Globally, the education sector is one of the most targeted sectors for cyber attacks – and New Zealand is no different. Schools and kura hold sensitive student, staff and financial information that attackers would like to expose for their own benefit.
In addition, there’s an emotive factor at play with schools. Compromising students’ ability to learn would raise discomfort for most parents. If schools are locked out of their systems or devices for a lengthy period of time, this quickly starts to disrupt student learning. This provides a rather emotive bargaining chip that attackers would aim to exploit.
Technology like Microsoft Teams, Zoom meetings and cloud file sharing offers exciting learning opportunities for rangatahi that prepare them well for a digital world. So ever-present are these tools that they now form part of an expected education offering for students. Also, increasingly connected learning environments between school and home, alongside schools providing more access to laptops and cloud apps to support learning, mean that there are ongoing challenges for how to provide these services in a secured way.
To maximise efforts to shore up your school’s defences against cyber threats, it’s key to do the basics well. Knowing your level of risk within your school’s digital environment is a fundamental step to get right, so you can then start to mitigate risk.
Audit your environment
Hardware: How many computers and devices does your school/kura own and where are they? Do you have your own server? How many TVs, tablets and smartphones do you have? Do you have VOIP desk phones that rely on your network?
Software: Internal software that you may host or have installed on your devices (for example, some student management systems), and external software that’s hosted in the cloud (like Xero, Educa or Google Workspace).
Data: Identify the data you hold or have access to, including:
- Personal staff and student information;
- Medical information;
- Financial information; and
- Lesson plans, reports.
Identify potential risks and impacts
For the datasets you’ve identified, consider what implications there may be if this information was:
- Wiped, accidentally deleted or lost forever – do you have back-ups? Would there be financial or operational implications?
- Stolen, leaked or accessed by someone who isn’t authorised to see it – could information about custody or protection orders be exposed? Bank account details? Private health information like mental health conditions, or a history of sexual assault or other trauma?
- Locked down and you couldn’t access it, either because of a cyber incident or an accident or natural disaster – could the school keep running? Who would be affected and how?
You may want to categorise the type of risk, for example:
- Operational risks – losing access would affect day-to-day operations;
- Financial risks – financial information could be lost or stolen, or this system or data would be costly to replace;
- Confidentiality risks – private or personal information could be lost or exposed; and
- Integrity risks – data that could be at risk of being changed, like test results or reports.
Evaluate your school’s current level of risk
To determine your level of risk, look at who has access to your systems and data and how they have access. What policies and protections do you already have in place? You might want to consider basing levels of access in your school around time of day and the least amount of privilege required. For example, there might be some systems that only need to be accessed during certain hours of the day. Also consider the least amount of privilege staff and students need to access the data and information they require.
Prioritise and make a plan
Unfortunately, cyber security risks can’t be eliminated as there are always new and emerging online security threats, along with the human element of users interacting with technology. Taking charge of digital security is like taking charge of health and safety. It’s not a ‘one and done’ scenario.
Overall, it pays to take a proactive approach with cyber security. Digital security is an ongoing effort to manage new risks as they emerge. Knowing your digital environment to then mitigate risks will form a key foundation of your digital security strategy.
Look through all the information you’ve gathered and prioritise your areas of risk. It might seem like there’s a lot to do – or a few key areas to tackle might immediately jump out at you. Start with your top priority areas and remember you can build gradually on most of these recommendations over time.
Article supplied by the Ministry of Education’s Cyber Security in School team.
For more information and to create a digital security strategy go to education.govt.nz/school/digital-technology/ict-risk-management/complete-a-cyber-security-risk-assessment-for-your-school/
Cyber security training and webinars
The Ministry is developing dedicated cyber security advice and recommendations. To help your school configure your technology and get the most out of the security products available to you, it has worked with Google and Microsoft to develop a series of webinars and online training for keeping up to date with the latest technology changes.
The subjects of the webinars include ‘Identity and authentication’, ‘File security’, ‘Mail, calendar and contacts’, ‘Protect cloud apps’, ‘Detect risky users’ and more. These are available at education.govt.nz/school/digital-technology/ict-risk-management/cyber-security-in-schools-training/
INTERFACE Magazine August 2022