How to Protect Online Exams from Cyberattacks: A Step-by-Step Preparedness Guide
Introduction
When a cyberattack took down the Canvas learning platform during final exams in April 2025, chaos erupted across schools and colleges nationwide. The incident, claimed by the ShinyHunters ransomware group, exposed user names, email addresses, student IDs, and internal messages, affecting an estimated 275 million users from 8,800 institutions. While Instructure quickly restored service, the disruption highlighted a critical vulnerability in online education. This guide walks you through practical steps to safeguard online exams and minimize disruptions if a similar attack occurs. Whether you're an administrator, instructor, or student, being prepared makes all the difference.
What You Need
Before an exam, ensure you have these items in place:
- An incident response plan – Documented procedures for communication, escalation, and alternate assessment methods.
- Backup assessment methods – Offline versions of exams, paper-based alternatives, or a secondary learning management system (LMS) like Google Classroom or Moodle.
- Updated contact lists – Email and phone numbers for all faculty, staff, and students.
- Cybersecurity tools – Multi-factor authentication (MFA), endpoint protection, and network monitoring software.
- Data backup – Regularly backed‑up course content and student records stored separately from the LMS.
- Communication templates – Pre‑written announcements for campus closures, exam postponements, or technical instructions.
Step-by-Step How-To Guide
Step 1: Recognize the Threat Early
Stay alert to warning signs of a cyberattack. Common indicators include sudden system slowdowns, error messages, or reports of phishing emails that mimic your institution's LMS. In the Canvas incident, unauthorized activity was detected before the platform went dark. Set up automated alerts for abnormal login attempts, data access, or traffic spikes. Designate a security officer to monitor these signals at least 24 hours before exams begin.
Step 2: Activate Your Incident Response Plan
As soon as suspicious activity is confirmed, trigger your incident response plan. This should include:
- Immediate shutdown – Temporarily take the LMS offline to contain the breach, as Instructure did.
- Notification chain – Alert IT, administration, and legal teams within minutes.
- Preserve evidence – Capture logs and screenshots for forensic analysis.
- User warning – Instruct all users to avoid logging in until further notice and to change passwords on other accounts.
Step 3: Communicate Transparently with Stakeholders
Clear, timely communication reduces panic and prevents rumors. Send an initial message via email, SMS, and the institution's website explaining: what happened (e.g., "a cyberattack has disrupted Canvas"), what actions are being taken (e.g., "we are working with security experts to restore service"), and what users should do now (e.g., "do not attempt to log in; check back for updates"). Follow up with a daily update until normal operations resume. For students, emphasize that exams will be rescheduled or accommodated.
Step 4: Activate Backup Assessment Methods
If exams must proceed during the outage, switch to backup methods immediately. For example:
- Paper exams – Distribute printed copies in a supervised classroom, collecting and scanning them later.
- Offline LMS features – Some systems allow downloading quizzes before an outage; use local copies.
- Alternative platforms – Migrate critical assessments to a secondary, secure LMS (e.g., Moodle, Blackboard) if you have pre‑arranged access.
- Remote proctoring – If the primary platform fails, use a separate proctoring tool (e.g., ProctorU) alongside a video conferencing platform like Zoom (with password protection).
Document which method you used for each exam to ensure academic integrity.
Step 5: Secure Compromised Accounts
After the attack is contained, focus on account hygiene. In the Canvas breach, data such as names, email addresses, student IDs, and messages were accessed. While passwords and financial data were not compromised, user accounts are still at risk of phishing or social engineering. Instruct all users to:
- Change their LMS passwords even if not required.
- Enable multi‑factor authentication (MFA) on all accounts.
- Be wary of unsolicited emails or messages asking for personal information.
- Report any suspicious activity to the IT help desk.
Consider requiring a password reset for all users as a preventive measure.
Step 6: Perform a Post-Incident Review
Once the crisis passes, conduct a thorough post‑incident review with all stakeholders. Analyze:
- What went well – Which response actions worked? For example, was your communication timely?
- What can be improved – Were backup methods sufficient? Did you have enough staff to handle calls?
- Lessons learned – Update your incident response plan accordingly.
- Data impact – Check if any student records were exfiltrated; notify affected individuals as required by law.
Document these findings in a report and share a redacted version with the community to build trust.
Tips for Long-Term Resilience
- Conduct regular drills – Practice a simulated cyberattack at least once a semester so everyone knows their role.
- Invest in redundancies – Have a second LMS or offline exam system ready to go, updated with current student rosters.
- Train users – Provide annual cybersecurity awareness training covering phishing, password security, and how to report incidents.
- Monitor dark web threats – Partner with threat intelligence services to detect if your institution's data appears on forums like those used by ShinyHunters.
- Update software – Keep your LMS and all plug‑ins patched against known vulnerabilities.
- Develop a student support plan – Create a dedicated hotline and FAQ page for exam‑related disruptions to reduce stress.
By following these steps, you can turn a cyberattack from a major disruption into a manageable event. The key is preparation, clear communication, and a resilient plan—just as the Canvas incident showed, it's not if an attack will happen, but when. Stay proactive, and your exams will remain secure and on track.