What Is Third-Party Risk, and What Do Schools Need to Know?

What Is Third-Party Risk?

Third-party risk is the risk facing a school or organization from any external parties or systems.

There are two primary avenues of third-party risk for school districts, says David Waugh, chief revenue officer of ManagedMethods: “There are third-party risks with known vendors, meaning those that schools know about and have a signed agreement with. Then there are the third-party applications and vendors that have access to a school’s system that they don’t know about.”

Whether the vendors are known or flying under the radar, schools need to understand how these vendors use data and how much access they have to schools’ networks — and when districts are managing upward of 1,400 edtech tools in their ecosystems, that adds an additional layer of risk.

“Complexity is its own risk,” says Jim Siegl, a senior technologist for the Future of Privacy Forum. “Sharing data with more places increases the risk exponentially. Schools need to look at the way data is collected, used, protected, shared, retained and deleted.”

Why Are K–12 Schools Vulnerable to Third-Party Risk?

The number of applications being used isn’t the only factor putting K–12 institutions at risk of a third-party breach. Many districts, especially small ones, also must deal with a lack of security expertise on their IT teams.

As of 2020, roughly 85 percent of school districts in the U.S. had enrollments under 5,000, according to the National Center for Education Statistics.

“When you look at an IT department for a school district that has less than 5,000 students enrolled, you may have an IT department that consists of three people, maybe five if you have the funding,” Waugh says. “They’re generalists, so they’re pretty good at a lot of things, but they’re not necessarily experts in cybersecurity.”

This lack of expertise makes it easy for students and educators to download browser extensions and other applications undetected. Educators may be downloading new apps they heard about at a conference or from a colleague on social media, without considering how it collects and stores data. They may also use their school-issued devices to download personal apps or extensions — again, without considering the security implications.

Also, students and educators may use their personal devices for applications but sign up using their school email account. This happens either because they don’t understand the security risks or because they didn’t realize that account was the one they were using at the time.

“We saw a tremendous amount of that — just an explosion — last August and September when the new school year started,” Waugh adds.

Referred to as shadow IT, each new application or program downloaded without the IT department’s knowledge and consent introduces risk to the school’s environment. While shadow IT isn’t limited to education — an IBM study found 1 in 3 Fortune 1000 employees use SaaS without IT approval — it can have a more detrimental effect on a school’s network without a security expert on staff.

LEARN MORE: Build a culture of cybersecurity awareness in your school district.

Schools are also vulnerable to known third-party risks when they don’t update their software or re-evaluate applications they’ve installed.

“Many schools are using a content filtering system, for example,” says Siegl. “But many of those systems have evolved since 2001, when it was simply a literal filter — a list of URLs and domains. Schools should be very conscious about systems that are collecting large amounts of data about their students, such as web search history, location and other things.”

How Can Schools Protect Themselves from Third-Party Risk?

There are many steps school IT admins can take to protect their data and networks from third-party risk.

First, they can look at the security controls set up in their cloud-based environments. There are security settings in Microsoft and Google that schools can change to better protect networks from shadow IT and safeguard end users from having their data stolen.

With the right controls in place, it’s harder for educators and students to download applications they don’t have permission to install. However, educators need ways to request and install the tools they need in the classroom. The IT department should vet requests for new applications. When doing so, there are certain things they should look out for.

“Review the terms and conditions, and make sure that the vendor you’re going to work with is accountable for their actions. But you can’t stop there,” says Waugh. “You need to audit the application itself to see what permissions and scopes and access points it has and make sure that it matches what the vendor is telling you within their agreement.”

Auditing every new application, when educators are using an average 148 tools during the school year, is a daunting task for any IT department, let alone a small team with general IT knowledge.

“That’s not a lot of people to cover security and privacy, and compliance with laws,” Siegl says. “I also want to look at the flip side of using third parties as a way of managing risk. A large company may be better suited to do that job than a small school district.”

Schools can outsource some of their security processes to a trusted partner. CDW has a wide range of security services for K–12 districts, from staff augmentation through virtual CISOs to penetration testing and risk audits. ManagedMethods also specifically serves K–12 districts, offering cloud security features that work across Google and Microsoft platforms.

The ManagedMethods solutions can automatically revoke an application the IT team has blocked. “We can send a warning message when someone tries downloading certain applications, saying, ‘You’re violating the school district’s technology acceptable use policy,’” Waugh explains. “Then, we can set up a rule that if that person or anyone else tries to install that app again, it sends the warning message and revokes the app and doesn’t allow the download to happen.”

What Are K–12 Districts Doing to Mitigate Risk?

“The typical approaches for managing risk are to transfer that risk, and that’s a lot of what schools do by outsourcing,” Siegl says. “But they’re not transferring the risk, they’re transferring the risk of managing it. At the end of the day, the school is responsible for the security and privacy of its data, as well as the safety of the students.”

This is one of the reasons the Moore Public School District in Oklahoma began its own application vetting process.

DISCOVER: How schools are modernizing their on-premises data centers with HCI.

First, the IT and ed tech teams worked together to create a flowchart for educators who want to download a new application. “We’ve created this flowchart where educators have to ask themselves certain questions about the product they want to use,” says Emily Monroe, education technology specialist at the district. “Every time they run into the green or the blue boxes, they have to submit a ticket for the application they want to use.”

The ticket first goes to the curriculum department, Monroe explains, which evaluates whether the technology connects to a strategy and whether there’s something already approved that offers the same benefits. Once software is approved by the curriculum department, it goes back to Monroe and her MPS colleague Michelle Hammond, another ed tech specialist.

“We go to their website, we analyze their privacy policy, we go find a contact email of some kind, and we’ll send our data survey off to that vendor,” Monroe says.

When the survey is returned, Monroe and Hammond sit down with MPS Technology Director Jun Kim to analyze the responses and make a determination.

With five or six requests coming per week, the team of three works hard to keep up. “It is a long, drawn-out process, but we have to keep students safe,” Hammond says.

Resources for Schools to Evaluate Risk and SaaS Applications

For his data privacy survey and overall evaluation of new applications, Kim takes his cues from the Consortium of School Networks and its Trusted Learning Environment standards.

“We’ve tweaked our process, but it all came from CoSN and their TLE process,” Kim says. “We manage it from a leadership perspective, a business perspective and a teacher training perspective.”

“CoSN provides a privacy toolkit that covers understanding the laws and vetting applications, and it provides a set of 25 best practices for schools as part of its trusted learning environment,” Siegl explains.

ManagedMethods has a checklist schools can use to determine the security of a new application, and other organizations have free resources for schools as well.

“Common Sense Media has also put together a division that just looks at educational software privacy policies, and rates the policies on three tiers,” Siegl says.

DIVE DEEPER: Explore five reliable cybersecurity resources for K–12 districts.