In today’s interconnected digital landscape, Software-as-a-Service (SaaS) solutions have become indispensable tools for educational institutions and businesses alike. However, the convenience of outsourcing critical functions to SaaS vendors comes with inherent cybersecurity risks. Unlike district-specific cybersecurity incidents where organizations have direct control and access to details, incidents involving SaaS vendors can provoke anxiety due to the lack of direct control and oversight. Despite rigorous vendor selection processes and compliance with standards and certifications, breaches can still occur, impacting sensitive data and operational continuity.

What to Do if Your Vendor Experiences a Cybersecurity Incident 

  • Launch your Incident Response Team: Even though a technical response to the incident is not within your direct control, you can leverage your Incident Response procedures to handle communications and monitoring of the incident.
  • Review Contracts and Responsibilities: Understand your and your vendor’s contractual obligations regarding incident response, notification, and liability allocation.
  • Consult Your Insurance Policy & Talk to Your General Counsel: Understand when and how to involve your insurance company based on your policy’s coverage.
  • Know Your Legal Obligations: Familiarize yourself with state and potentially other states’ legal requirements in case of a data breach affecting your organization.
  • Communication Strategy: Develop a clear strategy for when and how to communicate with stakeholders, even if the incident does not directly impact your organization.
  • Prepare Guidance for Stakeholders: Educate parents/guardians on monitoring and freezing their child’s credit if personal data is compromised. The Federal Trade Commission’s Site on How to Protect Your Child’s Identity is an excellent resource.

Responding to Incidents Involving SaaS Solutions Not Used By Your District

In the event of a widely publicized incident involving a vendor not used by your organization:

  • Acknowledge the Incident: Communicate with your school community, reassuring them that your organization does not use the affected product and is therefore unaffected by the incident. Saying nothing may leave your stakeholders concerned about whether your district is impacted and may fuel unnecessary anxiety and rumors.
  • Monitor the Incident: Track the incident to maintain situational awareness and for early warning in the event the incident expands to a product currently in use at your district.

Proactive Actions

Long before a vendor experiences an incident, there are many things districts can do to reduce their risk including:

  1. Request K12-CVAT from all vendors: Even if not in the purchase cycle, obtain the K12-specific Vendor Assessment Tool (K12-CVAT) to assess vendor security practices. Be sure to validate that the K12-CVAT includes documentation of the use of key technical controls, such as ensuring Multi-Factor Authentication (MFA) is implemented across operations. The K12-CVAT is available here: https://www.cosn.org/tools-and-resources/resource/k-12cvat/
  2. Evaluate Standards and Certifications: Ensure vendors adhere to recommended cybersecurity standards and are auditable for compliance. Utilize a third-party management vendor to evaluate a vendor’s security posture, identify risks, and monitor vendors for future security incidents.
  3. Data Segmentation and Architecture: Advocate for robust data segmentation within the vendor’s architecture to minimize impact in case of a breach. Look for this capability in the K12-CVAT from each vendor.
  4. Consider CISA’s Secure by Design Program (https://www.cisa.gov/securebydesign): Encourage vendors to adopt principles like MFA as a core function by default, tailored to educational environments.
  5. Future Contract Considerations: Incorporate data privacy and incident response clauses into future vendor contracts.
  6. Update Your Incident Response Plan: Make sure your incident response plan contains specific steps for responding to vendor cybersecurity incidents.
  7. Practice Your Incident Response Process: Schedule time to practice responding to incidents as a team using tabletop incident response exercises.  These are very effective when creating

Conclusion

As cybersecurity threats evolve, proactive measures are crucial for safeguarding sensitive data entrusted to SaaS vendors. By understanding contractual rights, implementing robust security assessments, and fostering transparent communication practices, educational institutions can mitigate risks and maintain trust within their communities. For further guidance and resources, explore the Consortium for School Networking (CoSN) resources linked here.

In navigating the complexities of vendor cybersecurity incidents, preparedness and informed decision-making are essential pillars of effective risk management. Stay vigilant, stay informed, and continue to prioritize data security in all digital engagements.

AUTHOR: Amy McLaughlin, Project Director and CoSN’s Cybersecurity Advisory

Published: January 13, 2025

CoSN is vendor neutral and does not endorse products or services. Any mention of a specific solution is for contextual purposes.
License: CC BY-NC