A living, breathing community classroom in Queenstown
1 June 2023

Young conservationists at Shotover Primary School are doing their part to restore the regionally significant Shotover Wetland,
Schools are encouraged to take steps to protect themselves from cyber attacks and breaches.
The business manager of a Wellington high school says the cyber criminals involved in a recent breach of the school’s systems knew what they were doing.
“We suspect it was a team, and they went to great lengths to cover their tracks,” he says.
Fortunately, the school was well equipped to deal with the breach, although the business manager – who doesn’t want himself or the school to be identified – says they have learned a lot from the experience.
Unfortunately, such attacks against New Zealand schools are becoming more frequent, causing in some cases, data loss and significant disruption.
One type of cyber attack with particularly severe impacts is ransomware, a type of malware (malicious software) that encrypts and locks out access to computer systems and can result in the stolen information being dumped publicly or shared among cyber criminals.
The good news is there are practical cyber security measures that can be taken to help protect schools from cyber attacks like this.
When applying these measures, schools must discuss them with their ICT providers or in-house IT staff and ensure that ‘cyber security risk’ is on the school leadership agenda since it presents a material risk to the whole school.
While there are a broad range of strategies that can strengthen cyber security and significantly reduce the risk and impact of cyber security threats like ransomware, practical measures start with ensuring that:
The business manager of the school that recently suffered the cyber-attack has urged other schools to take these measures to mitigate the risk of a cyber-attack and minimise the time to recover in the event of a breach.
Additionally, he particularly urges schools to take out cyber security insurance. He also suggests introducing a two-factor authentication of Google or Microsoft accounts for new device log-ins. And he urges schools to have a strategy in place to mitigate the risk for BYOD devices from home that might have bugs, as this can be a common way for viruses to infiltrate the school network.
Taking regular backups of important data and storing them securely and separately away from the school network is of utmost importance. Having clean backups of important information, software, and configuration settings allows schools to be able to recover more quickly and minimise the disruption and data loss that can result from cyber-attacks. It is good practice with backups to ensure that:
It is also critical that the partial restoration of backups is tested annually, and full restoration of backups is tested at least once. Having assurance that clean backups can be restored means that even in a worst case scenario the disruption to learning, teaching, and school business can be minimised.
Security updates
Ensuring that software is updated with the latest security updates (patches) helps reduce the risk of that a school’s ICT systems will be compromised by a cyber-attack. This is because unpatched or unsupported software that has known security flaws are a popular target for cyber criminals intending to launch a cyber-attack. In particular it is recommended that:
Some software vendors e.g. Microsoft, release security updates monthly, while other software vendors will release security updates on a different cycle or when new vulnerabilities are discovered. Regardless of the pattern of security updates, it is important that any software used on a school’s Network has the latest security updates.
Phishing email scams
Ensuring that both staff and the school community are aware and vigilant about email scams and phishing attacks, this can help prevent serious cyber-attacks. Phishing emails are a type of email scam where the sender tries to trick the recipient into giving away information, installing malware, or getting unauthorised access to systems to steal data or for financial gain. Being successfully ‘phished’ can in some cases also trigger the start of a ransomware attack.
These phishing emails are becoming more sophisticated. Increasingly scammers will use ‘spear phishing’ tactics where the scammer will first gather whatever information they can about their chosen target to make their emails more personalised and convincing. Often these scammers will also try to impersonate trusted people, organisations or the systems they use. Staff handling payroll or payments need to be particularly vigilant about these more sophisticated phishing attacks because payroll and accounts staff are a popular target for some phishing scams.
Protecting against phishing scams is about awareness and knowing the warning signs that an email could be a phishing attempt. To help protect from phishing email scams it is recommend that staff and the school community:
While email spam filtering will remove many harmful emails before they get into inboxes, there will always be some emails that slip through and these are the emails that school staff and people in the school community need to be vigilant about.
Other steps schools can take to reduce the risk of cyber-attack include:
If you are a larger school with more complex IT systems, there may be a wider range of information and cyber security risks for you to consider.
Schools that discover a cyber attack or are facing a cyber security incident or need support should contact Netsafe (external link)on 0508 NETSAFE (0508 638723) or email help@netsafe.org.nz and CERT NZ (external link)or call 0800 CERT NZ (0800 237 869).
BY Education Gazette editors
Education Gazette | Tukutuku Kōrero, reporter@edgazette.govt.nz
Posted: 3:15 pm, 25 March 2020
1 June 2023
Young conservationists at Shotover Primary School are doing their part to restore the regionally significant Shotover Wetland,
1 June 2023
The challenges of maintaining engagement in learning are exacerbated when students span a remote rural area of the motu.
1 June 2023
A whakawhanaungatanga approach between primary and secondary schools in Te Whanganui-a-Tara Wellington is tackling attendance downturns