With public awareness of cyber security breaches continuing to rise, every kind of Australian organisation – Government, state-owned enterprises, public and private companies and not-for-profits – must understand the risks they face as a result of modern technology and its impact on data privacy and security. The past year saw both the largest data breach in Australian history (with the accidental exposure of the personal information of around 550,000 donors to the Australian Red Cross), as well as highly publicised attempts to sabotage the first digital Australian Bureau of Statistics Census through a series of denial of service attacks.
The higher education sector, like all other Australian organisations, is not immune to this risk. The main area of concern for universities and other higher education institutions is data theft: the combination of students' personal and financial details, confidential data such as medical records, commercially desirable research and an intrinsic virtual and cultural openness makes these institutions obvious targets for hackers. The consequences of a data breach resulting in the theft of personal, confidential or commercial information may include reputational damage (potentially impacting an institution's ability to attract students, research opportunities and funding), business interruption losses and the possible erosion of intellectual property rights (confidential information may lose its confidentiality once communicated to the public, and enforcing copyright and other intellectual property rights across international borders can be difficult and costly). Universities and other higher education institutions that are subject to the Commonwealth Privacy Act will also face more stringent regulatory obligations with the introduction of a scheme for the mandatory notification of data breaches on 23 February next year.
Against this backdrop, MinterEllison conducted its second annual Cyber Security Survey (the Survey) to assess changes in Australian organisations' cyber resilience over the past 12 months. We distributed two different surveys: one directed at company chairmen, directors and CEOs, and another directed at CIOs, CISOs, general counsel and other risk-related managers. Respondents to the Survey came from both public and private sector backgrounds across a wide range of industries.
MinterEllison found that, while some progress has been made over the last 12 months amongst the entities surveyed, many Australian organisations have a long way to go to achieve an appropriate level of cyber resilience.
Awareness of cyber risk is increasing, but what is being done about it?
Although awareness of cyber risk has increased, concrete actions to mitigate this risk have not changed much since last year. In 2016, responses indicated that the number of daily ransomware attacks increased by 300%, compared with 2015 statistics. Despite this dramatic increase in attacks, 42% of surveyed organisations do not have a data breach response plan, 92% do conduct regular staff training on IT security issues, and 47% reported that they do not regularly audit suppliers' IT security practices.
Organisations remain complacent about supply chain risk
The survey revealed that only 57% of organisations regularly review their own IT systems and a mere 33% of organisations regularly audit their suppliers' IT security practices. A failure to review these practices appropriately and regularly increases the risk of cyber breaches and attacks within an organisation's supply chain network. Target US's 2014 data breach is a dramatic example of what can go wrong when a third party supplier opens the door to malicious external actors. In that case, 40 million credit card numbers, as well as the personal information of 70 million individuals, were stolen through malware installed within Target's point-of-sale system. The subsequent investigation determined that hackers had accessed Target's network through credentials stolen from a company that supplied Target with refrigeration and HVAC services.
Cyber security is still (wrongly) seen as being primarily an IT issue
Just over half of our survey respondents told us that their IT departments remain principally responsible for cyber-risk management, compliance and review activities. However, the noxious ripples caused by malicious cyber incidents extend far beyond the confines of an organisation's IT department. The potential scale and severity of damage to organisations transforms cyber risk into an enterprise-wide risk, requiring appropriate Board oversight. According to the ASX 100 Cyber Health Check Report, 'cyber risk demands attention across all levels and functions. It affects everybody from the boardroom to senior management, and from the branch office to the engine room of the business'.
A rising proportion of organisations are electing to purchase specialist cyber insurance
As awareness of cyber risk rises, organisations are increasingly purchasing cyber insurance to help mitigate and manage the risks associated with a cyber incident. The survey results indicate that in 2016, 39% of respondents purchased some form of cyber insurance, compared with 24% in 2015. Now that Australian insurers offer tailored policies covering cyber risk, privacy and data security losses, the uptake of specialist cyber insurance is likely to continue rising in the coming year.
Recommendations for universities and other higher education institutions
Identifying and understanding what you need to protect
The starting point for ensuring your institution is cyber resilient is to identify critical data, systems and services. Determine what data has a potential value outside your organisation, and is therefore more attractive to hackers. For higher education institutions, data will usually fall into the category of personal information (of students and staff) or commercially sensitive information (such as commercially valuable research).
Once an institution has identified what data, systems and services are critical, the next step is developing and implementing cyber risk policies and strategies to monitor and mitigate cyber risk.
Software is the first line of defence
There are myriad resources available to assist organisations to understand the technical tools available to mitigate cyber risk.
CERT Australia (CERT) is the national computer emergency response team and the point of contact in Government for cyber security issues affecting major Australian businesses. CERT recommends that organisations take the following four steps (known as the 'essential four'):
- patching applications & operating systems;
- limiting the number of users with administrative privileges;
- using multifactor authentication for critical systems; and
- using strong passwords/passphrases.
In addition, CERT advises businesses to implement the Strategies to Mitigate Cyber Security Incidents produced by the Australian Signals Directorate, an intelligence agency in the Department of Defence. The strategies are a prioritised list of practical actions organisations can take to improve technical security. CERT considers that the advantage of this guidance is that it can be customised to each organisation based on its risk profile and the threats that are of the greatest concern to it.
Policies, procedures and training
While implementing the right technical tools is crucial, effective cyber resilience extends well beyond the installation of technology tools designed to detect a data breach – to the realm of processes and people.
For example, it is imperative that existing policies in relation to password protection and the use of mobile devices are reviewed and implemented regularly. Employees and contractors should be apprised of the importance of these policies and regularly educated on the risks and on the importance of their role. Many hackers exploit employees' access to an organisation's services, so this step is crucial.
Entities that are subject to the Commonwealth Privacy Act should also take the following steps ahead of the introduction of the new mandatory notification scheme:
- review their existing information handling practices and security governance; and
- review their contracts (particularly with offshore entities), including to ensure that they maintain control over any data breach incident.
Cyber risk insurance
While five years ago cyber insurance was a niche product offered by only a small handful of tech-savvy insurers in the Australian market, most blue-chip Australian insurers now offer tailored policies covering cyber risk, privacy and data security losses.
In the past year we have witnessed the continued evolution of cyber insurance offerings from traditional policies focused on liability to third parties, to comprehensive hybrid products covering additional losses such as breach response costs, regulatory expenses and business interruption.
Higher education institutions seeking to secure cyber risk insurance, or renew an existing policy, may wish to consider the following factors:
- whether a deductible or retention applies to urgent breach coaching and cyber incident response services (providing direct access for organisations to IT professionals, forensic accountants, public relations professionals and regulatory lawyers);
- any limitations on an organisation's preferred response to a cyber incident (for example, does the insurer require an insured organisation to obtain written permission prior to paying a ransom?); and
- policy exclusions for liability assumed under contract. In the absence of a statutory tort for breach of privacy in Australia, many third party liability claims will be advanced against insured organisations in contract, and institutions should therefore take care to identify potentially applicable exclusions in their policies.
Data breaches – like death and taxes – are now an inevitability in our digitally connected world. Australian universities owe it to their students, their alumni, their academics, their researchers, their employees, and the many thousands of Australians whose personal information they hold, to take the cyber threat seriously, and to take the steps necessary to ensure that they continuously review and enhance their cyber resilience.
Author(s): Paul Kallenbach and Leah Mooney