Complete a cyber security risk assessment for your school

To understand your kura or school's level of risk, you need to identify the systems and data you need to protect, who has access to them, and what your current policies are.

1. Audit your environment


Systems are all the technology used at your school or kura by students, teaching staff, and in the office.

Start by identifying:

  • the hardware you use – your devices. How many computers does your school or kura own and where are they? Do you have your own server? How many TVs, tablets and smartphones do you have? Do you have VOIP desk phones that rely on your network?
  • the software you use, such as:
    • internal software that you may host or have installed on your devices (for example, some student management systems)
    • external software that's hosted in the cloud (for example, Google Workspace, Educa or Xero).


Next, identify all the kinds of data you hold or access to keep your school or kura running.

For example:

  • personal records for students and staff
  • medical histories, vaccination records and healthcare plans
  • financial information for staff or parents
  • financial records for the school or kura
  • student records
  • classwork, lesson plans, reports, school policies and procedures.

Which of the systems above holds each of these pieces of data?

2. Identify potential risks and impacts

For each kind of data you identified above, what would happen if this information was:

  • wiped, accidentally deleted or lost forever – do you have back-ups? Would there be financial or operational implications?
  • stolen, leaked or accessed by someone who isn't authorised to see it – could information about custody or protection orders be exposed? Bank account details? Private health information like mental health conditions, or a history of sexual assault or other trauma?
  • locked down and you couldn't access it, either because of a cyber incident or an accident or natural disaster – could the school or kura keep running? Who would be affected and how?

You may want to categorise the type of risk, for example:

  • operational risks – losing access would affect day-to-day operations of the school or kura
  • financial risks – financial information could be lost or stolen, or the system or data would be costly to replace
  • confidentiality risks – private or personal information could be lost or exposed
  • integrity risks – data could be changed, like test results or school and kura reports.

3. Evaluate your current level of risk

To determine your level of risk, look at who has access to your systems and data and how they have access. What policies and protections do you already have in place?


Who has access currently?

Identify which systems and data:

  • teaching and office staff have access to
  • students and/or caregivers can access
  • third party providers supply, manage or can access.

You should also make sure you know who has administrator access (the ability to set up new software and devices or add users). Some schools will have a dedicated IT person or outsource this to an IT company. In smaller schools, this may be a teacher or member of the office staff.

How are your systems and data accessed?

What can be accessed:

  • via an individual password the user chooses
  • via an individual password the school sets
  • via a shared password
  • via a password with two-factor authentication or through a password manager
  • by anyone on the school network
  • remotely or through staff or students' own devices?


What policies does your school or kura already have in place around:

  • remote access and BYOD (bring your own device)
  • creating and managing passwords
  • adding software or apps to school devices
  • updating software and apps
  • backing up information?

If your school or kura doesn't have a cyber security policy, work with the board of trustees to complete a risk assessment and develop a policy. If you do have a policy, is it being used? Is it up to date and following the latest best practice?


What security measures does the school or kura already have in place? Do you have:

  • a password manager or two-factor authentication – who uses these and when?
  • antivirus software – on which devices, and who is responsible for updating it?
  • automatic back-ups of key data – how often do the back-ups run? Where are they stored?
  • email filtering for spam or swear words
  • a filter to block students from accessing porn or other inappropriate content on the school network?

4. Prioritise and make a plan

Look through all the information you've gathered and prioritise your areas of risk.

It might seem like there's a lot to do – or a few key areas to tackle might immediately jump out at you.

Next steps

Follow our recommendations in the other sections of this website. Start with your top priority areas and remember you can build on most of these recommendations over time.
