Last week’s cyber attack against Learning Management System (LMS) Canvas exposed a critical reality for education leaders: operational resilience depends heavily on the security, availability, and recoverability of third-party digital platforms beyond your direct control.
Instructure has since apologised for the impact of the incident, acknowledging the ‘real disruption’ faced by institutions and the strain placed on teaching teams and students during a critical academic period. But while institutions can’t fully control how every technology supplier protects its own environment, they can control how prepared they are when a critical dependency fails.
That is a lesson from the Canvas attack that must be taken forward.
The Canvas attack, launched by ShinyHunters, showed how exposed learning environments are. They are open, distributed, and highly connected. They must support students, staff, researchers, suppliers, parents, visiting academics, and alumni. Access changes constantly. Devices are varied. Data moves continuously across internal systems, cloud applications, learning platforms, identity services, research environments, and external providers.
Many institutions are managing this complexity with stretched IT teams, constrained budgets, and legacy infrastructure. They also hold large volumes of sensitive data, including personal, academic, safeguarding, and sometimes health-related information.
When a critical system goes down, the impact is immediate. Teaching is disrupted. Assessments are affected. Staff are forced into manual workarounds. Students lose access to the tools they rely on to learn and communicate.
That does not make education powerless. But it does mean cyber resilience must be designed around continuity, not just prevention.
James Holton, Cyber Security Practice Director at Trustmarque Ultima, says: ‘Education institutions should not see attacks on platforms like Canvas as a supplier-only problem. The same factors that make those platforms attractive to ransomware groups – rich data, complex user environments, and the potential for immediate operational disruption – also make universities, colleges, and even schools targets in their own right. As threat actors become more capable of scaling attacks across a wider pool of organisations, education providers need to assume they are firmly within scope and plan accordingly for cyber resilience.’
Ransomware planning in education needs to move beyond pure security and IT recovery towards institutionally managed cyber resilience. That means understanding which platforms, identities, data flows, and suppliers are critical to keeping education running, and what happens if one of them fails.
Education providers cannot fully control supplier-side security. But they can control their own dependency mapping, continuity planning, identity governance, supplier escalation routes, communications and recovery options.
That means thinking about cyber resilience in the bigger picture, beyond backups alone.
The recommendations that follow do not suggest education providers could have prevented the Canvas incident. They focus on what institutions can do to reduce the operational, legal, safeguarding and communications impact when a critical supplier-side platform is compromised.
There is a critical distinction between knowing which systems are important and knowing which dependencies would create operational paralysis if they failed. This is where cyber resilience gaps often emerge.
The Canvas attack showed how disruption at a third-party provider can quickly become an institutional problem. Education providers should therefore start by mapping the systems that underpin teaching, assessment, safeguarding, communications, research, and administration. This should include externally hosted platforms, identity providers, Software as a Service (SaaS) applications, and supplier-managed services.
The goal is not simply to maintain an asset inventory, but to identify where risk exists and where operational dependency is highest.
Guide your process with these questions:
This exercise should extend beyond technology teams, with the goal of exposing which services are critical to continuity, where resilience gaps exist, and where contingency planning is weakest before attackers or outages expose them under pressure.
Education environments are uniquely difficult to govern from an identity perspective, with global access across a broad and constantly changing user base, alongside fast-moving and sometimes complex joiner, mover, and leaver (JML) processes. Students, staff, researchers, suppliers, alumni, and external collaborators often access systems from unmanaged devices, multiple locations, and shared environments. Permissions accumulate over time, visibility becomes fragmented, and inactive accounts can persist unnoticed.
Threat actors take advantage of that complexity. Credential compromise and identity misuse are now central to modern ransomware operations because they allow threat actors to move through environments while appearing legitimate.
Education providers should therefore prioritise stronger identity governance and visibility across their environment, including:
The objective is not only to prevent compromise, but to reduce the likelihood that disruption spreads unchecked once a threat actor gains access.
Strong identity governance also improves recovery time and effectiveness. Institutions that understand who has access to what, where critical dependencies sit, and how identities interact across systems can make faster, more confident decisions during an incident.
The most dangerous point in a ransomware incident is often the moment decision-making collapses under uncertainty. Too many response plans remain heavily technical when, in reality, ransomware incidents quickly become operational, legal, financial, and reputational events.
To avoid this chokepoint, education providers should build board-approved ransomware playbooks and rehearse them against realistic education-specific scenarios.
Playbooks should cover:
Institutions should then rehearse scenarios such as:
These exercises help organisations identify gaps before attackers do. More importantly, they give leadership teams something ransomware is designed to remove: the ability to think clearly under pressure.
Education providers can’t eliminate every dependency or guarantee that every supplier will remain secure, but they can decide how prepared they are when disruption occurs, and whether they have the recovery options, governance and confidence to avoid making decisions under ransom pressure.
Reports that a ransom payment may have been made following the Canvas incident should also act as a warning to the sector. Payment may appear to offer the fastest route back to normality, but it is not sustainable.
The long-term answer is not to become better at paying ransoms. It is to become better at absorbing disruption, maintaining continuity and recovering with confidence when critical platforms fail.
The cyber attack against Canvas is a reminder that operational resilience in education now depends heavily on third-party digital platforms outside institutions’ direct control. Learning, assessment, communication, and safeguarding are increasingly delivered through connected and co-dependent systems and suppliers. When one of those critical dependencies is compromised, the impact is felt quickly across teaching teams, students, operations and leadership.
Education providers cannot prevent every supplier-side incident. But they can reduce the operational, legal, safeguarding and communications impact when a critical platform fails. That starts with three key focus areas:
1. Understand operational dependency
Map the systems and suppliers that keep education running. Identify where concentration risk exists, which platforms are critical to continuity, and what processes would still function if a key service became unavailable.
2. Strengthen identity governance
Education environments are highly complex from an identity perspective, with constantly changing users, varied devices and broad access requirements. Institutions should strengthen visibility, access governance, MFA coverage and monitoring to reduce the likelihood of compromise spreading unchecked.
3. Build and rehearse ransomware playbooks
Ransomware incidents quickly become operational, legal and reputational events. Playbooks should cover communications, supplier escalation, safeguarding, continuity plans, law enforcement engagement and principles on ransom payment, and they should be tested regularly against realistic scenarios.
Reports that a ransom may have been paid following the Canvas incident should act as a warning. Payment may feel like the fastest route back to normality, but it is not sustainable. The long-term answer is not to become better at paying ransoms, but better at absorbing disruption, maintaining continuity, and recovering with confidence when critical systems fail.