Around the world, cybersecurity threats are real and rising, and Australia’s education sector is far from immune.
Maintaining effective cybersecurity defences has become an enterprise-wide challenge for organisations of all sizes and stripes, including the country’s houses of higher learning.
Higher learning is one of Australia’s biggest export industries, and universities and vocational education institutions can offer rich pickings for hackers and cyber-criminals looking to appropriate and misuse the personal data of students and staff.
They can also be repositories for information of considerable commercial value – think cutting-edge research that could potentially help enterprises gain an advantage on their competitors in the commercial market.
Mitigating the risk effectively calls for a top-down approach, with buy-in and support from senior management and academics.
Scoping out the challenge
The past two decades have seen information technology undergo an extreme transformation. Once synonymous with processing power in the data centre, it’s now ingrained in almost every aspect of daily life, at home and at work. That’s resulted in a change to the threat landscape.
Once a rarity, cybersecurity incidents are now unremarkable and managing the risks associated with them has become part and parcel of running an organisation, rather than merely an issue for the tech team.
For many higher education institutions, the challenges of implementing effective cybersecurity practices are exacerbated by the legacy solutions that are still in use – ageing equipment and core infrastructure that can be difficult to patch and protect.
Getting the board on board
Unfortunately, board-level discussion about cyber risks tends to revolve around fear in many universities and colleges. Attention is typically focused on the dire implications of an attack and the fallout it could cause.
Often, security professionals will present alarming data about the rates of attack and the extent of potential damage. Their overriding message is that, if everything is not fixed quickly, the institution could find itself in real trouble.
A more constructive focus would be on how, beyond reducing the threat level, becoming proactive about cybersecurity can benefit an organisation more broadly.
For higher education providers, lowering the level of cyber risk can enhance their reputation for integrity and diligence – both factors that contribute to the attraction and retention of students. That’s a key imperative for management, given tertiary institutions operate in a competitive global market.
Leaders also need to consider cyber risk from a legal perspective. In common with other organisations, universities and colleges need to comply with the Australian Privacy Principles laid down by the Office of the Australian Information Commissioner.
Institutions that enrol students or employ staff from EU countries are also subject to that bloc’s stringent GDPR regulations, which extend to all organisations that hold the personal data of EU citizens, regardless of geographic location.
Leaders also have a duty to manage the level of cyber risk faced by their institution and should keep the reasonableness test front of mind when assessing their planned level of action.
This is important because risk reduction steps that would be deemed reasonable today are very different from what they were 10 years ago. Decision makers need to ensure their responses are evolving over time and commensurate with current threat levels.
A problem for the institution, not the IT department
Viewing cybersecurity as a technology problem, rather than a governance problem, is a mistake. Institutions that take that approach and believe that the purchase of another new piece of technology will solve the problem perpetuate the myth that it’s possible to buy your way to safety.
And a myth it is. While products are clearly an essential piece of the security puzzle, it’s vital organisations develop much broader strategies to deal with rising threat levels.
Creating a multi-disciplinary team comprising representatives from across the institution is the best way to ensure all aspects of cyber risk are assessed and each division or business unit is aware of its role, both in mitigation and response, should an incident occur.
Time to act
The risk to organisations posed by hackers and cyber-criminals is real and rising. Threats are becoming increasingly targeted and sophisticated, according to advice released by the Australian Cyber Security Centre in 2019. Business leaders surveyed for PwC’s 2018 Global Economic Crime and Fraud Survey: Australian Report flagged cyber-crime as the most disruptive economic crime of our era.
Taking an enterprise-wide approach to cybersecurity, led by senior management, will not only mitigate the risk but result in additional business benefits for higher education institutions prepared to put the issue on the agenda in the boardroom as well as the IT shop.
Phil Kernick, co-founder and chief technology officer at CQR Consulting.