A practical educator-facing guide to safer school accounts, devices, sharing habits, privacy checks, and early incident response.

Cyber safety in schools is not primarily about understanding technology. It is about understanding risk and developing habits that reduce the chance of something going wrong through everyday actions — the emails you open, the devices you use, the accounts you maintain, and the way you handle student data (1)(2).

For New Zealand educators, the context includes the Privacy Act 2020, obligations under the Education and Training Act 2020, and the guidance from the National Cyber Security Centre. These are not abstract compliance concerns — they describe the baseline for what responsible school digital practice looks like (2)(3)(4).

This guide covers the practical side of that for educators who are not IT specialists but who want to reduce their exposure to common digital risks.

Why educator accounts are a high-value target

A school email account is often connected to everything: student information, learning platforms, admin systems, file storage, and communication channels. That makes it valuable. If an attacker gains access to a teacher’s school email, they may be able to:

  • access student records and personal information
  • use the account to send convincing phishing messages to colleagues, parents, or students
  • reset passwords on other connected services
  • access shared school files and documents

This is why account security — particularly using strong unique passwords and multi-factor authentication — is not optional for educators. It is part of your professional responsibility.

Core account security habits

The most impactful habits are also the simplest to maintain once you have them in place.

Use a strong, unique password for your school account

Do not reuse your school password on any other service. If one service is breached and your password is exposed, a reused password allows immediate access to your school account too. Use a passphrase — a sequence of random words — or use your school’s password manager if one is provided (5).

Enable multi-factor authentication on all accounts that support it

MFA significantly reduces the risk of account compromise even if your password is exposed. Every authentication prompt adds a layer — even if the attacker has your password, they still need your second factor. Configure this on your school email, any platform you use for student data, and your device management accounts (5).

For a practical guide on what this looks like in plain language, see Passwords, passphrases, and MFA: a simple guide.

Use a separate work profile for school tasks on shared devices

If you use a personal device for school work — or a school device for personal tasks — set up separate profiles or accounts so the two are not mixed. This prevents personal account compromises from affecting school data and vice versa.

Device security in practice

The device you use for school work should have:

  • full-disk encryption enabled (most modern devices support this in settings)
  • automatic screen lock after a short period of inactivity — set it to lock after 2–3 minutes of no use
  • the operating system updated automatically — delays in applying updates leave known vulnerabilities open
  • antivirus or endpoint protection if the device runs Windows

When using school devices, avoid connecting personal storage devices or logging into personal accounts that are not needed for the task. Each additional account or connection point is a potential exposure.

Handling student data safely

Student data deserves specific care. In most schools, this means:

  • only accessing the student information you need for your specific role
  • not downloading student data to personal devices or unencrypted storage
  • using school-approved platforms for any communication that involves student details
  • not sharing student information via personal email or messaging apps, even if the recipient is a colleague you know well

If you are unsure whether a specific action is appropriate, ask your school’s designated privacy officer or leadership team. It is always better to check than to assume.

For the privacy-specific guide, see Privacy checks for school tools and student data.

Phishing awareness for educators

Educators receive a wide range of messages that can look legitimate but are not. The same patterns that apply to general phishing awareness — checking sender addresses, not clicking unexpected links, never entering passwords via a link — are especially important in the school context because:

  • educators are connected to student records and admin systems
  • school communication culture is collaborative, which can make it easier to impersonate a colleague
  • attackers know that educators often use the same platforms (Google Workspace, Microsoft 365), so fake login pages are credible

If you receive a message that feels out of context — especially one that asks you to act quickly, verify your account, or open an attachment you were not expecting — pause and check before clicking.

For a full guide to spotting these messages, see How to Spot Phishing Emails, Scams, and Fake Messages.

What to do when something goes wrong

If you think your school account has been compromised:

  1. Change your password immediately from a trusted device.
  2. Enable multi-factor authentication, or verify that it is still active.
  3. Check the account’s recent activity for anything you do not recognise.
  4. Notify your school’s IT support or leadership — do not wait to see if it gets worse.
  5. If student data may have been accessed, the school may have notification obligations under the Privacy Act 2020 (4).

If a student has been targeted or affected by a cyber incident at school:

  1. Document what you know — do not dismiss it as a one-off.
  2. Report it through your school’s normal channel for student safety incidents.
  3. If it is a criminal matter — such as image-based abuse, online harassment, or extortion — contact Police and the Netsafe helpline (6).

Professional development habits

Cyber safety literacy is not a one-time training. Threats evolve, and the most reliable educators are those who build ongoing habits:

  • When a new platform or tool is introduced at your school, ask about its privacy and security implications before adopting it
  • Revisit your account security settings every six months — add new layers where available
  • If you are unsure about a message, link, or request, check with your IT team or a colleague before acting

Knowledge check

Test your understanding of educator cyber safety responsibilities with these questions.

Q1: You receive an email from what appears to be your school principal asking you to urgently open an attached document about a "confidential student matter." You were not expecting this and the tone is unusual. What is the safest first step?

Answer: Do not open the attachment yet. Verify the request through a different channel — call or message the principal directly using contact details you already have, not the contact details in the email. This is a common impersonation pattern in school-focused phishing. Once you confirm whether the email is genuine, you can act appropriately. If it turns out to be fake, report it to your IT team and warn colleagues.

Q2: Your school is adopting a new AI-assisted marking tool that stores student work on the provider's servers overseas. What privacy and security questions should you ask before using it with students?

Answer: Ask these key questions: Is the data stored in a country with equivalent privacy protections to New Zealand? Does the provider use submitted work for AI model training? Who at the school can access the data and how is access controlled? Has a Privacy Impact Assessment been done? If the answers are unclear or unsatisfactory, do not adopt the tool for student work until the school leadership has properly evaluated the risk. Under the Privacy Act 2020 (4), schools must have a lawful basis for collecting and using student data.

Q3: You suspect a student's personal information has been accessed through your school email account after you clicked a suspicious link. What should you do?

Answer: Act immediately. Change your school email password from a clean device, notify your IT team, and check for any unusual activity in the account. If student data was accessed, the school may have notification obligations under the Privacy Act 2020 (4). Document what happened, including the timeline and what data may have been exposed. Your IT team and school leadership need to know — do not try to manage this alone or wait to see if it improves.

Sources and references

[1] New Zealand. National Cyber Security Centre. (2025). Cyber security guidance for schools. https://www.ncsc.govt.nz

[2] New Zealand. Office of the Privacy Commissioner. (2025). Privacy tools for agencies. https://www.privacy.org.nz/responsibilities/privacy-tools-for-agencies/

[3] New Zealand. Office of the Privacy Commissioner. (2025). Children’s Privacy Project. https://www.privacy.org.nz/focus-areas/children-and-young-people-policy-project/

[4] New Zealand. Parliament. (2020). Privacy Act 2020. https://www.legislation.govt.nz/act/public/2020/0031/latest/whole.html

[5] National Cyber Security Centre UK. (2023). Password managers. https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/password-managers

[6] Netsafe New Zealand. (2025). Education. https://netsafe.org.nz/our-work/education
