Protect your school from cyber attacks and cyber security breaches
Cyber attacks are becoming more frequent and can affect anyone, not just large organisations and business. The education sector is not immune from these cyber threats and there are New Zealand schools that have already been severely impacted.
|Level of compliance||Main audience||Other|
Successful cyber attacks can result in either permanent loss, or public exposure of, important or sensitive information, as well as ongoing disruption to school business while recovering from a cyber attack.
Here are some actions schools can take to strengthen your cyber security and reduce your risks:
- Back up important data from your school network regularly.
- Ensure your staff and school community know how to recognise and know what to do with phishing emails and telephone scams.
- Update your software and devices when patches become available.
- Install antivirus software on your devices.
- Only use a secure connection to access your school’s network remotely. Either your school's ICT provider or N4L can assist you with this.
Backing up your school’s important data
- Ensure backups of important information, software, and configuration settings are performed monthly at the very least. Plan to move to backing up important information daily.
- Ensure backups are retained for three months.
- Backups need to be stored securely and separately, away from your school network. These backups must be stored either offline, or online in the cloud in a non-erasable manner. Schools using either Apple, Google or Microsoft services should consult the support documentation provided for Apple Education(external link), G Suite(external link), OneDrive(external link), or SharePoint(external link). It is also strongly recommended that you seek an off-site backup solution that is completely separated from your network.
- Test that you can partially or fully restore from your backups at least annually. You can discuss this with your ICT provider.
- Make sure important data that is stored locally on laptops or memory sticks is also stored on your network and included in your backup regime.
Further guidance on backing up your data is available from CERT NZ(external link)
Be aware of phishing emails and telephone scams
You need to ensure your staff and school community are aware and vigilant about email scams and phishing and telephone scams. Phishing emails are a type of email scam where the sender tries to trick you into giving away information, installing computer viruses, or accessing your systems to steal data or for financial gain. Successful phishing campaigns have resulted in schools being locked out of systems and unable to recover their own data.
These phishing emails are becoming more sophisticated. Increasingly, scammers will use ‘spear phishing’ tactics where the scammer will first gather whatever information they can about their chosen target first to make their emails more personalised and convincing. Often these scammers will also try to impersonate trusted people, organisations or the systems they use. As well as using email, scammers also try to phish for information over the telephone or via text messages.
Staff handling payroll or accounts need to be particularly vigilant about these more sophisticated email phishing attacks and telephone scams.
To help protect your school from phishing email scams, we recommend you do the following:
- Consider whether the email was expected and check the sender’s details carefully, looking at the whole email address. For example, if you normally receive emails from a colleague at firstname.lastname@example.org and you have now received an email from email@example.com asking to perform an urgent action, then you need to notice that the email’s domain (that’s the bit after the ‘@’ symbol) is different, and that the email is suspicious.
- Treat with suspicion emails asking recipients to: click links, open attachments, enter passwords, make payments, change or enter bank account details, or any unusual requests.
- Even if the sender looks familiar, treat with suspicion emails pressuring recipients to perform any of the above actions urgently. An unusual email from a known sender might be a sign their email has been compromised.
- If in doubt, confirm the sender of the email by phoning them. If possible, use a number you already have for that person or organisation. Don’t rely on phone numbers given in the email.
- Always send emails to the school community from an email address that is associated with the school's domain name.
- Do not send password information (eg for parent portals) via email.
- Do not disclose any information over the telephone without first confirming the callers identity, and that the caller is entitled to receive the information.
- Always ensure that you call a sender directly to verify the legitimacy of an email asking you to change their bank account details for payment.
Further guidance on protecting your school from phishing attacks is available from CERT NZ(external link).
What else can your school do?
Cyber security is a challenge facing the entire education sector. Other steps you can take to reduce the risk include:
- Getting your staff to use two-factor authentication (2FA) when signing into school systems.
- Making sure staff know what to do if they have a cyber security incident.
- Checking that your school website is not disclosing any personally identifiable information that could be used by scammers.
- Making sure payroll, accounts, and leadership staff review what personal information they are disclosing publicly on social media and adjust their privacy settings if required.
More information and assistance
See what Network for Learning (N4L)(external link) can do to help you manage network safety and security.
Netsafe Schools(external link) is a free programme designed to help New Zealand schools and kura establish, develop and promote online safety, citizenship and wellbeing in their school community.
Our website has a digital technology safe use guide for schools.
State and state-integrated schools have access to funded Microsoft Defender for Endpoint (anti-virus) protection. For assistance with Ministry funded software contact the ICT Help Desk for schools: Phone 0800 225 542 or email firstname.lastname@example.org.
For further help strengthening your school’s cyber security, including advice for reporting cyber security incidents, visit the keeping your school network safe(external link) guide on the Computer Emergency Response Team (CERT) NZ website.
If you are a larger school with more complex IT systems, there may be a wider range of information and cyber security risks for you to consider.
If you have an incident or need support contact:
- Netsafe(external link)
on 0508 NETSAFE (0508 638723) or email email@example.com.
- CERT NZ(external link)
or call 0800 CERT NZ (0800 237 869).
Last reviewed: Has this been useful? Give us your feedback