The state of cybersecurity in education: the responsibilities of EdTech for children
Cybersecurity in education is understood as a highly technical requirement that doesn’t immediately sit well with the typical (and ever-growing) responsibilities of schools. Yet much public debate and many policies call for upskilling teachers and students to prevent the mounting cybercrime in education.
With her recent research, Velislava Hillman shifts the focus to the EdTech industry in an attempt to call for a balance of responsibilities across all stakeholders in an educational ecosystem.
This study was an effort to take a step back and ask: what is the foundation upon which EdTech platforms and applications are developed? Do they demonstrate robust security controls and ethical practices that prioritise children’s best interests?
Between 2021 and 2022 around 41% of primary schools and 70% of secondary schools in the UK experienced cyber breaches (Department for Digital, Culture, Media & Sport, 2022).
Increasingly, government policies are including the role of EdTech in K-12 education. At the same time, however, there is no government intervention in monitoring a growing industry. Market forces alone don’t incentivise the sector to satisfy the security demands of end-users. An alternative is to directly address the industry and collectively find the means to drive towards improvement that prioritises children and their education as soon as possible.
The Department for Education recently updated their ‘digital and technology standards’ for schools and colleges. But as schools grapple with rising costs, many of these standards require substantial resources and capacity from the side of schools. Requirements such as “train all staff with access to school” and “have at least 3 backup copies of important data on at least 2 separate devices, at least 1 must be off-site” are standards that DfE expects schools to meet “as soon as possible”, which sounds as complicated as it is. This can easily be seen as yet another responsibility (a burden?) on schools. And this is where the responsibility and priorities of the EdTech industry need to show.
Questions that guided the research included:
What cybersecurity frameworks do EdTech providers adhere to and what controls do they implement to secure and protect student data?
What cybersecurity challenges do EdTech providers experience with specific frameworks and controls, and (how) are these challenges addressed?
Who are the teams or individuals responsible for meeting cybersecurity standards, what is the organisational ethos, and what capacity building is provided for employees?
What would be an ideal scenario for EdTech providers to meet appropriate cybersecurity standards that ensure student data privacy?
Summary of findings:
There is a lack of clear guidance for EdTech businesses about what, how, when, and why they should implement cybersecurity controls that ensure children’s data safety and privacy.
The existing generic cybersecurity frameworks tend to be “tedious” and “bureaucratic” – difficult to implement for most EdTech start-ups.
There are generally no mandates and monitoring imposed on EdTech businesses to implement any cybersecurity controls.
The costs and resources required to meet cybersecurity standards are typically high, which makes it near impossible for start-ups to level up. This only increases the risks for children.
Some start-ups have a limited understanding of the nature and extent of harm from cybersecurity risks. Some small vendors see security around education data as “not close to the bone” as, say, health data.
There is willingness among EdTech companies to have a dedicated cybersecurity standard and a dedicated independent body that can guide them to maturity.
An ideal scenario for a cybersecurity standard is that it is tailored to address the needs and vulnerabilities of K-12 education. However, for the EdTech sector to lead towards maturity and good practice, such a standard should be mandated.
Investors don’t see cybersecurity controls and validation as a deal breaker. Most of the time, investors don’t ask questions about cybersecurity risks (and the costs of that). If they do, it is something “little on the side”, not a factor influencing investment decisions.
There is growing awareness about cybersecurity matters among the K-12 education community. School leaders, teachers, and EdTech procurement demand to see some sort of external validation that EdTech providers have what it takes to protect students’ data.
There is a substantial gap in the literature about cybersecurity and the K-12 EdTech sector. Most existing literature addresses what the education community should do about cybersecurity matters; little is said about the role of the EdTech sector or governments.
Moving from lax regulation to self-regulation is not the way to govern the growing EdTech industry – “trust but verify”, as one vendor put it, “marking one’s own homework is not ideal”.
The report is published by Media@LSE, London School of Economics and Political Science.