Not if, but when—preparing your cyber defences for the inevitable
27 October 2017
Universities, hospitals, corporations, information technology companies, law firms, small to medium-sized enterprises, chocolate factories and government organisations—no one is immune from cyber criminals and a potential cyber breach. There has been an exponential increase in the number of cyber breaches recently, not to mention ransomware attacks, which are becoming more targeted and demand more significant amounts. In June this year, for example, a South Korean web hosting company was affected by the Erebus ransomware attack and had to pay US$1 million in ransom following an eight-day outage.
Universities hold a wealth of information about previous and current students and staff—birth dates, tax file numbers, addresses, bank details and, of course, academic records. This type of information is highly sought and often sold on the black market for identity theft. Like so many other organisations, a university's database is its lifeline, which makes it a major ransomware target.
Cyber risk is real
The WannaCry cyber breach in May 2017 gained attention because of the number of inadequately protected systems and the failure of many organisations to have the basics in place, such as applying patches to their systems. The Petya virus (and the NotPetya variant) struck six weeks after WannaCry. Last month, American credit reporting agency Equifax announced a data breach involving the potential exposure of 143 million people's personal information, including social security numbers, financial information, licences, addresses and names.
There is no shortage of evidence of cyber breaches in the United States (US) to illustrate that universities are just as vulnerable as other organisations. In 2014, university cyber breaches notably increased. Then, on 13 November 2016, Michigan State University's records of 400,000 students (former and current) were breached by a cyber attack. Have universities changed their cyber security since then?
Most universities use open Wi-Fi networks and generic passwords, leaving them highly vulnerable to attack. The extent of a university's cyber security and resilience framework is critical in case open Wi-Fi is hacked and access to information held by the university is obtained. These frameworks, however, are a balancing act of keeping certain information safe and secure, while promoting access to other information. Universities need to filter and audit their data, then segregate and secure it based on the sensitivity of, and the need to use, the data—some data should be encrypted, other data completely restricted.
It is not only Wi-Fi and computers that create risk. The Internet of Things (IoT) allows interconnectivity with all devices. Anything can be hacked if it is connected to or operates on the IoT—take printers, for example. In 2016, printers at various universities in the US were breached and used not as a jump point to access the university network but to print white supremacist flyers. The management of interconnectivity poses yet another challenge to university cyber security.
Sophisticated systems and security help, but they do not always completely prevent a breach. In the digital age, when all institutions are a target, the mitigation of loss is also important. University College London (UCL), recognised as a leading university globally and an academic centre of excellence in cyber security research, was recently affected by a ransomware attack causing substantial disruptions. UCL, however, was able to mitigate loss through its very quick response team.
Mandatory data breach legislation—are universities affected?
In February 2017, the Commonwealth Government passed a bill amending the Privacy Act 1988 (Cth), which requires mandatory notification of data breaches for entities governed by the Act. The amendments will apply to eligible data breaches that happen after 18 February 2018.
As a general rule, the legislation does not apply to state government agencies, including universities, although some have opted into the Act. For those universities, it's worth considering what to do if there is a serious privacy breach. Will you notify affected people if you are not compelled to do so by legislation?
Every entity should have a process in place to respond to a serious cyber breach, as well as an agreed plan for notifying affected people following a breach. As the UCL example highlights, a response protocol can help you significantly mitigate loss.
Is insurance a solution?
"Just as the process of obtaining home insurance can incentivise home owners to invest in alarm systems, smoke detectors and better locks, the same could be true for companies seeking to obtain cyber insurance," said ASIC Commissioner John Price recently at the Cyber Insurance Forum in Sydney. "Cyber insurance providers can potentially contribute to the management of cyber risk by promoting awareness, encouraging measurement and by providing incentives for risk reduction."
Insurance alone is not the solution to cyber security; rather cyber resilience and insurance form a solution together. As the local cyber insurance market matures, the underwriting process and requirements should assist organisations to achieve resilience goals. Cyber resilience and insurance should complement each other.
The 2017 report on data breaches in Australia by the Ponemon Institute estimates a cost of $140 per capita to effectively notify affected people following a cyber breach—insurance can assist in funding this cost. While cyber insurance policies in the market vary, they generally cover breach response costs (including notification costs), business interruption costs and some third-party liability following a breach.
The other benefit of insurance is that it assists affected organisations to respond to a cyber breach. Promptly responding to a breach and mitigating loss is paramount—an insurance response team will work closely with your cyber security team to achieve this.
So what should you do to be prepared?
Every organisation must recognise, no matter how sophisticated or resilient its system, that it isn't invincible and that human users often are the weakest link when it comes to maintaining a robust defence.
Manage your data effectively and be more cyber resilient through data retention practices, cyber security and training your employees. A cyber breach is just a matter of when, so make sure you are ready to respond by having a protocol in place, seeking professional advice on that protocol if necessary or working closely with your insurer's response protocol.