The complexity and breadth of technology usage in schools has expanded almost exponentially in the last few years, requiring leadership to critically evaluate the smartest and most cost effective way to manage a school’s growing investment in technology. 

Historically, an “IT Generalist” could reliably cover most areas of technology in a school, however the combination of increasingly sophisticated cybersecurity threats along with new specialized areas of ICT such as cloud services and AI means even the most committed individual struggles to keep up. 

As a result, more schools are seeking to partner with ICT services companies that have a focus on education customers, such as Cyclone. These partnerships allow schools to access a wider range of expertise, with individuals who are typically certified in specialist areas and who can provide comprehensive support to ensure projects, upgrades and emergency ICT responses can be supported in a timely manner. 

School leaders should be constantly evaluating how they are performing in the following six core ICT areas. Consider the questions in each section as a self-check warrant of fitness for your organisation.  

Security 

• Have you had an external audit of your current security posture in the last 12-18 months? 

• Are you confident that vendor firmware updates are consistently and reliably applied to critical security appliances such as your firewalls and core network switches? 

• Have you provided training to your staff to help them identify and report cybersecurity threats from increasingly sophisticated phishing attacks? 

Identity 

• Do you have a cloud-based identity provider that allows you to securely access services hosted both on your school network and in the cloud, whether you’re on campus or remote? 

• Can your staff and students easily Single Sign On into all school-approved resources (devices, cloud services, SMS, printing etc)? 

• Is Multi-Factor-Authentication (MFA) required and enforced when accessing content from a non-secure location? 

Endpoints 

• Are your school owned laptops/tablets/phones currently managed by an MDM? 

• Are vendor released security and operating system patches automatically applied to protect devices and users? 

• Are your devices running a managed and updated security product to protect against viruses, malware and other threats? 

Network 

• Have you had an external audit of your current network in the last 12-18 months? 

• Is your wireless network reliable and coping with increased network traffic and number of devices connecting to it? 

• Have you budgeted for upgrades to future-proof your network as usage increases, and before current equipment goes end-of-life or end-of-support? 

Infrastructure & Cloud 

• Have you had an external audit of your current on-premise infrastructure in the last 12-18 months? 

• Have you explored which services you currently run on-premise that could be migrated to the cloud or the vendor’s Software as a Service offerings (e.g. Student Management Systems, Library Management Systems, Learning Management Systems, Print Services etc) 

• Are you currently backing up core data stored on-premises and in the cloud (e.g. Microsoft 365 and Google Workspace) and regularly performing test restorations to build confidence in your disaster recovery capabilities? 

Artificial Intelligence 

• Do you have an organisational AI policy that has been communicated to your staff and students with clear expectations around usage and approved AI platforms? 

• Have you performed an audit of security permissions for cloud resources to prevent accidental data leaks / exposure before purchasing AI tools like Microsoft Copilot for M365 and Google Gemini? 

• Have you provided training to AI Champions inside your organisation to help maximise the value of AI to your users? 

If you have identified there are gaps or concerns to the above questions, then reach out to Cyclone for assistance on 0800 686 686 or hello@cyclone.co.nz. 

In the digital age, the advent of artificial intelligence (AI) has presented both opportunities and challenges, especially for educational institutions. Independent schools in Aotearoa, renowned for their commitment to providing exceptional education, find themselves navigating the everchanging landscape of AI integration. As an AI Specialist at Cyclone, I want to share crucial advice on how these schools can set a clear course in this evolving landscape. 

​​​The Imperative of Data Protection and Privacy 

One of the foremost considerations for independent schools venturing into AI is the protection of data and privacy. Generative AI tools offer immense potential to enhance learning, but it is imperative to select tools that prioritise data security. Schools should lean towards using data-protected and private AI tools such as Google Gemini, Microsoft Copilot and Apple Intelligence. These platforms are designed with robust security features that safeguard sensitive student and staff information, and this protection comes with purchased Workspace or 365 licences. 

Conversely, it is advisable to avoid using Open tools such as ChatGPT, Claude and Perplexity for educational purposes. While OpenAI has made significant strides in AI development, concerns about data privacy and security persist. Independent schools must be vigilant in selecting AI tools that comply with stringent data protection standards to maintain the trust of parents, students, and staff. 

Developing a Comprehensive AI Strategy 

The integration of AI into the educational framework should not be approached haphazardly. It requires a well-thought-out strategy that aligns with the school’s values and goals. A key component of this strategy is the development of policies that govern the use of AI tools. However, more crucial than a general policy is the establishment of an Acceptable Use Policy (AUP) specifically for AI. 

An Acceptable Use Policy serves as a guiding document that outlines the boundaries for AI usage by teachers and students. For teachers, the AUP should provide clear guidelines on what generative AI should and should not be used for. This clarity helps prevent misuse and ensures that AI is employed to enhance teaching rather than replace fundamental educational practices. 

For instance, teachers might be encouraged to use AI for unit planning and assessment creation but cautioned against using AI for grading student work or drafting emails to parents without proper oversight. By setting these boundaries, schools can ensure that AI tools are used ethically and effectively, contributing positively to the educational environment. 

Creating an AUP requires a collaborative approach involving educators, administrators, and IT professionals. Schools should also consult or utilise Boards of Governors during the process. It should be a living document, regularly reviewed and updated to reflect emerging trends and technologies. Training sessions for teachers on the ethical and practical aspects of AI usage are essential to ensure adherence to the policy. 

Moreover, involving students in the development of the AUP can foster a sense of ownership and responsibility. For example, secondary school students above the age of thirteen could participate in workshops where they discuss the ethical use of AI and propose guidelines for its implementation in their classrooms. By educating students about the ethical use of AI, schools can cultivate a generation of digitally literate individuals who understand the implications of AI technology. 

Embracing the Benefits While Mitigating Risks 

While the cautious adoption of AI is essential, it is equally important to embrace the benefits that AI can bring to the educational landscape. Currently, staff and students are already utilising these generative AI tools to enhance their learning experiences. For instance, AI can personalise learning experiences by providing customised lesson plans and resources tailored to individual student needs, making education more accessible for students with diverse learning profiles. They can also provide real-time feedback, enabling teachers to tailor their instruction to individual student progress. 

However, the focus should always be on augmenting human capabilities rather than replacing them. Teachers play a pivotal role in nurturing critical thinking, creativity, and emotional intelligence—qualities that AI cannot easily replicate currently. Therefore, AI should be seen as a tool to support teachers in their mission to provide holistic education. 

​​​In conclusion, the integration of AI in independent schools in Aotearoa requires a balanced approach that prioritises data protection, ethical usage, and strategic planning. By opting for secure AI tools like Google Gemini, Microsoft Copilot and Apple Intelligence, developing comprehensive Acceptable Use Policies, schools can harness the potential of AI while safeguarding the interests of their communities. As we navigate these turbulent seas, let us set a course that embraces innovation while upholding the values that define exceptional education. 

Written with the assistance of Microsoft Copilot 365. 

eduTech 22 in review

I recently returned from the eduTech 2022 conference in Melbourne where I, along with over 11,000 other people, enjoyed networking and listening to a range of great speakers including a number from Aotearoa. There was a lot of reflection of the pandemic and the way it has driven change across not only education, but the whole world. 

As Richard Culatta, CEO of ISTE said in his opening keynote, 2020 was all about emergency remote learning, not necessarily effective learning. And this was a repeated theme across a number of presentations. We now need to embrace the ‘new norm’ of hybrid learning, take forward skills and pedagogy changes that worked, and leave behind those that didn’t (including practices pre-COVID that may not work well now). 

We need to re-look at the tools that were in use during the last two years and ensure they meet minimum security and student safety standards. So often well-meaning teachers found a new online tool to support their class during the peak of the pandemic and used it to fill a gap. These are often free, full of ads, and send PII data to offshore servers in places like Eastern Europe where privacy may not be a high priority. Or worse, open unforeseen security holes in the school network to allow unauthorized access. 

State and State Integrated schools in New Zealand have free access to both Google Workspace Plus and Microsoft 365, something many Australian educators I spoke with are envious of. Schools need to continue leveraging Google Classroom and Microsoft Teams to support hybrid learning and use classroom technology such as the Jabra Panacast 50 to provide equitable access to students regardless of their geographic location for learning. During the lockdowns, schools used these tools to varying degrees of success and depth. Now is not the time to revert to the ways of teaching pre-2020 and put these toolsets on the shelf. 

Modern management of both school-owned and BYOD devices came up in various conversations, as a simple way to deliver learning ready devices to ākonga at home or school. Schools have realized that old ways of supporting devices don’t work effectively anymore; manually preparing them for teaching and learning, using a gold Windows image, or just leaving students & teachers to add in the tools they need to succeed in the classroom. It just isn’t practical anymore. And again, the platforms from Google and Microsoft to enable this are free to State and State Integrated schools in Aotearoa. Cyclone have delivered many modern management projects over the last few years to support schools adapt and save time & money. 

One interesting topic I found was the lack of desire from several vendors to introduce recyclable packaging and build devices in a more sustainable way. In fact, I had a couple state that in Australia it wasn’t a high priority! This is in stark contrast to here where schools are demanding, and rightly so, to have products in packaging that is planet friendly. We work hard with all our business partners to remove plastic and non-recyclable materials from their products before they arrive in country. And we promote the full lifecycle of device management to reduce cost and recycle or upcycle devices at the end of their life. 

Two years of adaptive practises have left their indelible mark on all of us and will shape the future of education for years to come. What we learn from this period of flux and embed in everyday practise will define the next generation. Technology can bring students closer together and allow them to create content collaboratively. We need to be moving away from the all-too-common content consumption model to one of content creation and allow this collaborative change to organically grow, with appropriate student-safety scaffolding in place. Then we will be preparing life-ready students that are engaged in learning and have the skills to thrive in the communities they live in. 

One of my favourite quotes is from Maya Angelou and seems to be highly relevant to the past couple of years of pandemic and emergency remote learning: 

‘I did then what I knew how to do.  Now that I know better, I do better.’ 

So I ask you – now that you know better, how are you going to do better? 

A Tale of Two Lockdowns

As we head into the final school term of the year, I have been reflecting on how schools I have been involved with have approached and tackled teaching and learning during lockdowns. And how they have managed their core ICT systems during this time to enable the teaching & learning to occur. 

In 2020 I was the IT and Digital Learning Manager for a global independent school. We had spent the last year or so transforming to a serverless school, with all platforms operating in a SaaS model. Legacy ways of thinking and operating were set aside, and the possibilities that Modern Management offered were embraced. All endpoints were Microsoft Windows 10 Professional and being effectively managed through Microsoft Endpoint Manager. The school was already using Canvas for its Learning Management System, and Zoom to teach a large number of classes to Years 7-13 nationwide and in Argentina. With the assignment loaded at the start of the year, and weekly course work loaded upfront, students were able to work through at their pace. Teachers used an interesting timetable that had 1 period for tutorials, 1 for coaching & mentoring and 1 for the students to work independently. This meant students could work ahead if they were confident in the material, and get 2 periods of teacher support if needed. They operated a 1:1 device program for Years 7-13, with 1:2 ratio in the junior school. When the first lockdown hit  early 2020, the school just carried on, albeit from residential homes. The spare devices held onsite were issued to the junior school so almost all students had a device for their sole use. 

Because all devices were being managed by Endpoint Manager, we were able to ensure they were secure, safe, and kept up to date throughout lockdown. New applications and browser shortcuts were pushed out by IT as needed by teaching staff almost real-time. Teaching and Learning barely missed a beat. If a replacement device was needed, it arrived already loaded with the latest applications, bookmarks, and settings, and OneDrive was logged in and waiting with the users work. All thanks to Modern Management powered by Microsoft 365. 

Fast forward to 2021. I am now working for Cyclone Computers and supporting a number of schools. Most are managing their devices using legacy on-premise tools such as Group Policy, WSUS and imaging servers. A few are not even doing that. Teaching is largely done how it has always been done, with text books, and a teacher at the front of the class lecturing to students. Some use of online tools has increased since the 2020 lockdowns, but old habits are hard to break. Its comfortable for teachers to go back to how they were trained, rows of students facing front and being fed content to regurgitate in a summative assessment. 

When lockdown arrives, there is the expected rush to prepare hard-copy content for those without a device, and to wedge content into the nearest online platform. Teachers are now having to (re)learn how to connect with students online, that may or may not be engaged. Content is static at best. Some schools adapt a relaxed approach to learning, others try to stick to the same timetable as pre-lockdown.  Devices have a mix of versions of operating system (and as a result features), outdated applications, and getting new apps onto them is problematic at best. Worse, patches are not being applied as the devices cant see the on-premise update servers, and legacy policies block the user from manually getting them. For some, work is locked away on servers on campus, unable to be accessed from home. They have to recreate documents and save them on their local drives. When the inevitable ‘coke-on-the-keyboard’ happens, all their work is lost, nothing is saved online in OneDrive or Google Drive. Get a new device, start from scratch installing applications manually and then re-doing work that was on their Desktop. 

Digital equity aside, all of the technical challenges we are seeing lockdown after lockdown can be avoided by using modern device management platforms to effectively and securely manage the schools fleet. The three main operating systems have a preferred MDM; Microsoft Endpoint Manager for Windows, Jamf for Apple devices, Google Workspace for Education for Chromebooks. Shifting to modern device management can and does make sense (and cents!) for schools. It directly impacts on teaching and learning outcomes in a positive way, improves device security, and opens up new opportunities to teach and learn from anywhere, anytime, on any device. 

If you identify opportunities for improvement, talk to us. We can support you with PLD, technical reviews & advice, and walk with you on the journey.  

So, where shall we go today? 

Protecting your organisation starts with protecting your data.

Ransomware. It wasn’t that long ago that it was a thing that happened to other people, often the big corporates, the blue chips in America. But not us in little old New Zealand/Aotearoa. We would occasionally hear it mentioned on the news in passing, or on page 10 of the paper. Leap forward to 2021, the year of COVID-19, of lockdowns and the now ubiquitous phrase ‘you are on mute’. The number of attacks made public on local organisations has increased. The biggest single target being the Waikato DHB. They estimate it taking another 2 years before they are back to where they were. 

And at the start of July international software company Kaseya had their remote management tools hijacked to deliver ransomware to unsuspecting victims. This new development is concerning, because the end users did not do anything wrong, nor did the support organisations. 

So what can we learn from these high-profile attacks, and what steps can we take to reduce the risk you are next? The number one thing to do if you haven’t already is to turn on multi-factor authentication (MFA) for all system administrators at a minimum, and preferably all staff. If you have a software platform that doesn’t support MFA you need to be asking questions of the vendor. If you have the choice of methods, using an app on your phone is top of the list, followed by a third party rotating key token (banks often use these). The worst options are receiving an email or text message – neither of these two options are secure. 

Ensure you are backing up your data. This includes Office365 and Google Workplace content. Not all backups are created equal though. Your backups should be going to an offsite location, retained for at least 60 days, and tested. It is no good making a copy of everything to a local hard drive if there is a fire! And no good backing things up if you cannot restore it. In the ideal world backup systems would be air-gapped from the source, and write permissions only allowed to the backup solution. These backups should be monitored and any anomalies investigated. Its common for attackers to quietly infect a system, then wait a month or more for all backups to also be infected before attacking. Look for larger than usual backup sizes, and odd looking content. Artificial Intelligence (AI) bots exist that can do this for you. For those with on-premise servers, ensure your DNS and Active Directory are included in the backups, and ideally locked away separately in a vault (software or physical) so you can quickly recover your infrastructure. 

Review who has access to what. You shouldn’t have more than three super-admins/global admins in any system, and these should be protected with MFA. Also review who has remote access into your systems, either using a VPN or some other method. Separate out the different administrative roles so breaching one account will not open the floodgates. 

Microsoft have a global threat activity website that shows cyber-threat activity for the last 30 days. Disturbingly education makes up of 60% of all recent encounters. 

Cyberthreats, viruses, and malware – Microsoft Security Intelligence 

Staying secure in the modern world

Halfway through the 2021 academic year, and we are still hearing of phishing attacks on schools at all levels throughout Aotearoa. There was a time were only the big global companies were targeted by these attacks. The recent attack on the Waikato DHB should be, and has been, a wake-up call for all organisations. One thing that strikes me when visiting schools is the lack of awareness posters up on the walls. Nothing in the staff room, nothing in the hallways, nothing in the learning spaces. 

For me this is concerning. Most if not all schools have some form of a Digital Citizenship programme they run for students. Part of being a good digital citizen is knowing how to keep safe online. Being able to identify a phishing email, learning to not download an application from a random Internet site, or clicking on links in instant messages is central to this (ISTE standard 2B for students relates directly to this very point). 

The risks that these types of attacks can introduce can be broadly categorised into one of two buckets; ransomware , where all your files are encrypted and you cannot access them without paying the hijackers, and theft where either your data is stolen to be sold on the dark web, or you are tricked into paying phoney invoices.  

Ransomware attacks are growing. Imagine being at the end of a school year, your students have worked hard all year on assignments, and suddenly they are no longer available for final grading or revision for external exams.  

Arguably worse than a ransomware attack is the theft of data. Schools hold a large amount of personally identifiable information (PII) about staff and students, from home addresses to medical information.  All this information holds a value, whether for identity theft, online bully or worse. 

Being tricked into sending school funds to bad actors is still a very real risk, despite years of publicity around the tricks used. A request to purchase 100 iTunes cards for example, or a request from the ‘principal’ to urgently pay the attached invoice should set off alarm bells. The sad reality is it doesn’t always. 

We live in an always-on world, connected across multiple online platforms. The ease in which we share content and connect to friends and colleagues has exploded in the last 5 years. Unfortunately this connectedness allows the attackers to understand the hierarchy at a school, the movements of staff and tailor their messaging accordingly. And because so many transactions are now done online, seeing an email from your favourite online store offering a special deal is accepted with glee, not scepticism.  

Awareness of how to identify a phishing or bogus email can reduce the chances of a user falling for it and introducing an external threat. Better still, awareness and on-going training and assessment that is targeted to the whole school community. The cost to implement these steps starts at $0.  

Ask yourself, what is the financial and reputational cost to do nothing and be compromised?  

Staying secure in the modern world

The recent hack of the Reserve Bank of New Zealand – Te Pūtea Matau (RBNZ) highlights that even central governments struggle with cyber security. Cyber crime is on the rise, and COVID-19 has provided a rich array of new opportunities for the criminal world. There are a number of things that you can do to mitigate some of the risks, and become a harder target. 

Here are our top six security recommendations that every individual and organisation should be adopting. 

1. Always keep the system software updated. This is the software on your laptop, tablet and phone as well as any network equipment such as routers and modems. The breach at the RBNZ was due to outdated software on a network appliance that they had not maintained and patched. The bad agents used a flaw in the software to gain access. Had they kept this updated they may not have been breached. 
2. Use Anti-virus software. And keep it updated. There are almost daily updates to most AV products to keep you safe and secure. No operating system is immune to virus attacks, and contrary to popular belief there are now more viruses and malware for MacOS than Windows. 
3. Use disk encryption. Encrypting your hard drives and USB drives will render them useless if they are lost or stolen. The contents are unreadable if someone trys to access without first decrypting. Both Windows 10 Pro and MacOS have built-in support for drive encryption and it is a very simple process to turn on. We hope that the devices stolen from Capitol Hill in January were encrypted!
4. Use MFA. Using multifactor authentication provides an additional layer of protection to your accounts. Most applications now support the use of MFA (sometimes called 2FA) and a mobile app. It is a simple yet effective way to add extra security to your applications as without it attackers cannot access a system, even with your username and password. TIP: DO NOT use SMS/Text as a secondary authentication method. It is easy for someone to spoof your mobile number and intercept a message. 
5. Run Phishing simulations and training. The easiest way for someone to get into your systems is if they know your username and password. It is very easy for someone to craft an email purporting to be from a trusted persons or company, and tricking you into handing over your credentials. There are a number of tools available to run these simulations and to block phishing emails. 
6. Use Data loss prevention policies. Both Office365 and G Suite have policies available with all subscriptions. The key is to really know your data; where it is, who should have access, and how sensitive it is. Then you can easily develop policies to prevent your data from leaving your environment without your knowledge. 

Talk to us today about how we can support you to secure your environment using these and other tools. 

Protecting your valuable data

Data is a valuable currency and the ultimate goal for cybercriminals. If you own an organisation’s data and intellectual property, you can bring the business to its knees. By breaching the company’s defences and locking up its data, cybercriminals can exploit businesses for a hefty ransom to retrieve their data and avoid the financial and reputational damage that goes along with being breached.

It’s not only businesses that are at risk of financial exploitation. An individual employee’s identity alone is valued at around US$1,200^[1]. However, that’s just the tip of the iceberg considering that a successful cyberattack could result in:

• Appropriation of resources: cybercriminals often use vulnerabilities in the network to infiltrate systems and use information that can be repurposed to create things of value, such as scams. By co-opting organisational data, such as internal email signatures, cyberattackers can create phishing emails to exploit other victims using your organisation as a proxy.
• Clients and suppliers transferring funds to bogus accounts: phishing and spear phishing attacks can exploit your email information to expose your customers to vulnerabilities. This can lead to customers sharing details and finances with cybercriminals using fake accounts and posing as employees of your company.
• Impact to financial credentials: cybercriminals can access company credit cards and bank accounts, which can cause financial losses and damage.
• Theft of intellectual property: cyberattackers that infiltrate your system or deploy ransomware can access sensitive data and information from within your organisation. This can be used to blackmail your organisation, or be sold through the black market, for monetary gain.
• Ransom demands: armed with sensitive company and customer information, cybercriminals can further exploit organisations by requesting payment for the return of locked up data.
• Company information used for unlawful purposes: in addition to financial exploitation, criminals can also exploit confidential information for other means, such as corporate espionage. This can involve company secrets or intellectual property being sold to other competing organisations or used for other illegal activities such as fraud.

It’s essential that organisations invest wisely in tools and technologies to keep their valuable information safe from cybercriminals. To protect company information, organisations must integrate processes like advanced email threat protection, multifactor authentication and employee cybersecurity training into their operations. They should also invest in network security tools, such as perimeter security, to provide the best defence possible for the network. However, there is a fine balance between investing in the right level of protection for your organisation, and over-investing in solutions that may not deliver the best security advantage for your business.

Cyclone has identified four key capabilities your cybersecurity solution must deliver to best protect your organisation and its valuable information in our latest checklist. For more information, download your copy today or contact the Cyclone expert team for a personalised consultation on how best to protect your organisation

[1] https://www.top10vpn.com/research/investigations/dark-web-market-price-index-2019-us-edition/