When it comes to Cybersecurity, do you have a resilience mind-set?
Tertiary Talk - May 2018
Digitisation of tertiary institutions is increasing and, with it, so is the need for cybersecurity vigilance. The very innovations that drive efficiency and growth in an organisation are the same ones that create first-order cybersecurity risks. If University College London, named a “centre of excellence in cyber-security research” by the GCHQ intelligence and monitoring service, can be hit by a ransomware attack, causing “very substantial disruption”, it’s clear that even the best prepared are at risk.
Deloitte’s report on ‘Elevating cybersecurity on the higher education leadership agenda’ explains why higher education institutions are (and will continue to be) vulnerable to cyberattacks. A combination of valuable data, decentralised structures and widespread use of personal devices makes the academic arena a prime target for cyber criminals. The frequency and increasing sophistication of cyberattacks are forcing organisations to be proactive when it comes to hackers; the alternative, a reactive approach, is proving to be costly, disruptive and damaging to reputations.
It’s no longer an option to rely solely on vigilance and security software as protection: it’s not a matter of if you’ll be targeted, but when. Simon Shiu, site director of HP Labs, a major research facility specialising in cybersecurity, explains: “if you haven’t been breached yet, you probably will be in future”. This is where resilience comes into play. If we shift our mind-sets to assuming we will be targeted, we can put a plan in place to act, recover quickly and minimise the impact. Resilient capabilities are built through a focus on detection, incident management, simulation and training.
At the cybersecurity summit held in 2017 by CenturyLink, experts advised that the best defence against a cyberattack is an active one. Cybersecurity experts are “sharing data in real time”, and this can help institutions predict areas of vulnerability and therefore potential threats. This allows organisations to shift their focus, build up resilience and prioritise areas of weakness. Predictive analytics is helping to shape the future of cybersecurity: machine-learning-powered solutions are helping organisations to speed up the rate at which they detect attacks. If you haven’t yet invested in this space, it’s important to make sure this is a conscious choice based on weighing up the likelihood and potential impact of an attack.
With continued spend scrutiny and budget constraints overwhelming the tertiary education sector, something you can do immediately and with minimal investment is to review your disaster recovery plan. Ask yourself, when was this written? Does it talk to your latest IT systems? Is it relevant, and do your staff know where to find it?
Simulating a high-impact cyber threat is also a good way to increase awareness and put your disaster recovery plan to the test. With cyberattacks increasing in frequency and creativity, it is essential that your students and faculty are on board and working with you to prevent such attacks. The research bulletin ‘Higher Education Information Security Awareness Programs’ outlined that, in a 2016 study, 77% of US institutions either have a budget of less than $5,000 or ‘don’t know’ their allocated budget for security awareness. When 91% of cyberattacks start with a phishing email, your users are your first defence and increasing awareness is a must.
From recent Deloitte cybersecurity reviews we note that most, if not all, local institutions here in New Zealand are aware of the risks and are on a similar journey to build resilience. They are focussing on sustainable and cost-effective ways to reduce the likelihood of:
- Loss of confidential information, especially intellectual property and student and staff information;
- Opportunistic changing of critical information such as student marks; or
- Staff being unable to work due to system outages.
We understand that tertiary institutions want to allow academics to have the freedom to conduct research and experiment with new software and technologies. However, the risk tolerance of the institutions has not always been defined to validate that all parties understand how far this freedom should extend, and who ought to be responsible for protecting the university from the associated security risks.
So we’re asking: do you have a resilience mind-set when it comes to cybersecurity? Being resilient doesn’t mean you won’t be targeted; it means that when you are, your team will be equipped to identify an attack quickly, contain the damage and reduce the impact.
If you would like to discuss this further, you can contact Anu Nayar, Partner Cyber, Privacy and Resilience at firstname.lastname@example.org or Crispin Deans, Associate Director Cyber, Privacy and Resilience at email@example.com.
 https://www.verdict.co.uk/top-uk-university-hit-by-major-cyber-attack/ (June 15, 2017)
 https://www.telegraph.co.uk/business/sme-home/hp-resilience-and-cyber-security/ (January 3, 2017)
 Joanna L. Grama and Eden Dahlstrom, Higher Education Information Security Awareness Programs, research bulletin (Louisville, CO: ECAR, August 8, 2016)