NZAI Security
NZ Context

What the latest NZ cyber security reports say about schools right now

The government's latest threat report is dense with government-speak — here's what actually matters for New Zealand school leaders and classroom teachers.

By Feroze Ashraff
A school server room with blinking status lights — representing the cyber infrastructure protecting New Zealand schools from rising digital threats

Why this matters for schools

New Zealand schools are increasingly in the crosshairs. The government’s National Cyber Security Centre (NCSC) published its latest threat report in April 2026, and while the full document runs to 60 pages of qualified language, the practical message for schools is straightforward: the threat is real, it’s rising, and most schools are underprepared. [1]

The key findings that should matter to you:

Ransomware attacks on the education sector increased by 34% year on year. Most of these targeted administrative systems — student management platforms, learning management systems, financial records. Not the classroom laptop a student left in their bag. [1]

Phishing campaigns are becoming more tailored. It’s no longer bulk Nigerian-prince emails. Attackers are researching school staff, understanding school term calendars, and sending messages that look like they come from the principal, the Ministry, or a trusted vendor. A teacher in Northland received an email that precisely matched her school’s internal language about a non-existent overdue invoice. [1]

The biggest vulnerability is not technical — it’s human. The NCSC notes that the majority of successful attacks start with someone clicking something they shouldn’t have. Not because teachers are careless, but because the attacks are genuinely well-crafted. [1]

What this means for your school

The short version: your school does not need to become a cyber security firm. It needs to get the basics right, consistently.

That means:

  1. Two-factor authentication on everything that touches student or staff data — Not optional, not a nice-to-have. If your school uses Google Workspace for Education or Microsoft 365, both have built-in 2FA options. Turn them on.

  2. Password policy that prioritises length over complexity. The old advice of mixing numbers, symbols, and uppercase has been superseded. A passphrase — a sentence, essentially — is both easier to remember and harder to crack. “Mydogspotwashisdog” is stronger than “Tr0ub4dor!”

  3. A clear, simple process for what happens when someone clicks something they shouldn’t. The worst outcome is someone realising they clicked a bad link and keeping quiet because they’re embarrassed. Every minute of delay after a potential compromise matters.

  4. Regular backups that are actually tested. Many schools have backups configured. Fewer have ever verified that the backups actually restore properly. Test yours.

Where to go for help

The NCSC runs a free advisory service for public sector and non-profit organisations including schools. Their website has a practical school-specific guide, and they run webinars tailored to education sector IT managers.

If your school is part of a kura or a kāhui ako, talk to your shared IT support team — the security baseline for the group should be shared, not siloed.

What to take away from this

  • Ransomware targeting the education sector is rising — 34% year on year — and administrative systems are the primary target, not classroom devices
  • Phishing is getting more personalised — attackers research staff and mimic internal language, so no one is “too careful” to be caught
  • The single biggest vulnerability in any school is a human who clicked something they shouldn’t have — and that person will usually stay quiet out of embarrassment
  • Two-factor authentication on Google Workspace for Education or Microsoft 365 is the single highest-impact thing your school can do this week
  • The goal is not perfect security — it’s being less easy to compromise than the school down the road
  • When in doubt: open a new browser tab and navigate directly to the service an email is asking you to act on — never use a link in an unsolicited message to access sensitive accounts. For a practical starting point on passwords and authentication, see our Passwords, Passphrases and MFA guide.

Sources and references

[1] New Zealand. National Cyber Security Centre. (2026). Cyber Threat Report 2026. https://www.ncsc.govt.nz/

[2] New Zealand. National Cyber Security Centre. Resources for schools and kura. https://www.ncsc.govt.nz/resources/

Advertisement disclosure: This page may display relevant advertisements. Ad placements are clearly identified and do not influence NZAI Security's editorial decisions. See our full disclosure policy.