Protect your school from cyber-attacks and cyber security breaches
Cyber-attacks are becoming more frequent and can affect anyone, not just large organisations and businesses. The education sector is not immune to these threats, and New Zealand schools have already been severely affected.
A successful cyber-attack can result in the permanent loss, or the public exposure, of important or sensitive information, as well as ongoing disruption to school business while you recover.
Here are some actions your school can take to strengthen its cyber security and reduce its risk:
- Back up important data from your school network regularly.
- Make sure your staff and school community are aware of, and vigilant about, phishing emails and telephone scams.
- Update your software and devices as soon as patches become available.
- Install antivirus software on your devices.
- Only use a secure connection to access your school’s network remotely.
Backing up your school’s important data
- Back up important information, software, and configuration settings at least monthly. (Plan to move to backing up important information daily.)
- Retain backups for at least one month. (Plan to start retaining backups for at least three months.)
- Store backups securely and separately from your school network, either offline or online in the cloud in a form that cannot be erased or altered, so that an attacker who gets into the network (or ransomware running on it) cannot destroy the backups as well. Schools using Apple, Google or Microsoft services should consult the support documentation provided for Apple Education, G Suite, OneDrive, and SharePoint respectively. It is also strongly recommended that you use an off-site backup solution that is completely separated from your network.
- Test at least annually that you can partially or fully restore from your backups. (Discuss this with your ICT provider.) A backup that has never been restored is an untested assumption, not a recovery plan.
- Make sure important data that is stored locally on laptops or memory sticks is also stored on your network and included in your backup regime.
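The backup regime above (regular dated backups, a retention window, and a periodic restore test) can be scripted. The following is an added example written for this page, not a tool supplied by the Ministry or N4L: it writes a dated archive of a folder, prunes archives older than an assumed 90-day retention window (the "at least three months" target), then restores the latest archive into a scratch directory and compares every file's SHA-256 hash against the live copy. The sample folder, its files and the backup dates are all constructed inline so the script runs offline; it does not address where the archive is stored, which for a real school must be off the network.

```python
"""Dated backups with retention pruning and a restore test (added example)."""
import hashlib
import os
import shutil
import tarfile
import tempfile
from datetime import date, timedelta

RETENTION_DAYS = 90  # assumed: "at least three months" from the guidance


def file_digests(root):
    """Map relative path -> sha256 hex digest for every file under root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def create_backup(source_dir, backup_dir, when):
    """Write backup_dir/backup-YYYY-MM-DD.tar.gz containing every file under source_dir."""
    os.makedirs(backup_dir, exist_ok=True)
    path = os.path.join(backup_dir, "backup-%s.tar.gz" % when.isoformat())
    with tarfile.open(path, "w:gz") as tar:
        for dirpath, _, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(dirpath, name)
                tar.add(full, arcname=os.path.relpath(full, source_dir))
    return path


def prune_backups(backup_dir, today, retention_days=RETENTION_DAYS):
    """Delete archives dated before the retention cutoff; return the names removed."""
    cutoff = today - timedelta(days=retention_days)
    removed = []
    for name in sorted(os.listdir(backup_dir)):
        if not (name.startswith("backup-") and name.endswith(".tar.gz")):
            continue  # ignore anything that is not one of our dated archives
        stamp = date.fromisoformat(name[len("backup-"):-len(".tar.gz")])
        if stamp < cutoff:
            os.remove(os.path.join(backup_dir, name))
            removed.append(name)
    return removed


def verify_restore(archive, expected_digests):
    """Restore the archive into a scratch directory and check every file hash matches."""
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch)  # archive we wrote ourselves; paths are relative
        return file_digests(scratch) == expected_digests
    finally:
        shutil.rmtree(scratch)


def run_demo():
    """Build a constructed sample folder, simulate a monthly regime, prune and verify."""
    work = tempfile.mkdtemp(prefix="school-backup-")
    try:
        src = os.path.join(work, "shared-drive")
        os.makedirs(os.path.join(src, "roll"))
        # Constructed sample data standing in for school records.
        with open(os.path.join(src, "roll", "students.csv"), "w") as fh:
            fh.write("id,name\n1,Sample Student\n")
        with open(os.path.join(src, "policies.txt"), "w") as fh:
            fh.write("Acceptable use policy v3\n")

        backups = os.path.join(work, "backups")
        today = date(2024, 6, 1)  # assumed "today" so the dates are reproducible
        latest = None
        for age in (120, 90, 60, 30, 0):  # archives from 120 days ago up to today
            latest = create_backup(src, backups, today - timedelta(days=age))

        removed = prune_backups(backups, today)          # drops the 120-day-old archive
        restore_ok = verify_restore(latest, file_digests(src))
        return {"removed": removed, "kept": sorted(os.listdir(backups)), "restore_ok": restore_ok}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(run_demo())
```

With the assumed dates, the archive from 120 days ago (2024-02-02) falls outside the 90-day window and is removed, the four newer archives are kept, and the restore test passes. In a real deployment the restore test should be run against a copy fetched from the off-site location, not the archive still sitting on the server that wrote it.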
Be aware of phishing emails and telephone scams
You need to ensure your staff and school community are aware of, and vigilant about, email phishing and telephone scams. Phishing emails are a type of email scam in which the sender tries to trick you into giving away information, installing malware, or giving them access to your systems, in order to steal data or for financial gain. Successful phishing campaigns have resulted in schools being locked out of their systems and unable to recover their own data.
Phishing emails are becoming more sophisticated. Increasingly, scammers use ‘spear phishing’ tactics: they first gather whatever information they can about their chosen target to make their emails more personalised and convincing. Often they also impersonate trusted people, organisations, or the systems the target uses. As well as email, scammers try to phish for information over the telephone or via text messages.
Staff handling payroll or accounts need to be particularly vigilant about these more sophisticated phishing emails and telephone scams, because they are the people who can change bank account details or make payments.
To help protect your school from phishing email scams, we recommend you do the following:
- Consider whether the email was expected, and check the sender’s details carefully, looking at the whole email address. For example, if you normally receive emails from a colleague at email@example.com and you now receive an email from firstname.lastname@example.org asking you to perform an urgent action, you need to notice that the email’s domain (the part after the ‘@’ symbol) is different, and that the email is therefore suspicious. The display name shown next to the address can be set to anything by the sender, so check the address itself, not just the name.
- Treat with suspicion emails asking recipients to click links, open attachments, enter passwords, make payments, change or enter bank account details, or do anything else unusual.
- Even if the sender looks familiar, treat with suspicion emails pressuring recipients to perform any of the above actions urgently. An unusual email from a known sender may be a sign that their email account has been compromised.
- If in doubt, confirm the request with the sender by phoning them. Use a number you already have for that person or organisation; don’t rely on phone numbers given in the email.
- Always send emails to the school community from an email address associated with the school’s domain name, so that the community learns what a genuine school email looks like.
- Do not send password information (e.g. for parent portals) via email.
- Do not disclose any information over the telephone without first confirming the caller’s identity and that the caller is entitled to receive the information.
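The checks in the list above (is the domain the one you expect, is the name impersonating a trusted domain, does the message push urgency or ask for passwords or bank details) can be expressed as a small triage script. The following is an added example for this page, not a Ministry or CERT NZ tool, and it assumes the school’s domain is example.com (the same placeholder the example in the list uses). The four messages it scores are constructed to illustrate the page’s scenarios: a genuine internal email, an email from a different domain with an urgent bank-account change, a display name that claims a trusted domain while the address is elsewhere, and a lookalike domain with one letter swapped.

```python
"""Triage email headers and text for the phishing indicators described above (added example)."""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # assumed school domain

# Cues drawn from the guidance: pressure to act now, and requests for credentials or money.
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "overdue")
REQUEST_WORDS = ("password", "bank account", "payment", "invoice", "click", "attached")


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'external: <domain>' or a 'suspicious: ...' explanation."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return "suspicious: malformed sender"
    domain = addr.rsplit("@", 1)[1]  # the part after the '@'
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if t in name.lower():  # display name says example.com, address does not
            return "suspicious: display name mentions %s but address is %s" % (t, domain)
        if t in domain:  # e.g. example.com.attacker.invalid or mail-example.com
            return "suspicious: domain embeds %s" % t
        if edit_distance(domain, t) <= 2:  # e.g. exarnple.com, examp1e.com
            return "suspicious: lookalike of %s" % t
    return "external: " + domain


def phishing_indicators(raw_message, trusted=TRUSTED_DOMAINS):
    """List the warning signs in one RFC 822 message; an empty list means none were found."""
    msg = message_from_string(raw_message)
    indicators = []
    sender = classify_sender(msg.get("From", ""), trusted)
    if sender != "trusted":
        indicators.append(sender)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != from_addr:  # replies silently routed to a different address
        indicators.append("reply-to differs from sender: " + reply_to)
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    urgency = [w for w in URGENCY_WORDS if w in text]
    requests = [w for w in REQUEST_WORDS if w in text]
    if urgency:
        indicators.append("urgency cue: " + ", ".join(urgency))
    if requests:
        indicators.append("sensitive request: " + ", ".join(requests))
    return indicators


# Constructed sample messages; none are real emails.
SAMPLE_MESSAGES = [
    "From: Jo Bloggs <jo.bloggs@example.com>\nSubject: Staff meeting notes\n\n"
    "Minutes from Monday are on the shared drive.\n",
    "From: Jo Bloggs <jo.bloggs@example.org>\nReply-To: accounts@pay-now.invalid\n"
    "Subject: URGENT: supplier payment\n\n"
    "Please change the bank account for invoice 4471 today.\n",
    'From: "IT Support example.com" <helpdesk@mail-reset.invalid>\nSubject: Password expiring\n\n'
    "Click the link immediately to keep your password.\n",
    "From: Principal <principal@exarnple.com>\nSubject: Quick favour\n\n"
    "Are you at your desk? I need gift cards bought asap.\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(raw.splitlines()[0], "->", phishing_indicators(raw) or ["no indicators"])
```

The second message is the page’s own scenario: the domain differs from the colleague’s usual one, the Reply-To points somewhere else again, and the text combines urgency with a bank-account change. None of these checks replaces phoning the sender on a known number; they are there to make sure the request gets that phone call.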
What else can your school do?
Cyber security is a challenge facing the entire education sector. In addition to implementing backups and making your school community aware of email scams, we recommend that you discuss the following with your school’s tech lead, your board and your ICT provider:
- Ensure the devices and software your school uses always have the latest updates installed. Unpatched software is one of the most common ways attackers get in.
- Install antivirus software on all your devices and keep it up to date.
- Use a secure connection (for example a VPN) to access your school’s network or systems remotely, rather than exposing services directly to the internet. Either your school’s ICT provider or N4L can assist you with this.
Other steps you can take to reduce the risk include:
- Make sure paper records intended for disposal that contain sensitive information are disposed of or destroyed securely.
- Check that your school website is not disclosing any personally identifiable information that could be used by scammers.
- Payroll, accounts, and leadership staff should also review what personal information they are disclosing publicly on social media and adjust their privacy settings if required.
- Always follow your school’s payroll and accounts processes when making changes or updates, such as a change to a staff member’s bank account details, even when the request appears to come from a known person and is marked urgent.
More information and assistance
See what Network for Learning (N4L) can do to help you manage network safety and security.
Netsafe Schools is a free programme designed to help New Zealand schools and kura establish, develop and promote online safety, citizenship and wellbeing in their school community.
Our website has a digital technology safe use guide for schools.
State and state-integrated schools have access to funded software, including Symantec Endpoint Protection (anti-virus). For assistance with Ministry-funded software, contact the ICT Help Desk for schools: phone 0800 225 542 or email email@example.com.
For further help on strengthening your school’s cyber security, including advice on reporting cyber security incidents, see the keeping your school network safe guide on the Computer Emergency Response Team (CERT) NZ website.
If you are a larger school with more complex IT systems, there may be a wider range of information and cyber security risks for you to consider.
If you have an incident or need support, contact:
- Netsafe on 0508 NETSAFE (0508 638 723) or email firstname.lastname@example.org.
- CERT NZ on 0800 CERT NZ (0800 237 869).