The complexity and breadth of technology usage in schools has expanded almost exponentially in the last few years, requiring leadership to critically evaluate the smartest and most cost effective way to manage a school’s growing investment in technology. 

Historically, an “IT Generalist” could reliably cover most areas of technology in a school, however the combination of increasingly sophisticated cybersecurity threats along with new specialized areas of ICT such as cloud services and AI means even the most committed individual struggles to keep up. 

As a result, more schools are seeking to partner with ICT services companies that have a focus on education customers, such as Cyclone. These partnerships allow schools to access a wider range of expertise, with individuals who are typically certified in specialist areas and who can provide comprehensive support to ensure projects, upgrades and emergency ICT responses can be supported in a timely manner. 

School leaders should be constantly evaluating how they are performing in the following six core ICT areas. Consider the questions in each section as a self-check warrant of fitness for your organisation.  

Security 

• Have you had an external audit of your current security posture in the last 12-18 months? 

• Are you confident that vendor firmware updates are consistently and reliably applied to critical security appliances such as your firewalls and core network switches? 

• Have you provided training to your staff to help them identify and report cybersecurity threats from increasingly sophisticated phishing attacks? 

Identity 

• Do you have a cloud-based identity provider that allows you to securely access services hosted both on your school network and in the cloud, whether you’re on campus or remote? 

• Can your staff and students easily Single Sign On into all school-approved resources (devices, cloud services, SMS, printing etc)? 

• Is Multi-Factor-Authentication (MFA) required and enforced when accessing content from a non-secure location? 

Endpoints 

• Are your school owned laptops/tablets/phones currently managed by an MDM? 

• Are vendor released security and operating system patches automatically applied to protect devices and users? 

• Are your devices running a managed and updated security product to protect against viruses, malware and other threats? 

Network 

• Have you had an external audit of your current network in the last 12-18 months? 

• Is your wireless network reliable and coping with increased network traffic and number of devices connecting to it? 

• Have you budgeted for upgrades to future-proof your network as usage increases, and before current equipment goes end-of-life or end-of-support? 

Infrastructure & Cloud 

• Have you had an external audit of your current on-premise infrastructure in the last 12-18 months? 

• Have you explored which services you currently run on-premise that could be migrated to the cloud or the vendor’s Software as a Service offerings (e.g. Student Management Systems, Library Management Systems, Learning Management Systems, Print Services etc) 

• Are you currently backing up core data stored on-premises and in the cloud (e.g. Microsoft 365 and Google Workspace) and regularly performing test restorations to build confidence in your disaster recovery capabilities? 

Artificial Intelligence 

• Do you have an organisational AI policy that has been communicated to your staff and students with clear expectations around usage and approved AI platforms? 

• Have you performed an audit of security permissions for cloud resources to prevent accidental data leaks / exposure before purchasing AI tools like Microsoft Copilot for M365 and Google Gemini? 

• Have you provided training to AI Champions inside your organisation to help maximise the value of AI to your users? 

If you have identified there are gaps or concerns to the above questions, then reach out to Cyclone for assistance on 0800 686 686 or hello@cyclone.co.nz. 

In the digital age, the advent of artificial intelligence (AI) has presented both opportunities and challenges, especially for educational institutions. Schools in Aotearoa are renowned for their commitment to providing exceptional education, find themselves navigating the everchanging landscape of AI integration. As an AI Specialist at Cyclone, I want to share crucial advice on how these schools can set a clear course in this evolving landscape. 

​​​The Imperative of Data Protection and Privacy 

One of the foremost considerations for independent schools venturing into AI is the protection of data and privacy. Generative AI tools offer immense potential to enhance learning, but it is imperative to select tools that prioritise data security. Schools should lean towards using data-protected and private AI tools such as Google Gemini, Microsoft Copilot and Apple Intelligence. These platforms are designed with robust security features that safeguard sensitive student and staff information, and this protection comes with purchased Workspace or 365 licences. 

Conversely, it is advisable to avoid using Open tools such as ChatGPT, Claude and Perplexity for educational purposes. While OpenAI has made significant strides in AI development, concerns about data privacy and security persist. Independent schools must be vigilant in selecting AI tools that comply with stringent data protection standards to maintain the trust of parents, students, and staff. 

Developing a Comprehensive AI Strategy 

The integration of AI into the educational framework should not be approached haphazardly. It requires a well-thought-out strategy that aligns with the school’s values and goals. A key component of this strategy is the development of policies that govern the use of AI tools. However, more crucial than a general policy is the establishment of an Acceptable Use Policy (AUP) specifically for AI. 

An Acceptable Use Policy serves as a guiding document that outlines the boundaries for AI usage by teachers and students. For teachers, the AUP should provide clear guidelines on what generative AI should and should not be used for. This clarity helps prevent misuse and ensures that AI is employed to enhance teaching rather than replace fundamental educational practices. 

For instance, teachers might be encouraged to use AI for unit planning and assessment creation but cautioned against using AI for grading student work or drafting emails to parents without proper oversight. By setting these boundaries, schools can ensure that AI tools are used ethically and effectively, contributing positively to the educational environment. 

Creating an AUP requires a collaborative approach involving educators, administrators, and IT professionals. Schools should also consult or utilise Boards of Governors during the process. It should be a living document, regularly reviewed and updated to reflect emerging trends and technologies. Training sessions for teachers on the ethical and practical aspects of AI usage are essential to ensure adherence to the policy. 

Moreover, involving students in the development of the AUP can foster a sense of ownership and responsibility. For example, secondary school students above the age of thirteen could participate in workshops where they discuss the ethical use of AI and propose guidelines for its implementation in their classrooms. By educating students about the ethical use of AI, schools can cultivate a generation of digitally literate individuals who understand the implications of AI technology. 

Embracing the Benefits While Mitigating Risks 

While the cautious adoption of AI is essential, it is equally important to embrace the benefits that AI can bring to the educational landscape. Currently, staff and students are already utilising these generative AI tools to enhance their learning experiences. For instance, AI can personalise learning experiences by providing customised lesson plans and resources tailored to individual student needs, making education more accessible for students with diverse learning profiles. They can also provide real-time feedback, enabling teachers to tailor their instruction to individual student progress. 

However, the focus should always be on augmenting human capabilities rather than replacing them. Teachers play a pivotal role in nurturing critical thinking, creativity, and emotional intelligence—qualities that AI cannot easily replicate currently. Therefore, AI should be seen as a tool to support teachers in their mission to provide holistic education. 

​​​In conclusion, the integration of AI in independent schools in Aotearoa requires a balanced approach that prioritises data protection, ethical usage, and strategic planning. By opting for secure AI tools like Google Gemini, Microsoft Copilot and Apple Intelligence, developing comprehensive Acceptable Use Policies, schools can harness the potential of AI while safeguarding the interests of their communities. As we navigate these turbulent seas, let us set a course that embraces innovation while upholding the values that define exceptional education. 

Written with the assistance of Microsoft Copilot 365. 

Protecting your organisation starts with protecting your data.

Ransomware. It wasn’t that long ago that it was a thing that happened to other people, often the big corporates, the blue chips in America. But not us in little old New Zealand/Aotearoa. We would occasionally hear it mentioned on the news in passing, or on page 10 of the paper. Leap forward to 2021, the year of COVID-19, of lockdowns and the now ubiquitous phrase ‘you are on mute’. The number of attacks made public on local organisations has increased. The biggest single target being the Waikato DHB. They estimate it taking another 2 years before they are back to where they were. 

And at the start of July international software company Kaseya had their remote management tools hijacked to deliver ransomware to unsuspecting victims. This new development is concerning, because the end users did not do anything wrong, nor did the support organisations. 

So what can we learn from these high-profile attacks, and what steps can we take to reduce the risk you are next? The number one thing to do if you haven’t already is to turn on multi-factor authentication (MFA) for all system administrators at a minimum, and preferably all staff. If you have a software platform that doesn’t support MFA you need to be asking questions of the vendor. If you have the choice of methods, using an app on your phone is top of the list, followed by a third party rotating key token (banks often use these). The worst options are receiving an email or text message – neither of these two options are secure. 

Ensure you are backing up your data. This includes Office365 and Google Workplace content. Not all backups are created equal though. Your backups should be going to an offsite location, retained for at least 60 days, and tested. It is no good making a copy of everything to a local hard drive if there is a fire! And no good backing things up if you cannot restore it. In the ideal world backup systems would be air-gapped from the source, and write permissions only allowed to the backup solution. These backups should be monitored and any anomalies investigated. Its common for attackers to quietly infect a system, then wait a month or more for all backups to also be infected before attacking. Look for larger than usual backup sizes, and odd looking content. Artificial Intelligence (AI) bots exist that can do this for you. For those with on-premise servers, ensure your DNS and Active Directory are included in the backups, and ideally locked away separately in a vault (software or physical) so you can quickly recover your infrastructure. 

Review who has access to what. You shouldn’t have more than three super-admins/global admins in any system, and these should be protected with MFA. Also review who has remote access into your systems, either using a VPN or some other method. Separate out the different administrative roles so breaching one account will not open the floodgates. 

Microsoft have a global threat activity website that shows cyber-threat activity for the last 30 days. Disturbingly education makes up of 60% of all recent encounters. 

Cyberthreats, viruses, and malware – Microsoft Security Intelligence 

Staying secure in the modern world

Halfway through the 2021 academic year, and we are still hearing of phishing attacks on schools at all levels throughout Aotearoa. There was a time were only the big global companies were targeted by these attacks. The recent attack on the Waikato DHB should be, and has been, a wake-up call for all organisations. One thing that strikes me when visiting schools is the lack of awareness posters up on the walls. Nothing in the staff room, nothing in the hallways, nothing in the learning spaces. 

For me this is concerning. Most if not all schools have some form of a Digital Citizenship programme they run for students. Part of being a good digital citizen is knowing how to keep safe online. Being able to identify a phishing email, learning to not download an application from a random Internet site, or clicking on links in instant messages is central to this (ISTE standard 2B for students relates directly to this very point). 

The risks that these types of attacks can introduce can be broadly categorised into one of two buckets; ransomware , where all your files are encrypted and you cannot access them without paying the hijackers, and theft where either your data is stolen to be sold on the dark web, or you are tricked into paying phoney invoices.  

Ransomware attacks are growing. Imagine being at the end of a school year, your students have worked hard all year on assignments, and suddenly they are no longer available for final grading or revision for external exams.  

Arguably worse than a ransomware attack is the theft of data. Schools hold a large amount of personally identifiable information (PII) about staff and students, from home addresses to medical information.  All this information holds a value, whether for identity theft, online bully or worse. 

Being tricked into sending school funds to bad actors is still a very real risk, despite years of publicity around the tricks used. A request to purchase 100 iTunes cards for example, or a request from the ‘principal’ to urgently pay the attached invoice should set off alarm bells. The sad reality is it doesn’t always. 

We live in an always-on world, connected across multiple online platforms. The ease in which we share content and connect to friends and colleagues has exploded in the last 5 years. Unfortunately this connectedness allows the attackers to understand the hierarchy at a school, the movements of staff and tailor their messaging accordingly. And because so many transactions are now done online, seeing an email from your favourite online store offering a special deal is accepted with glee, not scepticism.  

Awareness of how to identify a phishing or bogus email can reduce the chances of a user falling for it and introducing an external threat. Better still, awareness and on-going training and assessment that is targeted to the whole school community. The cost to implement these steps starts at $0.  

Ask yourself, what is the financial and reputational cost to do nothing and be compromised?  

Staying secure in the modern world

The recent hack of the Reserve Bank of New Zealand – Te Pūtea Matau (RBNZ) highlights that even central governments struggle with cyber security. Cyber crime is on the rise, and COVID-19 has provided a rich array of new opportunities for the criminal world. There are a number of things that you can do to mitigate some of the risks, and become a harder target. 

Here are our top six security recommendations that every individual and organisation should be adopting. 

1. Always keep the system software updated. This is the software on your laptop, tablet and phone as well as any network equipment such as routers and modems. The breach at the RBNZ was due to outdated software on a network appliance that they had not maintained and patched. The bad agents used a flaw in the software to gain access. Had they kept this updated they may not have been breached. 
2. Use Anti-virus software. And keep it updated. There are almost daily updates to most AV products to keep you safe and secure. No operating system is immune to virus attacks, and contrary to popular belief there are now more viruses and malware for MacOS than Windows. 
3. Use disk encryption. Encrypting your hard drives and USB drives will render them useless if they are lost or stolen. The contents are unreadable if someone trys to access without first decrypting. Both Windows 10 Pro and MacOS have built-in support for drive encryption and it is a very simple process to turn on. We hope that the devices stolen from Capitol Hill in January were encrypted!
4. Use MFA. Using multifactor authentication provides an additional layer of protection to your accounts. Most applications now support the use of MFA (sometimes called 2FA) and a mobile app. It is a simple yet effective way to add extra security to your applications as without it attackers cannot access a system, even with your username and password. TIP: DO NOT use SMS/Text as a secondary authentication method. It is easy for someone to spoof your mobile number and intercept a message. 
5. Run Phishing simulations and training. The easiest way for someone to get into your systems is if they know your username and password. It is very easy for someone to craft an email purporting to be from a trusted persons or company, and tricking you into handing over your credentials. There are a number of tools available to run these simulations and to block phishing emails. 
6. Use Data loss prevention policies. Both Office365 and G Suite have policies available with all subscriptions. The key is to really know your data; where it is, who should have access, and how sensitive it is. Then you can easily develop policies to prevent your data from leaving your environment without your knowledge. 

Talk to us today about how we can support you to secure your environment using these and other tools. 

Protecting your valuable data

Data is a valuable currency and the ultimate goal for cybercriminals. If you own an organisation’s data and intellectual property, you can bring the business to its knees. By breaching the company’s defences and locking up its data, cybercriminals can exploit businesses for a hefty ransom to retrieve their data and avoid the financial and reputational damage that goes along with being breached.

It’s not only businesses that are at risk of financial exploitation. An individual employee’s identity alone is valued at around US$1,200^[1]. However, that’s just the tip of the iceberg considering that a successful cyberattack could result in:

• Appropriation of resources: cybercriminals often use vulnerabilities in the network to infiltrate systems and use information that can be repurposed to create things of value, such as scams. By co-opting organisational data, such as internal email signatures, cyberattackers can create phishing emails to exploit other victims using your organisation as a proxy.
• Clients and suppliers transferring funds to bogus accounts: phishing and spear phishing attacks can exploit your email information to expose your customers to vulnerabilities. This can lead to customers sharing details and finances with cybercriminals using fake accounts and posing as employees of your company.
• Impact to financial credentials: cybercriminals can access company credit cards and bank accounts, which can cause financial losses and damage.
• Theft of intellectual property: cyberattackers that infiltrate your system or deploy ransomware can access sensitive data and information from within your organisation. This can be used to blackmail your organisation, or be sold through the black market, for monetary gain.
• Ransom demands: armed with sensitive company and customer information, cybercriminals can further exploit organisations by requesting payment for the return of locked up data.
• Company information used for unlawful purposes: in addition to financial exploitation, criminals can also exploit confidential information for other means, such as corporate espionage. This can involve company secrets or intellectual property being sold to other competing organisations or used for other illegal activities such as fraud.

It’s essential that organisations invest wisely in tools and technologies to keep their valuable information safe from cybercriminals. To protect company information, organisations must integrate processes like advanced email threat protection, multifactor authentication and employee cybersecurity training into their operations. They should also invest in network security tools, such as perimeter security, to provide the best defence possible for the network. However, there is a fine balance between investing in the right level of protection for your organisation, and over-investing in solutions that may not deliver the best security advantage for your business.

Cyclone has identified four key capabilities your cybersecurity solution must deliver to best protect your organisation and its valuable information in our latest checklist. For more information, download your copy today or contact the Cyclone expert team for a personalised consultation on how best to protect your organisation

[1] https://www.top10vpn.com/research/investigations/dark-web-market-price-index-2019-us-edition/