An article that universities are at particular risk of a cyber attack… that was news 10 years ago. But it is worth saying it again now governments in Australia are sort of taking privacy seriously

October 19, 2022

Sometimes it feels like the last decade of writing and reporting on privacy never existed. Articles are being written and statements made portentously, with a breathless quality, about a cyber threat here or a privacy harm there as if it had never been said before. The Australian’s Universities are at particular risk of cyber attack is a classic example of this reheating of well known facts and previous commentary: a phenomenon that has been well known and understood for many years, but written up as if it were some sort of revelation.

Universities are and have always been a focus for espionage and theft of information, sometimes by state actors and sometimes by criminals who can see a financial pay day in stealing commercial information. During the Cold War, the analog era, universities were engaged to do sensitive defence related research. There was a constant competition between those screening staff and protecting information and those intent on trying to corrupt or turn staff and otherwise purloin information. In the digital era this issue has taken on new dimensions with much more information, including personal information on a massive scale, and many more ways of accessing it. Universities are notorious for having inadequate cyber protection, often because of multiple systems being cobbled together after mergers or rationalisations. The authorisation policies are lax and the training is poor.

I have posted on data breaches at the University of Western Australia, Deakin University, University of Tasmania, Australian Catholic University, Australian National University and the University of Greenwich.

The article says nothing much new and is more about general, very general, observations, while its prescriptions are reasonable at an ephemeral level and written in consultant speak, so precision is not a priority. It is a marketing exercise by some PwC partners as much as a column about events. It is not an article for the ages and will not find its way into any text book. But at this time, with some focus on privacy, it is a contribution in a space where contributions of any sort have been few and far between. The quality of the commentary on privacy and cyber security since the Optus Data Breach reflects a serious lack of understanding of privacy principles and cyber security obligations.

The article provides:

A disrupted digital age and the level of threat that nations face from malicious parties is unprecedented. In Australia, no sector is immune, but as one of the nation’s largest industries and holders of valuable intellectual property, the higher education sector is particularly at risk.

Universities are increasingly more connected and accessible to global research and industry partners, which creates significant value for our society. An individual academic (for good reason) may collaborate and share data across multiple institutions and companies in many countries. It is more important than ever for universities, as knowledge holders, to champion and protect the rights of data owners.

However, how do you remain open to the community and partners while ensuring intellectual property, critical infrastructure, students and staff remain safe and the university remains resilient in the longer term?

This is the challenge that university management and council members have been grappling with, even before recent cyber attacks in corporate Australia.

As cyber attacks increase, the ability to protect research, intellectual property, and personal or confidential information using risk-based security strategies at a “whole-of-organisation” level will be highly critical for universities.

They will need to invest in capabilities to ensure future shocks are treated less like emergencies and more like foreseeable challenges to overcome as part of the day to day.

Universities have a complex network of users, including staff, students, alumni, industry partners and community groups. The complexity and sheer number of users make it more difficult to properly secure and manage access across an often distributed technology environment with bring-your-own devices and siloed systems.

The Office of the Australian Information Commissioner indicates education is one of the top five sectors for data breaches. The number of attacks on educational institutions has grown rapidly. The total recovery cost from a ransomware attack in the sector – considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, and more – was, on average, $US3m ($4.7m), according to a report, The State of Ransomware in Education 2022, from IT security firm Sophos.

The higher education sector has seen a wave of cyber attacks in recent years, from ransomware through to espionage motivated actors. Attacks have typically focused on theft of research or personally identifiable information.

For many organisations, investing in cyber security historically meant buying digital tools. But investing in such technology is only half the battle. Cyber security needs to strike a balance between technology, process and people.

Universities can help address these threats through greater investment in cyber capability, the sharing of threat intelligence, strengthening of security controls and establishing the right governance over their security program.

Furthermore, universities will need to understand the root causes driving particular behaviour and ask themselves whether their culture encourages good security practices. If not, why not? And what can be done to encourage a more secure culture?

In 2022, cyber threats present a clearly foreseeable organisational risk – when it comes to cyber-attack victimisation, organisations including universities should see that it is not a matter of “if”, but a matter of “when”.

To help bolster cyber resilience, university council members and management should focus efforts on five key areas:

1. Measuring resilience: you can only improve resilience and sustain it if you can measure the success of your efforts and investments.

2. Defining value: knowing what an attacker might find valuable (e.g. student data, money movement, intellectual property) and the impact of that information or asset being compromised at any moment.

3. Controlling access: understanding where critical information is stored (on a cloud provider or on laptops or mobile devices) and limiting access to the purpose intended and only the permitted individuals.

4. Software updates and backups: operating systems and technology software need to be updated regularly, and restoring from backed-up data should be tested.

5. Culture of resilience: making sure staff and students are continuously educated on business contingency plans and cyber security.

We are seeing more and more the importance of cyber capability as an integral part of a broader resilience capability being built by universities. For universities to continue to have a significantly positive impact on society, they need to successfully address these challenges in the best interests of all Australians.
