SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Education report recommends more cybersecurity investment as risk grows
Wed, 30th Nov 2022
FYI, this story is more than a year old

An assessment has found big gaps in schools' cybersecurity and recommends a multi-million-dollar boost to school funding for IT.

The report, provided to RNZ under the Official Information Act, recommended setting minimum standards and providing more central support for schools.

The assessment was prompted by growing concern about schools' vulnerability to hackers and was completed in March.

It said the Education Ministry was developing a business case for a multi-year work programme to address longer-term problems.

The report said schools received $40 million a year in specific IT funding from the government but spent $59 million, with secondary schools especially spending more than they received.

It also found many teachers and principals did not know enough about cybersecurity and their behaviour increased cyber risks and impeded good teaching using IT.

It said a survey last year of 45 schools found 46 percent filtered email for spam and/or obscene language or did not filter at all, 78 percent of principals had not been trained on cybersecurity, and only 18 percent offered any form of cybersecurity training to their staff.

"The survey results support the hypothesis that improvement in schools' digital environments and its management is required. This is highlighted by the inconsistent application of protections such as email filtering and the performance of backups," the report said.

"The results show 82 percent scoring as poor in awareness maturity. The respondents try to do what they can, but don't always know where to get information from, or have the time needed to dedicate to addressing cybersecurity issues."

The report said the government needed to spend more to increase schools' cybersecurity but also to increase their productivity, because the workload associated with IT detracted from teaching and learning.

"The need for investment is a response to a growing threat of cybersecurity, data protection and system interoperability. However, there is an increasing need to provide central digital support to kura and schools to enable productivity," the report said.

It said there were no core minimum IT requirements for schools and no framework to ensure they provided safe and secure internet access which complied with the Privacy Act and the Education and Training Act.

The assurance report recommended creating a framework so schools could measure and improve their cybersecurity; reducing the gap between government funding and school spending; increasing teaching time by reducing IT disruption and administration; and taking stock of cyberattack risk.

It also recommended an "audit of the core services that schools would benefit from and set as a minimum secure and equitable service provision".

This would "enable a minimum secure service provision across the New Zealand school types so that variation from a target state of security, capability and capacity is reduced".

The report said research in the USA found education was hit by malware attacks more than any other industry, costing billions of dollars a year in downtime alone, while in the United Kingdom 36 percent of surveyed primary schools and 58 percent of secondary schools had suffered a breach or attack in a single year.

"Cyber risks are increasing in volume, scope, and complexity. Awareness of the risks is ongoing and requires constant understanding of the changing environment that cyber risk can occur. Learning opportunities are impeded by awareness, knowledge, diligence, and capability to safely manage the digital learning environment," the report said.

The report said schools had to buy some IT services themselves and sometimes that approach was not efficient.

"Cost of sale is a barrier to both international and national suppliers - especially for small schools with low marginal revenue opportunities. We have schools who cannot get services due to lack of suppliers willing to cover their location," the report said.

Cybersecurity fears last year prompted the ministry to pause the roll out of Te Rito, a $40 million system developed to help early childhood centres, schools and the ministry share and store information about students.

Te Rito is now part of the ministry's broader work on IT capability and cybersecurity through to 2030.

This year's government budget included a one-off $27 million allocation to strengthen cybersecurity, provide more centralised services for schools, and improve the quality and consistency of digital learning in schools.