Cyber risk in education now extends far beyond the school gate
Thu, 28th May 2026
Thousands of schools and universities worldwide were recently disrupted when cybercriminals targeted Instructure, the education technology provider behind the widely used learning management system Canvas. While the full impact is still unfolding, the incident serves as another warning that education institutions are becoming increasingly attractive targets for cyberattacks.
Cyber risk in education is no longer limited to isolated data breaches. Today's threats spread through shared technology providers, digital learning platforms, cloud ecosystems, and trusted third-party relationships that are often not stress-tested under real-world conditions.
Recent research from BlueVoyant found that 99% of Australian organisations experienced negative impacts from a third-party or supply chain breach in the past year. Education is a major target because of the large volumes of sensitive personal information and intellectual property it holds and its operational reliance on digital platforms. It consistently ranks among the top sectors reporting data breaches in Australia.
Securing Education Against Third-Party Threats
Cybersecurity can no longer focus solely on protecting internal systems. Schools and universities must also secure the growing network of external vendors, software providers, online learning tools, and managed service partners that support teaching, administration, and student engagement.
Third-party risk management (TPRM) is the practice of identifying, assessing, and managing risks associated with external providers throughout the full vendor lifecycle, from procurement and onboarding through to monitoring and off-boarding. This means ensuring education vendors meet security, privacy, compliance, and operational resilience requirements while safeguarding sensitive student and staff data.
The education sector's expanding digital footprint has created a broad and highly exposed attack surface. Schools and universities increasingly rely on cloud-based collaboration platforms, student management systems, online assessment tools, learning applications, and outsourced IT services. Every additional supplier creates another potential pathway for attackers, yet many institutions still lack mature oversight of these relationships.
However, only 30% of Australian organisations have established or optimised third-party risk management programs, placing them behind peers in the United States and Canada. Within education, where budgets and cybersecurity resources are often constrained, the maturity gap can be even more pronounced.
Cyber incidents that begin with a single vendor can quickly escalate into widespread operational disruption, causing prolonged outages, interrupted teaching, inaccessible systems, delayed assessments, and reputational damage. Recovery timelines often stretch from hours into weeks, affecting not only technology teams but also students, teachers, parents, and administrative staff.
Increasingly, education providers are being judged not only on their own security controls, but on their ability to demonstrate continuous visibility into supplier risk.
AI and deepfakes reshape threat landscape
Rapid adoption of artificial intelligence is changing how cyberattacks are executed and scaled. Deepfake-enabled impersonation attempts, fraudulent vendor communications, synthetic enrolment requests, and AI-generated procurement documentation are becoming more common across organisations globally.
For schools and universities, where staff regularly manage large volumes of communication, invoices, enrolment activity, and external partnerships, AI-driven deception creates a growing challenge. Attackers no longer need sophisticated technical exploits if they can convincingly impersonate a trusted supplier, staff member, or parent.
Traditional security models based on periodic reviews and static trust assumptions are becoming increasingly ineffective in this environment. As AI adoption accelerates across education, insecure systems and poor data governance practices will themselves become high-value targets. Emerging risks such as data poisoning and manipulated training datasets also threaten the integrity of decision-making, research, and automated systems.
A shift toward proactive resilience
Responding effectively to these challenges requires education institutions to return to cybersecurity fundamentals and apply them across the entire digital ecosystem. Organisations can better manage disruption when they adopt a more collaborative, continuous approach to cyber defence.
Rather than relying solely on annual vendor assessments, leading institutions are investing in continuous monitoring, shared threat intelligence, stronger authentication, software verification, and faster remediation processes across operational partners. This reflects a growing recognition that resilience cannot be achieved in isolation.
Strong governance, clear ownership of risk, multi-factor authentication, verifiable software supply chains, and better visibility into data lineage will not eliminate cyber risk altogether, but they significantly reduce the likelihood and impact of incidents.
For education leaders, third-party cyber risk can no longer be treated as a procurement or compliance exercise alone. Institutional resilience now depends on the security posture of every connected vendor and service provider. Effective third-party risk management requires continuous oversight across the full vendor lifecycle. Without this shift, the rapid digitisation of education will continue to outpace the sector's ability to secure it.