Cars, toys, edtech: The security double standards harming schools
Before a new car can be used on the roads, it must pass a barrage of well-defined safety tests.
This does not stop innovation, but it means manufacturers know the rules to which they must adhere if they want to sell a car to the public.
It also means car buyers should be able to rest assured that any car they buy is safe to drive.
It’s not foolproof, of course, but it’s a system that works well for keeping people safe.
Similar procedures exist in other areas, such as for children’s toys or food, as we recognise that an untested and unregulated product coming to market would have disastrous consequences.
Passing the buck
In edtech, however, there are no mandatory safety requirements - even though these products often gather up huge amounts of sensitive information on children and often school staff, too.
What’s more, the growth of edtech rocketed in the pandemic and is only set to continue to grow in use among schools.
This growth has not gone unnoticed by cybercriminals either, with a government report earlier this year showing 41 per cent of primary schools and 70 per cent of secondary schools in the UK experienced a cyberattack or breach in the past 12 months.
This is a shocking statistic and underlines the risk education now faces.
Yet, unlike with cars, toys or food, there is little help for schools to give them guidance on what edtech products are safe to buy.
In fact, according to a study I recently conducted that looked at research into cybersecurity and edtech, it is clear that the onus for cybersecurity is not on the companies producing the products, but on schools and teachers.
Some have called this “liability dumping” - shifting the responsibility of cybercrime onto end-users by saying they have to be the ones to ensure anything they use is safe and properly managed, rather than requiring the firms selling the products to get this right before they can be sold.
We can see this issue in much of the language used by the Department for Education’s guidance to schools.
For example, the recently updated Meeting digital and technology standards, which provides a baseline for schools and colleges to follow when it comes to their use of edtech tools, outlines numerous requirements - such as “Train all staff with access to school IT networks”, “Check security for all applications downloaded”, set up contingency plans, conduct data protection impact assessments and so on - that DfE expects schools to either have already met or to meet “as soon as possible”.
That’s a lot to put on schools that are grappling with everything from financial pressures to sustainability initiatives or adhering to the new Keeping Children Safe in Education guidance, which also contains non-digital safety necessities, alongside the responsibilities of actually teaching and learning.
Built-in problems
What’s more, although the advice above is sound and worth doing if it can be incorporated into workloads, research has also shown that 80 per cent of applications in government and educational institutions use old codebases and have high flaw density (the number of confirmed bugs in a software application).
This is the highest rate measured and far higher than other sectors, such as financial services, retail and technology, with 23 per cent of these having high severity flaws.
In short, even if schools follow all the good advice they are given, there will almost invariably be products that enter the market without the necessary security standards in place.
This issue opened up the second strand of my research - the standards and external validation, or lack thereof, governing edtech providers that could at least give schools some confidence in what they might purchase.
However, as was made clear by a series of in-depth interviews with edtech providers from the UK and abroad, which aimed to gauge what cybersecurity standards or frameworks they adhere to, there is a lack of guidance for them in this space.
They cited the fact there are numerous overlapping standards, such as Cyber Essentials and NIST Cybersecurity Framework, that make it hard for firms to know what to implement - let alone for schools to look for any trusted kitemark of cybersecurity standards from any provider.
Innovation over safety?
While some firms show due diligence, the lack of strict mandates imposed on edtech businesses to implement any cybersecurity controls means that for some, especially start-ups, cybersecurity frameworks tend to be seen as “tedious” and “bureaucratic”.
What’s more, in a fast-paced industry, the costs and resources required to meet cybersecurity standards are typically high, which makes it near impossible for early-stage companies to level up.
Moreover, one could argue that regulatory measures can stifle innovation, which is often used as a reason to avoid any overly dogmatic standards for companies. However, when it comes to protecting children’s data, this seems like a lopsided argument.
I also spoke to several international cybersecurity standards organisations such as IASME Consortium Cyber Essentials (in the UK), the National Institute of Standards and Technology Cybersecurity Framework and the National Initiative for Cybersecurity in Education (in the US) about this situation, too.
They generally acknowledged their frameworks don’t specifically address secondary education, which is why they are independently looking to update their frameworks.
However, it can be anyone’s guess what those updates will look like and if key stakeholders, such as teachers, students and parents, have any say in these new designs.
Signs of hope
This is all quite gloomy perhaps - but there are signs of hope, too.
Many edtech companies acknowledged it would be a good idea to have a dedicated cybersecurity standard to help bring clarity to the market.
This is partly driven by economic considerations - having verified cybersecurity credentials would make it easier to market to schools. It can also help offset the costly impact of any potential future cyber breach.
It would likely also lead to better products by ensuring new platforms and upgrades were not rushed out but instead developed carefully. Of course, the big question is: who would oversee these rules?
Many supported the proposal for setting up “a national institution or a government-supported private entity” that can create security certification for edtech products or a database for such secure-by-design products, which can facilitate edtech procurement.
The other positive to this is that there is a growing awareness among the education community (teachers, students and parents) of the risks ensuing from the rapid digitalisation of education.
This is putting more pressure on edtech vendors to ensure they have the right cybersecurity standards in place and will set those that do apart from those that do not.
Ultimately, while we may not see the creation of edtech regulations immediately, it is clear there is a growing awareness from both schools and vendors that we need greater oversight of the tools and platforms used on millions of children both in the UK and worldwide.
As one US edtech provider interviewed for the study said: “Marking one’s own homework is not ideal”.
Dr Velislava Hillman is a visiting fellow at the London School of Economics and Political Science researching and working with educational institutions, students, teachers and edtech organisations globally