How to Safeguard Schools from Cybersecurity Threats After the Canvas Attack

Introduction

In early 2025, a cyberattack on Instructure's Canvas platform—a learning management system used by over 30 million active users across 9,000 institutions—exposed the fragility of school data security. The hacking group ShinyHunters stole 275 million records, including student and teacher emails, usernames, and enrollment details, forcing schools into crisis mode. This incident, occurring during finals week, highlighted that the education sector is "target rich, resource poor." As schools increasingly rely on edtech, proactive measures are essential. This guide provides a step-by-step approach to strengthen your school's cybersecurity posture, using the Canvas breach as a cautionary case.

How to Safeguard Schools from Cybersecurity Threats After the Canvas Attack — Source: www.edsurge.com

What You Need

Cybersecurity team or designated IT lead – responsible for implementing and monitoring security measures.
Risk assessment tools – to identify vulnerabilities in your network and third-party integrations.
Multi-factor authentication (MFA) system – such as authenticator apps or hardware tokens.
Incident response plan template – adaptable for data breaches or ransomware.
Staff and student training materials – covering password hygiene, phishing awareness, and data privacy.
Vendor security evaluation checklist – to assess edtech providers before contracts.
Patch management software – for timely updates of systems and applications.
Backup solutions – offline or cloud-based with encryption.

Step-by-Step Guide

Step 1: Conduct a Comprehensive Risk Assessment

Start by mapping your digital assets. Identify all systems storing sensitive data—like student records, grades, and enrollment info—and their access points. The Canvas breach exploited a "free for teacher" account, which shows how seemingly minor accounts can be gateways. Use vulnerability scanners to uncover weak spots, such as outdated software or insecure third-party integrations. Document findings, prioritizing risks that could lead to unauthorized access or data theft. This foundation ensures your efforts target the most critical vulnerabilities first.

Step 2: Enforce Multi-Factor Authentication (MFA) Everywhere

The attackers likely gained entry through compromised credentials. MFA adds a vital second layer of security, making stolen passwords insufficient. Implement MFA for all accounts—teachers, students, and administrators—especially those with elevated privileges. Ensure it covers your learning management system (LMS), email, and any cloud services. Use authenticator apps over SMS when possible to avoid SIM-swapping attacks. In the Canvas incident, had MFA been mandatory on free teacher accounts, the breach might have been prevented.

Step 3: Educate Staff and Students on Cyber Hygiene

Human error remains a leading cause of breaches. Develop training sessions that cover recognizing phishing emails, using strong unique passwords, and reporting suspicious activity. Use real-world examples, like the ShinyHunters group's tactics, to make lessons memorable. Emphasize that everyone is a target—teachers, students, and support staff. Schedule regular refresher courses, especially before exam periods when stress is high. A well-informed community is your first line of defense.

Step 4: Establish Vendor Security Requirements

Since schools rely heavily on third-party edtech tools, vet vendors thoroughly. Create a checklist that includes: data encryption standards (in transit and at rest), past breach history (Instructure had a prior breach within the year), incident response plans, and contractual obligations for timely breach notifications. Demand proof of security audits (e.g., SOC 2 Type II reports). For existing contracts, renegotiate terms to include stronger clauses. The Canvas attack shows that a vendor's security gaps become your school's crisis.

Step 5: Develop and Test an Incident Response Plan

Prepare for the worst. Write a clear plan outlining roles, communication channels, and escalation procedures when a breach occurs. Include steps for containment (e.g., disconnecting affected systems), evidence preservation, and notifying affected parties (students, parents, regulators). The Canvas incident saw six universities and districts in a dozen states alerting communities within days—fast communication builds trust. Regularly drill your plan, conducting tabletop exercises simulating ransomware or data theft. Update based on lessons learned from each drill or real incidents.

Step 6: Implement Regular Patching and Updates

Cybercriminals exploit known vulnerabilities. Establish a patch management schedule for all systems: servers, workstations, network devices, and especially your LMS. Automate updates where possible, but test critical applications first to avoid disruptions. After the Canvas attack, attackers leveraged a customer-facing account; such accounts often have older software versions. Set a policy to apply security patches within 48 hours for critical vulnerabilities. Also, update antivirus/EDR tools to detect new threats.

Step 7: Conduct Security Audits and Engage External Experts

At least annually, perform a full security audit, either internally or with a third-party firm. Penetration testing simulates real attacks to identify blind spots. Review logs and access controls to ensure no unauthorized changes occurred. The Center for Internet Security reported that 82% of K-12 organizations faced cybersecurity incidents; audits help you learn from others' mistakes. Consider joining threat-sharing groups like the Multi-State Information Sharing and Analysis Center (MS-ISAC) for K-12. External experts can also help negotiate with hackers—as Instructure did to retrieve stolen data—but prevention is far better.

Tips for Long-Term Success

Prioritize budget allocation – Cybersecurity should be a line item, not an afterthought. Use the Canvas breach as leverage for funding.
Monitor the threat landscape – Groups like ShinyHunters evolve tactics; subscribe to security news feeds tailored to education.
Foster a culture of security – Celebrate staff who report phishing attempts; make security everyone’s responsibility.
Back up data daily – Store backups offline to prevent ransomware from disabling them. Test restoration quarterly.
Limit data retention – Delete old records that are no longer needed by law. Fewer records mean less exposure.
Stay compliant with regulations – Laws like FERPA and state data privacy acts require specific protections; non-compliance adds legal risk.
Build relationships with law enforcement – The FBI’s cyber division can provide guidance; report incidents quickly.

By following these steps, schools can transform from being "target rich, resource poor" to resilient institutions that protect the data and trust of their communities. The Canvas attack is a wake-up call—act now to secure tomorrow.

Tags: