The recent Canvas LMS breach puts front and centre an uncomfortable truth about IT in education: we don't actually control our school's data.
We talk extensively about creating "private and secure boundaries" within our schools, but the reality is that the vast majority of our data risk is completely outsourced to third-party vendors. We accept the risk on paper, but we have almost zero ability to deeply vet, check, or protect data held by these private (and public) sector partners.
This is fuelling a systemic issue I call "it's not our fault, but it is our problem." When a major company suffers a breach, or an external service goes down, school IT teams are the ones left to pick up the pieces. To our teachers, students, and parents, the technology we deploy is perceived as a single, cohesive school-based platform. They don't see the dozens of tiny, fragmented products and services packaged together under the hood. When one link in that vendor chain breaks, it's our reputation and our classroom productivity that suffer.
Third-party data risk is currently at an all-time high, forcing us to ask incredibly difficult questions. Right now, vendors are aggressively loading AI features into every LMS and core system imaginable. Meanwhile, standard accreditation frameworks like ST4S aren't even accepting AI-based apps for evaluation yet. AI tools are being deployed into existing systems, under existing agreements, before the experts have even worked out how to evaluate them.
Compounding this is a widespread misconception in ed-tech: the idea that software is ever "done." Schools often buy an app based on a rigorous security review, assuming that the product they approved is the product they will be using long-term. The reality is that, through forced cloud updates, the app you purchased today rarely bears any resemblance to the app running a year from now.
Third-party vendor risk is universally viewed as one of the most difficult security challenges to manage, and because it's hard, it’s usually left until last and done poorly.
Two Things School IT Teams Must Do Better
- Radical Transparency
- We need a better method for clearly communicating exactly which third-party vendors we are invested in and what data they hold. This shouldn't be a hidden compliance register, but rather a public list of our digital partners that builds trust and awareness among parents.
- Stop Appointing Absolution
- We have a habit of absolving ourselves of blame when things go wrong. Microsoft Windows bugs, SIS system failures, and Office 365 glitches happen constantly. When small or massive incidents occur, the default defense is often, "Well, everyone is experiencing it, what could we do?" We need to reject that complacency.
- Look no further than the irony of the historic CrowdStrike outage that crippled global infrastructure. Instead of being abandoned by the market, the company was recently named a leader in the 2026 Gartner Magic Quadrant for endpoint protection and is enjoying unprecedented success. This illustrates the dangers of the "Too Big to Fail" mentality in enterprise tech. Consumers and organisations fall victim to "status quo bias": the brain's tendency to stick with the familiar to avoid the perceived logistical nightmare of switching vendors. No one ever got fired for buying IBM, Microsoft, or CrowdStrike, even when they take the network down. We don't feel the same pressure when a vendor fails as we would if we had built the system ourselves, but we should!
Ownership Over Outages
It comes down to a fundamental shift in mindset. Instead of throwing our hands up or pointing to a vendor's broken service-level agreement, every technical issue we encounter needs to be reframed: it may not be our fault, but what role can we play in the solution?
When evaluating a vendor, we have to own the consequences of that choice.
If a platform erodes the confidence of our staff and students through spotty updates, poor data practices, or security scares, the status quo is no longer acceptable. Market popularity shouldn't be mistaken for the right fit. We must routinely investigate viable alternatives, even if we don’t end up moving products. Having an exit strategy gives us the certainty that our current platform is a deliberate, proactive choice, not a lazy default.