EdTech sprawl has become one of the most underestimated cybersecurity risks in K-12 and higher education. Over the last five to ten years, schools at every level, from K-12 districts and private academies to colleges and universities, adopted educational technology at a pace that outstripped anyone’s ability to govern it. The pandemic forced a tidal wave of changes. But we’ve also seen the advent of digital admissions portals, parent communication platforms, fundraising tools, tutoring apps, HR systems, and 31 flavors of classroom engagement software, each one adding vendor risk and student data privacy exposure.
Don’t misunderstand: most of those tools addressed genuine problems. But many were adopted fast, department by department, with no coordination and no software governance plan. A math department chair signed up for one platform. The development office picked another. Athletics bought a third.
Now the IT leaders at these institutions are stuck managing the aftermath: overlapping tools doing the same job, duplicate subscriptions bleeding money, wildly inconsistent security standards across platforms, unclear ownership of who approved what, and a growing pile of FERPA obligations that nobody mapped to the actual vendor landscape.
The question facing schools today isn’t whether to embrace technology. That ship sailed. The question is whether anyone has real visibility into what’s running, who controls it, and what risks it’s creating—before edtech sprawl turns into an operational, financial, or cybersecurity crisis.
Why K-12 Schools and Universities Are Especially Vulnerable to EdTech Sprawl
Every industry has its version of this problem. But education has structural characteristics that make it worse, faster.
Decentralized Purchasing Is the Default, Not the Exception
In most schools, and especially in private schools and mid-sized colleges, there is no centralized procurement process for software. Faculty members adopt classroom tools on their own. Department heads purchase platforms for their teams. Admissions buys a CRM. The development office licenses a donor management system. The athletics department picks up a scheduling app. The counseling office starts using a mental health platform.
Each of these decisions might be perfectly reasonable in isolation. But nobody is looking at the full picture. Nobody is asking whether the new admissions platform duplicates functionality already available in the SIS, or whether the counseling tool meets the institution’s data security baseline, or whether the donor management system stores parent financial data in a way that creates regulatory exposure.
Decentralized purchasing isn’t a cultural quirk. In education, it’s the default operating model, and it creates vendor sprawl by design.
The Pressure to Modernize Is Relentless
Schools operate under a kind of innovation pressure that most industries don’t face. Parents expect a polished digital experience. Boards want to see evidence of forward-thinking technology adoption. Students compare their school’s digital tools to whatever their friends’ schools are using. Donors want to see their gifts reflected in modernization.
That pressure creates a bias toward saying yes to every new platform. Slowing down to evaluate, standardize, or consolidate feels like falling behind. But the institutions that rush to adopt without governing what they’ve adopted are the ones that end up with 47 active software subscriptions and no idea which ones are still in use.
IT Teams Are Outnumbered
Most schools have IT teams that are dramatically undersized relative to the complexity of what they’re expected to manage. A private K-12 school might have two or three IT staff supporting an environment with hundreds of endpoints, dozens of third-party applications, a student information system, a learning management system, parent portals, and whatever else the faculty adopted last semester.
Small colleges aren’t much better off. The IT director tends to also be the security officer, the help desk, and the person who has to figure out why the projector in the auditorium isn’t working.
These teams don’t lack talent, just capacity. And when you pair an undersized IT team with a sprawling, decentralized software ecosystem, the result is predictable: things fall through the cracks, security reviews don’t happen, and nobody notices a problem until it becomes an incident.
Common EdTech Vendor Risks Schools Often Miss
Software sprawl isn’t just an operational headache. It’s a vector for risk, particularly when the vendors in the ecosystem haven’t been evaluated for the things that actually matter.
Weak Data Privacy Protections
Schools collect and store an extraordinary volume of sensitive information: student academic records, behavioral data, disciplinary records, health information, disability accommodations, parent financial data, and Social Security numbers. Much of this data is protected under the Family Educational Rights and Privacy Act (FERPA), which places strict obligations on how educational institutions share student records with third parties.
FERPA permits schools to disclose personally identifiable information to vendors under the “school official” exception, but only if the vendor is performing an institutional function, is under the institution’s direct control regarding use and maintenance of records, and agrees not to redisclose the data without authorization. In practice, too many schools hand student data to vendors without confirming any of those conditions are met.
Poor Identity and Access Controls
Some of the most widely used education platforms still lack basic security features: multi-factor authentication (MFA), integration with the school’s single sign-on (SSO) system, or role-based access controls that limit who can see what.
When a platform doesn’t support SSO, every user gets a standalone username and password, which means the school’s IT team has no centralized way to manage access, enforce password policies, or revoke credentials when someone leaves. When a platform doesn’t support MFA, a single compromised password is all it takes to expose student data.
These aren’t exotic security requirements. They’re the minimum. But too many education vendors still don’t meet them.
Unclear Vendor Security Practices
Most schools never ask their vendors the questions that matter most. Where is our data stored? Is it encrypted in transit and at rest? How long is it retained after our contract ends? Who at the vendor’s organization can access it? What happens to our data if the vendor is acquired, merges with another company, or shuts down?
These aren’t gotcha questions. But in an environment where software gets adopted by a department head with a credit card, that due diligence never happens. The vendor’s security posture becomes the school’s security posture, and nobody evaluated it.
Redundant Platforms
This one is less about risk and more about waste, though the two are connected. Schools routinely end up with three separate communication platforms, multiple learning apps that do the same thing, and overlapping reporting tools that nobody can reconcile. Each redundant platform is money spent for no additional value. Each one is another attack surface. Each one is another set of credentials to manage, another vendor to monitor, and another data silo that complicates everything from compliance to breach response.
How EdTech Sprawl Creates Cybersecurity Risk in K-12 and Higher Education
Every unmanaged application is a form of shadow IT. If the IT team doesn’t know a tool exists, they can’t assess its security posture, monitor it for anomalies, or include it in incident response planning. Every abandoned account (be it a teacher who left, a student who graduated, or an administrator who switched roles) is a credential that still works somewhere, attached to data that still matters. Every unreviewed integration between platforms is a pathway that nobody’s watching. Every phishing email that impersonates a vendor the school actually uses is more convincing because the sprawl makes it impossible to tell what’s legitimate.
Between July 2023 and December 2024, 82 percent of K-12 schools surveyed by the Center for Internet Security reported experiencing a cyber threat. U.S. school districts now face an average of five cyber incidents per week. Ransomware attacks against education institutions held relatively steady in 2025 at 251 globally, but the volume of records exposed in confirmed attacks rose 27 percent year over year—driven partly by vulnerabilities in third-party software.
The PowerSchool breach of December 2024 is the clearest illustration of what third-party vendor risk looks like in education. A compromised credential gave an attacker access to the student information system used by over 18,000 schools in North America. The breach went undetected for nine days. Approximately 62 million student and educator records were exposed, including names, Social Security numbers, dates of birth, and medical information. The attacker demanded $2.85 million in bitcoin, and PowerSchool paid. Then the same data was used to extort individual school districts months later. The Ontario Information and Privacy Commissioner’s investigation found that the lack of mandatory MFA, an always-on remote maintenance feature, limited log retention, and delayed detection all contributed to the breach’s severity.
PowerSchool serves roughly 75 percent of the K-12 market. Schools didn’t choose to be vulnerable. They were made vulnerable by a vendor whose security practices failed to match the sensitivity of the data it held.
That’s not an edge case. That’s the risk model for every third-party tool in your ecosystem that you haven’t evaluated.
How Schools Can Reduce EdTech Vendor Risk Without Slowing Innovation
None of this means schools should stop adopting technology. Teachers and administrators need flexibility. New tools solve real problems. The goal isn’t to build a bureaucratic wall between faculty and the software they need—it’s to put enough structure around the process that nobody is creating risk without knowing it.
That starts with a few practical steps.
- Create a lightweight approval workflow for new software. It doesn’t need to be a sixty-day procurement process. It needs to be a gate: something that routes new tool requests through IT for a basic security review before data starts flowing.
- Build a vendor risk assessment into that workflow. A short questionnaire covering data storage, encryption, access controls, MFA support, SSO compatibility, retention policies, and breach notification obligations will catch the worst problems before they’re your problems.
- Conduct an application inventory audit. You can’t govern what you can’t see. Catalog every tool in use, who approved it, what data it touches, and whether it’s been reviewed. The results will be uncomfortable. That’s the point.
- Standardize where you can. If three departments are using three different communication platforms, pick one. If two tools perform the same function, consolidate. Standardization reduces cost, simplifies management, and shrinks your attack surface.
- Establish a cross-functional governance committee. This shouldn’t be an IT-only initiative. Include representatives from academics, admissions, administration, and finance. The people who adopt tools should be part of the process that governs them.
- Review vendor contracts periodically, not just at renewal. Contracts that were signed three years ago may not reflect the institution’s current security requirements or regulatory obligations.
- Build offboarding into the vendor lifecycle. When a contract ends, there should be a documented process for deprovisioning accounts, retrieving data, and confirming deletion.
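The inventory audit, the questionnaire checks (MFA and SSO support, review age, contract end), the consolidation step and the offboarding step described above, along with the earlier point that standalone credentials cannot be revoked centrally, can be expressed as a small rule-based audit over an application inventory. The script below is an added example written for this page; it is not the article’s own material or any TMG tooling. The platform names, owners, account roster, field names, audit date and the one-year review policy are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed policy values (not from the article): which data classes count as
# protected, how old a vendor review may be, and who runs the approval gate.
SENSITIVE_DATA = {"student_records", "ssn", "health", "parent_financial"}
REVIEW_MAX_AGE_DAYS = 365
APPROVAL_GATE = "IT"
AUDIT_DATE = date(2026, 1, 15)  # constructed date on which the audit is run

# Constructed sample inventory: one record per platform the school uses.
# Platform names are hypothetical.
INVENTORY = [
    {"app": "StudentSIS", "owner": "Registrar", "function": "sis",
     "approved_by": "IT", "data": {"student_records", "ssn"},
     "sso": True, "mfa": True, "last_review": date(2025, 9, 1), "contract_end": None},
    {"app": "TutorBuddy", "owner": "Math Dept", "function": "tutoring",
     "approved_by": None, "data": {"student_records"},
     "sso": False, "mfa": False, "last_review": None, "contract_end": None},
    {"app": "DonorTrack", "owner": "Development", "function": "fundraising",
     "approved_by": "Development", "data": {"parent_financial"},
     "sso": False, "mfa": True, "last_review": date(2022, 3, 15), "contract_end": None},
    {"app": "FieldScheduler", "owner": "Athletics", "function": "scheduling",
     "approved_by": "IT", "data": set(),
     "sso": True, "mfa": True, "last_review": date(2025, 3, 10), "contract_end": date(2025, 6, 30)},
    {"app": "ParentPing", "owner": "Admissions", "function": "communication",
     "approved_by": "IT", "data": set(),
     "sso": True, "mfa": True, "last_review": date(2025, 10, 1), "contract_end": None},
    {"app": "ClassChat", "owner": "Faculty", "function": "communication",
     "approved_by": None, "data": set(),
     "sso": False, "mfa": False, "last_review": None, "contract_end": None},
]

# Constructed roster: accounts on each platform joined with HR status.
ACCOUNTS = [
    {"app": "StudentSIS", "user": "asmith", "hr_status": "active"},
    {"app": "TutorBuddy", "user": "asmith", "hr_status": "active"},
    {"app": "TutorBuddy", "user": "jdoe", "hr_status": "departed"},
    {"app": "DonorTrack", "user": "bwong", "hr_status": "departed"},
]


@dataclass(frozen=True)
class Finding:
    app: str
    rule: str
    detail: str


def audit(inventory, accounts, today):
    """Apply the governance checks to the inventory and return one Finding per gap."""
    findings = []
    for rec in inventory:
        name = rec["app"]
        sensitive = bool(rec["data"] & SENSITIVE_DATA)
        # Step 1: did the tool pass the approval gate at all?
        if rec["approved_by"] != APPROVAL_GATE:
            findings.append(Finding(name, "unapproved",
                                    f"adopted by {rec['owner']} without passing the IT review gate"))
        # Step 2: questionnaire items that matter most for protected data.
        if sensitive and not rec["mfa"]:
            findings.append(Finding(name, "no_mfa", "holds protected data but does not support MFA"))
        if sensitive and not rec["sso"]:
            findings.append(Finding(name, "no_sso",
                                    "standalone credentials; access cannot be revoked centrally"))
        # Periodic review: missing or older than the policy window.
        last = rec["last_review"]
        if last is None or (today - last).days > REVIEW_MAX_AGE_DAYS:
            findings.append(Finding(name, "stale_review",
                                    "no vendor security review within the policy window"))
        # Offboarding: a contract that has ended needs deprovisioning and deletion evidence.
        end = rec["contract_end"]
        if end is not None and end < today:
            findings.append(Finding(name, "expired_contract",
                                    "contract ended; confirm accounts deprovisioned and data deleted"))
    # Offboarding for people: accounts that outlived their owner's employment.
    for acct in accounts:
        if acct["hr_status"] == "departed":
            findings.append(Finding(acct["app"], "orphaned_account",
                                    f"{acct['user']} has left but still holds an account"))
    return findings


def by_rule(findings):
    """Group finding app names by rule for reporting and assertions."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f.rule].add(f.app)
    return {rule: sorted(apps) for rule, apps in grouped.items()}


def duplicate_functions(inventory):
    """Standardization candidates: functions served by more than one platform."""
    groups = defaultdict(list)
    for rec in inventory:
        groups[rec["function"]].append(rec["app"])
    return {fn: sorted(apps) for fn, apps in groups.items() if len(apps) > 1}


if __name__ == "__main__":
    for f in audit(INVENTORY, ACCOUNTS, AUDIT_DATE):
        print(f"{f.app:15} {f.rule:17} {f.detail}")
    print("consolidation candidates:", duplicate_functions(INVENTORY))
```

In practice the inventory would be exported from the SSO provider, expense records and the HR system rather than typed in, and the rules would be tuned to the institution’s own questionnaire; the shape of the checks (approval gate, MFA and SSO for protected data, review age, contract end, departed users) is what the steps above call for.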
None of these steps require massive budgets. They require attention, ownership, and a willingness to treat software governance as a real institutional priority rather than something IT worries about alone.
Education Technology Should Support Learning, Not Create Risk
Schools exist to educate students. Every piece of technology in the building should serve that mission. When software sprawl and unmanaged vendors start creating budget waste, security gaps, and compliance exposure, the technology has stopped serving the institution and started working against it.
The good news is that regaining control doesn’t require starting over. It requires visibility, process, and the willingness to ask uncomfortable questions about what’s been adopted, by whom, and with what level of oversight.
If your institution is struggling with software sprawl, vendor risk management, or cybersecurity gaps you don’t have the internal capacity to address, an outside perspective can help identify the blind spots before they become headlines. TMG works with organizations to assess their risk posture, evaluate vendor ecosystems, and build governance frameworks that protect what matters most without slowing down the work that moves the mission forward.