New Zealand educator reviewing school account security and phishing alerts on a laptop

Quick answer

Secure school accounts with unique passwords and MFA, treat phishing as a routine operational risk, and protect student data as carefully as you protect your own access. For educators, the fastest wins are stronger sign-ins, calmer message handling, and earlier reporting.

For educators, cyber security is part of professional practice. School systems, staff email, learning platforms, and student records all create opportunities for mistakes or compromise if the basics are handled casually.

This guide is for New Zealand educators who want a strong everyday foundation for safer accounts, devices, communications, and student-data handling.

Why educators are a high-value target

School accounts are useful to attackers because they can open the door to:

  • student and family information
  • internal communications
  • shared documents and cloud platforms
  • fake messages sent from a trusted account
  • access to connected services through password resets

A compromised educator account can become an operational problem for a whole school, not just one person.

Protect school accounts properly

The most important controls are still the basics:

  • use a strong, unique password or passphrase for your school account
  • never reuse that password on any non-school service
  • enable multi-factor authentication wherever it is available
  • review recovery settings and active sessions periodically
  • do not leave school accounts signed in on shared or family devices

A school email account often connects to much more than email. Treat it accordingly.

For the full login-focused guide, use Passwords, passphrases, and MFA: a simple guide.

Keep staff devices and shared devices tidy

A lot of cyber risk comes from ordinary device habits rather than sophisticated attacks.

Useful baseline habits include:

  • enabling automatic operating system updates
  • using full-disk encryption where supported
  • locking screens when stepping away
  • avoiding personal browsing or random downloads on school devices
  • limiting browser-saved passwords on shared equipment
  • checking that endpoint protection or antivirus is active where relevant

If you use a personal device for work, separate work and personal use as much as possible. Mixing everything together increases the chance that a personal compromise spills into school work.

Phishing remains one of the biggest day-to-day risks

Educators receive urgent-looking messages all the time: parent communication, shared documents, invoices, platform alerts, and internal notices. That makes phishing easier to disguise.

Common warning signs:

  • messages that create urgency around passwords or accounts
  • links to login pages you were not expecting
  • unusual requests from a colleague or leader
  • attachments that arrive without context
  • small spelling or domain differences in the sender address

If a message tries to rush you into logging in, paying, downloading, or sharing information, pause before acting.

For the detailed breakdown, use How to Spot Phishing Emails, Scams, and Fake Messages.

Student data deserves extra care

Cyber security in education is not just about protecting yourself. It is also about protecting information that belongs to students and families.

Safer handling habits include:

  • only accessing the information you need for your role
  • avoiding downloads of student data to personal devices unless clearly authorised
  • using school-approved systems for communication and file sharing
  • not forwarding sensitive information through personal email or messaging apps
  • pausing before uploading school or student material into third-party tools

For the privacy-specific side of this, use Privacy in Education — What Teachers and Students Should Check.

A school IT coordinator reviewing a cybersecurity checklist on a laptop — cyber security for New Zealand educators.

Cyber security and AI use now overlap

AI tools are now part of the educator cyber picture because they can involve account sign-ins, third-party data handling, and unreviewed outputs.

That means cyber-safe practice now also includes:

  • checking whether an AI tool is approved before using it with school content
  • not pasting student-identifiable information into casual AI systems
  • verifying AI-generated material before using it in class

For the fuller AI-specific guide, use AI Safety for New Zealand Educators.

Know your first-response steps

If you think something has gone wrong, early action matters.

If you suspect an educator account has been compromised:

  1. change the password from a trusted device
  2. confirm MFA is active
  3. review recent account activity
  4. sign out of other sessions where possible
  5. notify the appropriate school IT or leadership contact
  6. document what may have been accessed or sent

If student data may have been exposed, the school may need to assess whether there are privacy breach obligations under New Zealand law (1)(2).

Build habits, not just awareness

The most reliable protection comes from repeatable habits:

  • checking unusual requests through a second channel
  • reviewing account security every few months
  • asking questions before adopting new tools
  • reporting concerns early instead of waiting to see if they get worse
  • treating digital hygiene as part of professional responsibility

A practical educator cyber checklist

Is my school password unique?
Is MFA enabled on important school systems?
Are my work devices updated and locked properly?
Do I pause before clicking unexpected login links or attachments?
Am I handling student information only through appropriate systems?
Do I know who to notify if something goes wrong?

Knowledge check

Q1 You receive a shared-document email from a senior staff member, but the message feels slightly off and asks you to log in again. What is the safest first step? tap to flip
Answer: Do not use the link in the email. Verify the request through another channel you already trust, such as a direct message, phone call, or a known bookmark to the real service. Phishing often relies on urgency and familiarity.
Q2 Why is reusing your school password on another website risky even if that site seems harmless? tap to flip
Answer: If the other site is breached, attackers may try the same password on email and school systems. That means a compromise elsewhere can become a school-security problem very quickly.
Q3 You want to upload student work to a new AI tool to speed up marking feedback. What should you check first? tap to flip
Answer: Check whether the tool is approved, how it stores and uses uploaded data, whether prompts or files are used for training, and whether the school has evaluated the privacy risk. Student information should not be uploaded casually to third-party systems.

Sources and references

[1] New Zealand. Office of the Privacy Commissioner. (2025). Privacy tools for agencies. https://www.privacy.org.nz/responsibilities/privacy-tools-for-agencies/

[2] New Zealand. Parliament. (2020). Privacy Act 2020. https://www.legislation.govt.nz/act/public/2020/0031/latest/whole.html

[3] Netsafe New Zealand. (2025). Education. https://netsafe.org.nz/our-work/education

[4] National Cyber Security Centre UK. (2023). Password managers. https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/password-managers

What to do next