Cyber Safety Basics for New Zealand Educators
A practical educator-facing guide to safer school accounts, devices, sharing habits, privacy checks, and early incident response.
Quick answer
Educator cyber safety comes down to protecting school accounts, securing devices, handling student data carefully, and responding early when something looks wrong. You do not need to be an IT specialist to reduce risk, but you do need reliable habits around email, passwords, privacy, and reporting.
For New Zealand educators, the context includes the Privacy Act 2020, obligations under the Education and Training Act 2020, and the guidance from the National Cyber Security Centre. These are not abstract compliance concerns — they describe the baseline for what responsible school digital practice looks like (2)(3)(4).
This guide covers the practical side of that for educators who are not IT specialists but who want to reduce their exposure to common digital risks.
Why educator accounts are a high-value target
A school email account is often connected to everything: student information, learning platforms, admin systems, file storage, and communication channels. That makes it valuable. If an attacker gains access to a teacher’s school email, they may be able to:
- access student records and personal information
- use the account to send convincing phishing messages to colleagues, parents, or students
- reset passwords on other connected services
- access shared school files and documents
This is why account security — particularly using strong unique passwords and multi-factor authentication — is not optional for educators. It is part of your professional responsibility.
Core account security habits
The most impactful habits are also the simplest to maintain once you have them in place.
Use a strong, unique password for your school account
Do not reuse your school password on any other service. If one service is breached and your password is exposed, a reused password allows immediate access to your school account too. Use a passphrase — a sequence of random words — or use your school’s password manager if one is provided (5).
Enable multi-factor authentication on all accounts that support it
MFA significantly reduces the risk of account compromise even if your password is exposed. Every authentication prompt adds a layer — even if the attacker has your password, they still need your second factor. Configure this on your school email, any platform you use for student data, and your device management accounts (5).
For a practical guide on what this looks like in plain language, see Passwords, passphrases, and MFA: a simple guide.
Use a separate work profile for school tasks on shared devices
If you use a personal device for school work — or a school device for personal tasks — set up separate profiles or accounts so the two are not mixed. This prevents personal account compromises from affecting school data and vice versa.
Device security in practice
The device you use for school work should have:
- full-disk encryption enabled (most modern devices support this in settings)
- automatic screen lock after a short period of inactivity — set it to lock after 2–3 minutes of no use
- the operating system updated automatically — delays in applying updates leave known vulnerabilities open
- antivirus or endpoint protection if the device runs Windows
When using school devices, avoid connecting personal storage devices or logging into personal accounts that are not needed for the task. Each additional account or connection point is a potential exposure.
Handling student data safely
Student data deserves specific care. In most schools, this means:
- only accessing the student information you need for your specific role
- not downloading student data to personal devices or unencrypted storage
- using school-approved platforms for any communication that involves student details
- not sharing student information via personal email or messaging apps, even if the recipient is a colleague you know well
If you are unsure whether a specific action is appropriate, ask your school’s designated privacy officer or leadership team. It is always better to check than to assume.
For the privacy-specific guide, see Privacy checks for school tools and student data.
Phishing awareness for educators
Educators receive a wide range of messages that can look legitimate but are not. The same patterns that apply to general phishing awareness — checking sender addresses, not clicking unexpected links, never entering passwords via a link — are especially important in the school context because:
- educators are connected to student records and admin systems
- school communication culture is collaborative, which can make it easier to impersonate a colleague
- attackers know that educators often use the same platforms (Google Workspace, Microsoft 365) so fake login pages are credible
If you receive a message that feels out of context — especially one that asks you to act quickly, verify your account, or open an attachment you were not expecting — pause and check before clicking.
For a full guide to spotting these messages, see How to Spot Phishing Emails, Scams, and Fake Messages.
What to do when something goes wrong
If you think your school account has been compromised:
- Change your password immediately from a trusted device.
- Enable or verify multi-factor authentication is active.
- Check the account’s recent activity for anything you do not recognise.
- Notify your school’s IT support or leadership — do not wait to see if it gets worse.
- If student data may have been accessed, the school may have notification obligations under the Privacy Act 2020 (4).
If a student has been targeted or affected by a cyber incident at school:
- Document what you know — do not dismiss it as a one-off.
- Report it through your school’s normal channel for student safety incidents.
- If it is a criminal matter — such as image-based abuse, online harassment, or extortion — contact Police and the Netsafe helpline (6).
Professional development habits
Cyber safety literacy is not a one-time training. Threats evolve, and the most reliable educators are those who build ongoing habits:
- When a new platform or tool is introduced at your school, ask about its privacy and security implications before adopting it
- Revisit your account security settings every six months — add new layers where available
- If you are unsure about a message, link, or request, check with your IT team or a colleague before acting
Knowledge check
Sources and references
[1] New Zealand. National Cyber Security Centre. (2025). Cyber security guidance for schools. https://www.ncsc.govt.nz
[2] New Zealand. Office of the Privacy Commissioner. (2025). Privacy tools for agencies. https://www.privacy.org.nz/responsibilities/privacy-tools-for-agencies/
[3] New Zealand. Office of the Privacy Commissioner. (2025). Children’s Privacy Project. https://www.privacy.org.nz/focus-areas/children-and-young-people-policy-project/
[4] New Zealand. Parliament. (2020). Privacy Act 2020. https://www.legislation.govt.nz/act/public/2020/0031/latest/whole.html
[5] National Cyber Security Centre UK. (2023). Password managers. https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/password-managers
[6] Netsafe New Zealand. (2025). Education. https://netsafe.org.nz/our-work/education
What to do next
- Set up or review your account security with Passwords, passphrases, and MFA: a simple guide.
- Review your school tool privacy obligations with Privacy checks for school tools and student data.
- Use How to Spot Phishing Emails, Scams, and Fake Messages as your practical phishing reference.
- Follow the full educator pathway at For Educators.