Protect your school from cyber-attacks and cyber security breaches

Cyber-attacks are becoming more frequent and can affect anyone, not just large organisations and businesses. The education sector is not immune to these cyber threats, and some New Zealand schools have already been severely impacted.

Successful cyber-attacks can result in the permanent loss or public exposure of important or sensitive information, as well as ongoing disruption to school business while recovering from the attack.

Here are some actions you can take to strengthen your school’s cyber security and reduce your risks:

  • Backup important data from your school network regularly.
  • Ensure your staff and school community are aware of, and vigilant about, phishing and other email scams.
  • Update your software and devices when patches become available.
  • Install antivirus software on your devices.
  • Only use a secure connection to access your school’s network remotely.

Backing up your school’s important data

Reliable backups are essential and increase the chances that your school can recover from a cyber-attack. To ensure your school is backing up important data and settings, we recommend you discuss backups with your school’s tech lead, your board, and your school’s ICT provider. You need to ensure that:

  • Backups of important information, software, and configuration settings are performed monthly at the very least. (Plan to move to backing up important information daily.)
  • Backups are retained for one month at the very least. (Plan to start retaining backups for at least three months.)
  • Backups are stored separately, away from your school network. (These backups must be stored either offline, or online in the cloud in a non-erasable manner.)
  • You have tested that you can restore from your backups.

Further guidance on backing up your data is available from CERTNZ.

Be aware of phishing email scams

You need to ensure your staff and school community are aware of, and vigilant about, email scams and phishing attacks. Phishing emails are a type of email scam where the sender tries to trick you into giving away information or installing computer viruses, or tries to access your systems to steal data or for financial gain. Scammers are becoming highly sophisticated and often use emails that pretend to come from a person or organisation you know. Successful phishing campaigns have resulted in schools being locked out of systems and unable to recover their own data.

To start protecting your school from phishing email scams, we recommend you advise your school community to:

  • Check the sender is actually who they say they are.
  • Treat with suspicion any requests via email for passwords, user names, bank details, or urgent payments, and any links in emails asking you to update these details.
  • If unsure, confirm the sender of the email by telephoning them.
  • Always send emails to the school community from an email address that is associated with the school’s domain name.
  • Do not send password information (e.g. for parent portals) via email.
  • Report suspicious emails or security incidents to CERTNZ.

Further guidance on protecting your school from phishing attacks is available from CERTNZ.

What else can your school do?

Cyber security is a challenge facing the entire education sector. In addition to implementing backups and making your school community aware of email scams, we recommend that you discuss the following with your school’s tech lead, your board, and your ICT provider:
