Education is under attack. The lesson goes far wider.
Read on below for Edition 7 of 3VRM’s cyber briefing newsletter.
Over the past twelve months the education sector has faced a sustained wave of ransomware attacks, data breaches and supply chain compromises. Teaching has been suspended, student records exposed, and in some cases thousands of institutions have been affected at once.
It would be easy to conclude that education simply has weaker security than other sectors. The reality is more complicated, and considerably more relevant to anyone responsible for third party risk.
As we approach the school summer holidays, we’ve taken a closer look at what a year of attacks on education reveals about how attackers now operate, and why it matters far beyond the classroom…
The incidents:
Taken individually, the recent headlines look like a run of bad luck.
The University of Nottingham confirmed unauthorised access to its student record systems, taking them offline while forensic teams investigated. At school level, malware has shut down networks entirely, in some cases sending pupils home.
A single incident affecting multiple schools in Wales showed how shared infrastructure can become one point of failure across many institutions at once.
Considered together, they point to something more significant.
Attackers have found economies of scale
The defining characteristic of these attacks is that threat actors are no longer targeting institutions one by one. They are targeting the platforms those institutions depend on.
The compromise of the Canvas learning management platform earlier this year is the clearest example. Canvas is used by thousands of establishments worldwide, and a single breach exposed user data across an enormous customer base. There is little sense in attacking thousands of universities individually when you can compromise the platform they all share.
The subsequent targeting of Oracle PeopleSoft reinforced the same approach.
This mirrors the logic organisations themselves apply when pursuing digital transformation. Maximum impact through scale. Compromising one strategic supplier is far more efficient than attacking hundreds of separate targets.
The difficulty is that most organisations still assess supplier risk as though each supplier stands alone.
Why education is such a target:
Education combines several characteristics that make it attractive to attackers:
- Vast volumes of personal, financial and research data
- Sprawling, decentralised environments with tens of thousands of users across multiple platforms
- Immovable deadlines around admissions, exams and enrolment, where even short disruption causes real damage
- Heavy reliance on a small number of shared providers, including learning management systems, student record systems, identity providers, cloud services, payment platforms and managed service providers
Each of those providers delivers efficiency. Collectively, they create concentration risk.
What this means for TPRM:
Traditional supplier assurance still matters. Questionnaires, certifications, audit reports and due diligence all have their place. But recent events expose the limits of point in time assessment.
An organisation can have mature internal controls, assess its suppliers diligently and maintain strong governance, and still be taken offline because a provider used by thousands of organisations was compromised. That is a failure to understand systemic risk rather than a failure of controls.
The questions worth asking now are different:
- Which suppliers represent operational single points of failure?
- Where do multiple critical services quietly depend on the same underlying provider?
- What fourth party dependencies are currently invisible to us?
- How quickly could we continue operating if a strategic supplier disappeared tomorrow?
- Do our continuity plans account for supplier failure, not only our own compromise?
These questions are worth considerably more than another completed questionnaire.
From compliance to resilience.
What distinguishes resilient organisations is not that they prevent every breach, but that they understand what happens when one lands, and have a plan to keep operating regardless.
The most mature organisations are shifting from compliance based assurance towards operational resilience.
That shift starts from an uncomfortable premise. No one can guarantee that every supplier remains uncompromised. Incidents are inevitable.
Education is the case study currently playing out in public. The lesson applies equally to financial services, healthcare, government and critical infrastructure. Where organisations share digital ecosystems, they share cyber risk.
The question that matters…
Modern attackers are not pursuing single breaches. They are compromising the trusted suppliers, platforms and services that connect entire sectors, and the objective is systemic impact rather than a single victim.
For those of us working in third party risk management, this confirms what we have argued for years. Effective supplier risk management is not about proving that controls exist. It is about understanding dependency, resilience and concentration risk across a deeply interconnected web of providers.
The question organisations should now be asking is no longer “Is my supplier secure?”
It is “What happens to my organisation when they aren’t?”