As education companies continue to be ravaged by cyber attacks, new data from an EdWeek Market Brief survey show vendors need to be prepared to explain to their school district customers just how securely they protect school districts' troves of sensitive data.
The survey finds that districts are ramping up their scrutiny of vendors' cybersecurity protections, and that the vast majority of K-12 leaders expect to ask more questions of their ed-tech providers about the safeguards they have in place in the coming years.
According to the nationally representative survey of 206 district and 104 school leaders, which was conducted by the Education Week Research Center in January and February of 2025, 74 percent of respondents said they expect the information they collect about vendors' cybersecurity protections will increase.
More than a third, 35 percent, said they expect the amount of information they require to grow by a lot, while slightly more, 39 percent, indicate that it will likely increase a little.
The survey comes at a time when districts are facing threats from bad actors looking to steal their data and hold it for ransom until they agree to pay to release it.
Many cyber criminals are trying to get at school data through the platforms operated by K-12 companies. Student information system giant PowerSchool was recently the target of a large data breach, through a community support portal known as PowerSource.
The company said the breach resulted in "unauthorized exfiltration" of current and former students' and educators' personal information, including names, contact information, dates of birth, limited medical alert information, and Social Security numbers.
PowerSchool said in a statement that it had worked with third-party cybersecurity experts in addressing the problem, and that it had no evidence that its other products it offers were affected.
With such prominent vendors as targets, it isn't surprising to see district and school leaders plan to look more closely at education companies' cybersecurity protocols and protections, said Doug Levin, co-founder and national director of the K12 Security Information eXchange.
He was, however, intrigued by just how strongly the respondents felt about the topic. Just 3 percent saying they expect to decrease how much information on vendors' cybersecurity protections they plan to collect.
"This is an enormously clear signal to ed-tech vendors that this is something that is now an expectation of them," Levin said.
He believes theK-12 market is on the cusp of a new onrush of cybersecurity requirements, similar to a decade ago when student data privacy protections came into new focusing the industry.
"This is a tidal wave coming for the ed-tech vendor community," he said.
What kind of security protections will school systems demand of vendors moving forward? The results suggest a broad focus on up-front guarantees, risk mitigation, and communication with school system clients.
The majority of respondents, 56 percent, said they will be requiring tech-related vendors to provide assurances of product security features like encryption, single sign-on support, and multi-factor authentication.
More than four in 10 respondents, or 44 percent, said they will demand require periodic risk assessment and cybersecurity check-ins with district tech leaders and staff.
The same percentage of K-12 leaders said they would also require allowing the district to vet all product features, including those offered to individual teachers.
District and school leaders are also concerned about what happens to their data if an ed-tech company is shut down or acquired, which has been an increasingly common event in recent years as consolidation in the K-12 industry accelerates.
Forty percent of respondents said they will require guarantees from ed-tech vendors that their data will be protected when those deals occur.
And a third of the district and school administrators surveyed said they want to see proof of industry-recognized cybersecurity certifications.
A March report from the Center for Internet Security, a nonprofit focused on cybersecurity, and CoSN, a professional association for district ed-tech leaders, found that 82 percent of K-12 schools experienced the impact of a cyber threat over a recent 18-month period.
There were more than 9,300 confirmed cyber threat incidents affecting K-12 schools during that period, from July 2023 to December 2024, which can have a widespread effect.
Cyber attacks "ripple throughout the community," the report said, "A parent missing work to care for a child during a school closure creates economic impact. A student missing meals due to cafeteria system outages affects their health and ability to learn. The loss of access to counseling services during critical times can have lasting effects on student well-being,"
EdWeek Market Brief's survey data show differences in how school systems with different demographics view cybersecurity protections.
Leaders of impoverished school systems — those with more than 50 percent or more students qualifying for free or reduced-price meals — are less likely to expect to outline cybersecurity requirements in requests for proposals they put forward in the coming years, the survey finds.
According to the data, just under a quarter of respondents from high-poverty districts said they would expect vendors to meet specific cybersecurity requirements they outline in their RFPs, compared to 43 percent of schools with fewer than 50 percent of students qualifying.
The results could indicate that school systems with higher levels of poverty are choosing to focus more on what they see as an immediate need — directing funds toward academic supports — over cybersecurity and technology issues, said Levin.
"It feels like a capacity issue," he said. Impoverished districts probably have less capacity to do procurement reform, particularly, and [may not] have the IT expertise."
The "vast majority" of school systems do not have a dedicated cybersecurity person on staff, he added, and that makes it "very hard to know what to ask" of ed-tech companies about cybersecurity practices.
The range of different third-party cybersecurity certifications, pledges, and guidelines adds up to a "messy time" for school vendors looking to getting a better understanding of student data privacy and cybersecurity concerns, Levin said.
But it also presents an opening for players in the market to stand out by demonstrating their commitment to the effort and their willingness to help school systems navigate a complex landscape.
"It presents a clear opportunity for the tech industry to come together and help education their customers [find consensus] on what they should be asking about," Levin said, so that districts can "determine who is taking cybersecurity seriously and protecting student data."
Takeaways:
- Ed-tech companies that want to win the trust of school systems anxious about cyber attacks would be wise to focus on a number of key steps.
- They need to offer assurances of different types of product security features, such as encryption, single sign-on support, and multifactor authentication.
- And they also need to be proactive partners by conducting periodic risk assessments and checking in with district tech staff on cyber threats. They also need to allow K-12 leaders to vet their products features, and offer assurances that cyber protections will remain in place in the event of M&A.
©2025 Education Week (Bethesda, Md.). Distributed by Tribune Content Agency, LLC.
