [1] as a wake-up call to strengthen their resilience. Focusing on the five key areas below can help schools be more proactive.

| Focus Area | Focus | Question |
| --- | --- | --- |
| 1. Assess Third-Party/SaaS Risk | Prevent/reduce exposure | Where are we structurally vulnerable? |
| 2. Strengthen Identity & Phishing Defenses | Attack surface | How will attackers exploit this? |
| 3. Re-Evaluate Data Sensitivity | Impact | What damage can this cause? |
| 4. Assess Incident Response & Communication Readiness | Crisis handling | Are we ready to respond? |
| 5. Validate Instructional Continuity | Operational continuity | Can we still teach? |

These five focus areas can provide a practical way for schools to do more than just react to breaches.

1. Assess Third-Party/Software as a Service (SaaS) Risk

Most schools maintain vendor inventories and perform periodic reviews, but are they assessing these relationships with teaching and operations in mind?

Schools should consider:

  • Are vendor risk reviews focused on how essential the platform is to instruction, and not just data sensitivity?
  • Do contracts establish clear expectations for incident notifications, access boundaries, and resilience support?
  • Do core platforms create single points of failure, and are there contingency options if they are degraded?

For most schools, the question isn’t whether they rely on third parties, but whether they’ve prepared for that dependence through resilience planning.

2. Strengthen Identity & Phishing Defenses

The type of data exposed in breaches (such as student communications, institutional context, and identity information) can make phishing attacks more effective.

Schools should move beyond awareness training and ask:

  • How exposed are staff, student, and parent identities?
  • Who has privileged access to LMS and connected systems?
  • How effective are phishing defenses in real-world scenarios?

Breaches often lead to a second wave of risks, as attackers use stolen data to craft phishing, impersonation, and account takeover attempts.

3. Re-Evaluate Data Sensitivity

Instructional platforms often contain more sensitive data than schools assume. In addition to basic identifiers, they may store private communications between students and faculty, which could include academic, behavioral, or personal details.

Schools should reassess:

  • What types of data are stored in LMS and collaboration tools
  • Whether current usage aligns with policy expectations
  • Whether sensitive interactions are happening on platforms not designed for confidentiality

Handling operationally material or sensitive data presents a governance challenge. Schools need to define what data belongs on these platforms and what does not.

4. Assess Incident Response & Communication Readiness

When a breach occurs, the speed and clarity of communication between students, parents, faculty, and leadership can make a significant difference.

Schools should consider:

  • How quickly they can reach students, parents, and faculty if primary platforms go down
  • Whether incident response plans address student data scenarios (not just IT systems)
  • Whether leadership, legal, and communications teams are aligned before an event

In education, incident response can become a leadership, communication, and operational challenge, not just a technical one.

5. Validate Instructional Continuity

A breach can cause significant disruption to instruction. If a platform goes down, teaching can slow or stop entirely in some environments.

Schools should ask: If our primary learning platform is unavailable for 48 hours, can we still teach?

Institutions should consider:

  • Alternative methods for distributing assignments and materials
  • Communication channels independent of primary systems
  • Faculty readiness to adapt delivery in real time

The desired outcome is to make sure teaching and communication can continue, even if a core platform is unavailable.

How Forvis Mazars Can Help

As educational systems continue to rely on interconnected technologies, cybersecurity events are unlikely to stop. To help build resilience, institutions should focus on the five areas detailed above. Schools may need help identifying weaknesses and improving policies, controls, and practices.

IT Risk & Compliance at Forvis Mazars can help assess these areas, identify gaps, and strengthen your institution’s approach to cybersecurity and operational resilience. Connect with one of our professionals today.

  • [1] “Security Incident Update & FAQs,” instructure.com, April 29, 2026.
