Common cyber threats to schools and kura
These common cyber security threats can put your school/kura at risk. You could be locked out of your systems and devices, or have confidential data lost, stolen or sold.
Why cyber security matters to schools and kura
Cyber attacks affect schools in New Zealand every day.
These attacks are becoming more sophisticated all the time – and less discerning about their targets. The attacker's aim is usually to try and get as much sensitive information as they can by any means possible.
You might wonder what your school/kura would have that's worth hacking your systems to steal, but remember that all schools hold:
- private personal information about students, their families, their health and their educational achievements
- financial information
- passwords that might be reused elsewhere
- files and records for teachers, staff, and students.
The most common types of threat
Here are some of the most common cyber risks schools might face.
Phishing is when someone uses an email or phone call to try and get access to sensitive information (like bank account numbers and passwords). Phishing scammers will claim to be from a legitimate organisation, and often have email addresses or websites that look very real. They'll often ask you to claim a prize, check your details, or tell you that your account is expiring or needs to be checked.
Denial of service (DoS or DDoS) attacks
When a website is under a DoS attack, it will look like it's 'down' or unavailable. The attack works by overwhelming the website's servers with multiple requests for access until the server becomes overloaded and goes down. DoS attacks are much more likely to happen to an organisation than to an individual.
A data leak is when sensitive information is accidentally or deliberately copied, viewed, sent or stolen. Whenever data or information is available online it's at risk of a data leak – that's why it's so important to configure how your school/kura's data can be accessed and by whom.
If you think you've had a data leak, talk to the Office of the Privacy Commissioner about what to do next.
Ransomware is a type of malicious software that hackers or criminals put into your system – often through a phishing scam. The malware encrypts your data so no-one can access it, until you pay a fee or ransom to get it back. Anyone can be affected by ransomware, from individuals up to large organisations.
Software vulnerabilities are unintended weaknesses in a computer system. They are often identified when someone finds that a piece of code in the software can do something more than was originally intended, such as giving users more access to the system. Once software companies are told about a vulnerability, they usually fix the code quickly and then share the fix through a software update (sometimes known as a patch).
Vulnerable devices are devices that haven't been secured in some way. They may not have had:
- your school or kura’s security policies applied
- user access limited (for example, any user has full admin access to the device)
- anti-virus software installed
- security settings added (such as a password to lock the computer), or
- software updates applied, so the software is out of date.
Human error is when a computer breach or attack occurs because of a mistake by a staff member or student. This could be emailing a spreadsheet to the wrong person, forgetting to make a folder private rather than public, or being tricked by a sophisticated phishing attempt.
What we're doing to help
The Ministry is developing dedicated cyber security advice and recommendations for schools and kura.
We recommend you make the most out of the security features available in your Google and Microsoft software. We've created a series of webinars with Google and Microsoft to help schools and kura implement cyber security measures.
Past webinars are available on the cyber security training page.
To get more tips and information about upcoming webinars, subscribe to our newsletter.