When it comes to scenarios like the Canvas ransomware situation, investing in containment will help when the next ransomware attack arrives.

The Canvas ransomware attack shows why schools must focus on containment, not just recovery


Institutions that invest in containment, not just restoration, will be in a stronger position when the next attack arrives

The recent ransomware incident involving Canvas has renewed attention on one of the most difficult decisions schools and technology providers can face: how to respond when sensitive student, faculty, or institutional data is stolen and threatened with public release.

Paying a ransom can fuel future attacks by proving the tactic works. Refusing to pay can leave affected communities exposed to further harm. For education organizations, the decision is especially fraught because the consequences can reach far beyond IT systems.

But by the time an organization is weighing those options, the real failure has already occurred. Attackers have gained access to sensitive systems, moved far enough to reach high-value data, and created a situation where every available choice carries risk.

That is why schools need to think beyond recovery. Backups, incident response plans, and restoration capabilities are critical, but they do not stop an attacker from spreading once inside. According to a recent study, 52 percent of respondents believe having a full and accurate backup is a sufficient defense against ransomware. Yet only 13 percent were able to recover all impacted data following a ransomware attack.

The real priority is containment: limiting how far ransomware can move, what systems it can reach, and how much damage it can cause before recovery is even necessary.

Timing is not accidental

The Canvas incident is a good example of how disruptive these attacks can become for the education sector. The attack occurred during finals and graduation season. For colleges and universities, that timing creates enormous operational pressure. Graduation schedules are tied to travel plans, family events, employment start dates, and academic deadlines that cannot easily be shifted. Even delaying final grades or academic records can create ripple effects across an institution.

Attackers understand that. Cybercriminal groups increasingly target organizations at moments when downtime is hardest to tolerate because it increases pressure to restore systems quickly.

Learning platforms now hold far more than grades

There is also a tendency to think about platforms like Canvas only in terms of grades and assignments, but these environments contain much more than that. Modern learning management systems function similarly to enterprise collaboration platforms. Students, faculty, and administrators use them for messaging, classroom discussions, group collaboration, and direct communication.

That means a breach can expose far more than academic records. It can expose private conversations, internal communications, student information, and other sensitive material that schools never expected to become public. In many ways, the situation is similar to what a corporation would face if years of internal Slack or Microsoft Teams messages were suddenly exposed.

The growing importance of shared cybersecurity responsibility

The incident also reinforces how interconnected modern education environments have become. Schools, universities, and education technology providers all play a role in protecting sensitive data and maintaining operational resilience. Even when institutions have strong passwords, multifactor authentication, and solid cybersecurity practices in place internally, they are still part of a broader ecosystem of connected platforms and services.

Supply chain and third-party attacks remain a significant concern across every sector, including education. Cybersecurity has become a shared responsibility between institutions and the technology partners they trust to support critical operations.

Incidents like this should not automatically lead organizations to conclude that cloud platforms are inherently unsafe. Cloud and third-party technologies provide enormous operational and educational benefits. The larger issue is that many organizations still approach cybersecurity primarily as a prevention problem, when the reality is that no environment is going to stop every attack indefinitely.

Why containment needs to become the priority

A more resilient posture starts with a different assumption: A breach will happen. The question is how much damage it can cause.

In many ransomware incidents, the most damaging part of the attack is not the initial compromise itself, but the ability for attackers to move laterally across systems, escalate privileges, and access high-value data that was never meant to be interconnected in the first place.

That is where containment becomes critical.

For schools and universities, that starts with reducing unnecessary pathways between systems and isolating sensitive assets wherever possible. Student records, grading systems, financial systems, research environments, and collaboration tools should not all be freely accessible from one compromised account or device. Applying Zero Trust principles and stronger segmentation controls can help prevent attackers from moving throughout an environment and turning a single compromise into a much larger institutional crisis.

This approach also helps reduce operational disruption during an incident. If a breach can be isolated to a smaller portion of the environment, institutions are in a much better position to keep core academic and administrative functions running while security teams respond. That becomes especially important in education environments where outages can directly affect instruction, testing, graduation timelines, payroll, and student services.

Risk-based visibility is another important piece of the equation. Many organizations still struggle to fully understand how applications, users, and systems communicate across their environments. Without that visibility, it becomes much harder to identify unusual behavior or stop attackers before they gain broader access. Understanding where sensitive data resides and how it moves across the network is foundational to building an effective containment strategy.
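
To make the segmentation and visibility points concrete, the following sketch (an added illustration, not part of the original article) compares how many sensitive systems one compromised device can reach on a flat network versus a segmented one, then flags observed connections that the segmentation policy does not allow. The system names follow the article's list; the workstation entry point, the allowed flows, and the observed flow log are constructed assumptions.

```python
from collections import deque

# Constructed inventory: system names follow the article's list; the
# workstation entry point and every flow below are illustrative assumptions.
SYSTEMS = ["workstation", "collaboration", "grading",
           "student_records", "finance", "research"]
SENSITIVE = {"student_records", "finance", "research"}

# Flat network: every system may open connections to every other one.
FLAT = {(a, b) for a in SYSTEMS for b in SYSTEMS if a != b}

# Segmented policy: only the flows each system needs to do its job.
SEGMENTED = {
    ("workstation", "collaboration"),
    ("workstation", "grading"),
    ("grading", "student_records"),  # grades are written to the record system
}

def blast_radius(flows, start):
    """Every system reachable from `start` by chaining allowed flows."""
    nxt = {}
    for src, dst in flows:
        nxt.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        for dst in nxt.get(queue.popleft(), ()):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

def exposed_sensitive(flows, start):
    """Sensitive systems inside the blast radius of `start`."""
    return blast_radius(flows, start) & SENSITIVE

def unexpected_flows(observed, policy):
    """Observed connections the policy does not allow (visibility check)."""
    return sorted(set(observed) - set(policy))

# Constructed flow log, e.g. summarised from firewall or NetFlow records.
OBSERVED = [("workstation", "collaboration"), ("workstation", "grading"),
            ("workstation", "finance"), ("grading", "student_records")]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, sorted(exposed_sensitive(policy, "workstation")))
    print("unexpected:", unexpected_flows(OBSERVED, SEGMENTED))
```

Even under the segmented policy, student records remain reachable from the workstation through the grading system, which is why containment has to be assessed along chained paths rather than one allowed connection at a time.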

Encryption also plays an important role because it can help reduce the value of stolen information. If attackers are able to exfiltrate data but cannot easily use it, organizations have more options available to them during an incident response. While no single control eliminates risk entirely, layering segmentation, visibility, Zero Trust principles, and encryption together can significantly reduce the leverage attackers have during a ransomware event.

Moving beyond recovery alone

The broader lesson from the Canvas attack is that recovery alone is no longer enough. Once sensitive information has already been stolen, the conversation quickly shifts from prevention to damage control, and by that point the organization is operating with very limited leverage.

For schools and universities, the goal should be ensuring that a single compromise cannot disrupt operations, expose sensitive information, and force institutions into making decisions they never wanted to face in the first place. Those that invest in containment, not just restoration, will be in a fundamentally stronger position when the next attack arrives.


eSchool Media Contributors