Today (the next 4 hours)
Last updated 9 May 2026.
1. Confirm whether your school uses Canvas, any other Instructure product, or any SaaS that integrates with Instructure (some plagiarism tools, e-portfolio systems, and proctoring platforms route through it).
2. Brief staff in writing: do not click links in emails about the Canvas incident unless they came through your usual internal comms channel. Phishing campaigns ride on news cycles.
3. Force a password reset on any administrator account that uses the same password as their Canvas account, plus any account that has admin access to your SIS or finance system.
4. Check vendor advisories from Instructure, your AV vendor, and your cyber insurer. Read them in full; do not skim.
This week (next 7 days)
5. Review every administrative account on every Critical SaaS vendor. Confirm MFA is enforced. Remove MFA exceptions wherever possible and document why each remaining one is necessary.
6. Audit shared accounts. Shared logins for SIS, finance, payments, or safeguarding MIS are an immediate weakness. Convert each to per-user accounts.
7. Verify your latest backup of student data, grades, and financials is restorable. Run a partial restore test on a non-production environment.
8. Check your incident response playbook against a vendor outage scenario. If the playbook does not cover "vendor goes down mid-exam", add the missing pages.
9. Send a clear factual update to parents and students. Even "we are monitoring the situation, no impact at this time" is better than silence.
10. Confirm with your cyber insurer what coverage you have for vendor-cause incidents. Some policies exclude them by default.
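One way to turn items 5 and 6 into a repeatable check, as an added example that is not part of this checklist or any vendor's tooling: export the user list from each Critical vendor's admin console into a CSV with the columns assumed below (the column names, the rules, and the sample rows are constructed for illustration, not a real vendor's export format) and run the audit. It flags admin logins without MFA, MFA exceptions that have no written justification, and logins that more than one person uses.

```python
import csv
import io
from collections import Counter

# Constructed sample export (not real data). One row per login on each
# Critical-tier SaaS vendor. "named_users" lists everyone who knows the
# password, separated by ";". Column names are an assumption for this
# example, not any vendor's actual export format.
SAMPLE_EXPORT = """\
vendor,account,role,mfa_enforced,mfa_exception_reason,named_users
Canvas,head.of.it@example.sch.uk,admin,yes,,A. Head
Canvas,canvas-admin@example.sch.uk,admin,no,,A. Head;B. Deputy;C. Tech
SIS,registrar@example.sch.uk,admin,no,Legacy kiosk cannot prompt for MFA; reviewed 2026-05,D. Registrar
SIS,teacher1@example.sch.uk,user,yes,,E. Teacher
Finance,finance@example.sch.uk,admin,no,,F. Bursar;G. Assistant
Finance,payroll.clerk@example.sch.uk,user,no,,H. Clerk
"""

# Severity per rule: an admin without MFA and a shared login are the two
# conditions items 5 and 6 call an immediate weakness.
SEVERITY = {
    "admin_without_mfa": "high",
    "shared_login": "high",
    "undocumented_mfa_exception": "medium",
}


def parse_export(csv_text):
    """Parse the CSV export into dicts, normalising the yes/no and user-list fields."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["mfa_enforced"] = row["mfa_enforced"].strip().lower() == "yes"
        row["named_users"] = [u.strip() for u in row["named_users"].split(";") if u.strip()]
    return rows


def audit_accounts(csv_text):
    """Return one finding per rule violation, highest severity first."""
    findings = []
    for row in parse_export(csv_text):
        is_admin = row["role"].strip().lower() == "admin"
        reason = row["mfa_exception_reason"].strip()

        def add(rule, detail):
            findings.append({
                "vendor": row["vendor"],
                "account": row["account"],
                "rule": rule,
                "severity": SEVERITY[rule],
                "detail": detail,
            })

        # Item 5: every admin login must have MFA enforced.
        if is_admin and not row["mfa_enforced"]:
            add("admin_without_mfa", "admin role without MFA; enforce MFA or remove admin rights")
        # Item 5: any remaining exception needs a written reason.
        if not row["mfa_enforced"] and not reason:
            add("undocumented_mfa_exception", "MFA not enforced and no documented justification")
        # Item 6: a login known to more than one person is a shared account.
        if len(row["named_users"]) > 1:
            add("shared_login", f"{len(row['named_users'])} people share this login; convert to per-user accounts")

    order = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (order[f["severity"]], f["vendor"], f["account"]))
    return findings


def summarise(findings):
    """Count findings per rule, handy for the documentation item 5 asks for."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_EXPORT)
    for f in results:
        print(f"[{f['severity']:6}] {f['vendor']:8} {f['account']:35} {f['rule']}: {f['detail']}")
    print("summary:", summarise(results))
```

Run it once per vendor export and keep the printed summary with the exception register; an exception row with a reason still appears as "admin_without_mfa" on purpose, because item 5 asks you to re-justify every remaining one rather than let it disappear from the report.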
This month (next 30 days)
11. Inventory every SaaS vendor with access to student or staff data. Tier them Critical, Important, Nice-to-have. The Critical tier needs continuous monitoring.
12. Subscribe to security advisories from each Critical vendor. Set up Google Alerts on the vendor name plus "breach", "incident", and "vulnerability".
13. Review your endpoint and email security stack. If you are still relying on the Microsoft Defender baseline plus a free email filter, prioritise the upgrade. AI-native protection (Coro, ESET, Sophos) typically costs £20 to £60 per device per year and materially shrinks the attack surface.
14. Run the AI Readiness Assessment to get an objective view of where your school stands and which AI-native products close your gaps. (Free, three minutes, link below.)
What to skip
Do not pay any ransom directly under any circumstance. Do not negotiate with the threat actor; that is for the breached vendor and law enforcement. Do not migrate off Canvas in the first 30 days; switching learning platforms mid-academic year carries higher risk than holding steady while the post-incident report lands.
Frequently asked questions
We have already done some of these. Which are most important?
Items 1 to 4 are non-negotiable today. Items 5, 6, 8 are the highest-value follow-ups for the rest of the week. Items 11 and 13 are the strategic moves that prevent the next incident.
How long until we should expect the next attack of this kind?
Public threat-intelligence reporting suggests vendor-led attacks against education accelerated through 2025 and 2026. Plan for at least one significant SaaS-vendor incident affecting your school every 12 to 18 months as a baseline.
Can KB help us run this checklist?
Yes. The AI Readiness Assessment maps your current stack against the items above and produces a prioritised action plan in three minutes. Schools wanting hands-on support can book a 15-minute call to walk through the results.