Cyberattacks impact all organizations: understanding the security landscape remains a focus for businesses
As cyberattacks continue to impact Australian organizations, increased security and an understanding of the landscape remain a key focus across all industries. This requirement is particularly critical in the higher education sector, where a shift to remote learning has expanded the threat landscape. Education is Australia’s third-largest export, valued over USD 32 billion annually (according to the Department of Foreign Affairs and Trade), so it’s critical our education sector is secured to prevent theft of IP and personal data.
NTT Ltd. recently met with one of Australia’s major public universities, as well as leading industry experts, to explore how collaboration between private and public bodies is crucial to keeping both sets of organizations ahead of cybercriminals, particularly when it comes to producing talent. John Karabin, Director of Cybersecurity at NTT Ltd. Australia, and Mihoko Matsubara, NTT Ltd. Group Chief Cybersecurity Strategist, were joined by Dr. Stephen Weller, Australian Catholic University’s (ACU) Chief Operating Officer, and Deputy Vice-Chancellor; Microsoft’s APAC Lead Chief Cybersecurity Advisor, Abbas Kudrati; and Craig Hinkley, WhiteHat’s CEO, in the discussion.
‘Throwing the keys out the window’ - ACU’s data breach experience
In late 2017, ACU began a process, like many large-scale organizations, of improving its security posture. It underwent an assessment against the National Institute of Standards and Technology, drafted a cybersecurity roadmap, and strengthened relationships with key vendors such as Microsoft, to ensure it was better protected from external cyber threats. Dr. Stephen Weller recalls, ‘We were confident. Not cocky, but we were confident.’
‘Cyber is not a thing you do and then move on. It has to be business as usual. Like Workplace Health and Safety, it has to be everyone’s responsibility.’
Dr. Stephen Weller, Chief Operating Officer and Vice-Chancellor at the Australian Catholic University
However, in 2019, ACU experienced a data breach. Dr. Weller recalled, ‘it wasn’t a breach of our cybersecurity. It was a phishing attack. No one broke in. They tried and the system was resilient. But they knocked on the door, somebody opened the window and threw the keys out’. While at first only three accounts appeared to have been impacted, it soon became apparent that 118 accounts had been compromised by the breach. As the Chief Operating Officer, Weller remembers asking, ‘“How many more? How long have they been in? Are they still in? What else did they take?” and no one had the answers.’
Dr. Weller and his team quickly moved from treating it as a cyber issue to making it the singular focus of the institution. They also made the critical decision to make a public declaration to the Office of the Australian Information Commissioner that they couldn’t guarantee that serious harm would not arise. While not a popular decision internally or externally, ACU understood that the data breach was a breach of trust and they could not guarantee that other areas of the institution wouldn’t be impacted.
From that point, it became clear to ACU that they were facing three key issues running in parallel, which Stephen said were ‘the security of the network, the privacy of the data and the impact on our reputation.’ Solving the first two would be key for ACU in order to protect the institution’s reputation with students and staff.
During 2020, the pandemic has shifted ACU’s approach to its students. Stephen reported that the lessons learned from this breach meant that the focus is now not about cybersecurity but about the data they’re protecting, the people that data belongs to, and the reputation of the organization.
The COVID-19 cyber arms race facing the education sector
Australia has faced a series of sustained cyberattacks recently impacting a broad range of industries and businesses. Microsoft’s Abbas Kudrati noted that cybersecurity has become a business issue that’s everyone’s responsibility — no one’s immune.
Microsoft collects eight trillion data security signals daily, providing it with a detailed view of the global security landscape. Kudrati says that while phishing attacks have been a concern for years, the COVID-19 pandemic has given cyber attackers a new theme to use, with Microsoft observing around 18,000 different malicious COVID-19 themed emails, URLs, and IP addresses.
Cyber attackers are getting smarter as well. In the same way that Microsoft uses Machine Learning (ML) and Artificial Intelligence (AI) to stop these attacks, cyber attackers are also using ML and AI to target individuals and organizations. ‘It’s technology against technology, human against human. It’s really surprising to see that they have a similar set of capabilities to what most tech vendors are using,’ according to Kudrati.
When it comes to the education sector, Matsubara noted that cyber maturity levels are low and although many institutions are looking at how to improve, constraints in budgets and resources are preventing progress. This presents a massive opportunity for cyber attackers to target education institutions. Matsubara highlighted that over 60% of malware attacks target the education sector and that, given universities are central to research efforts for a COVID-19 vaccine, they’re prime targets for cyber attackers looking to target that information.
Partnerships are key to filling the talent gaps
The prevailing theory has been ‘as long as you’re faster than the slowest person, you’re okay’ - but this is no longer adequate in today’s cyber landscape. Businesses, universities, and governments all need to work together to combat threats and improve security posture.
WhiteHat CEO Craig Hinkley noted that the cybersecurity industry is facing a talent shortage and there are opportunities for partnerships between universities and private organizations to manage this deficit. Hinkley explained that the lack of available talent means ‘none of us can expect to hire the skills we need to do all the offensive and defensive activities we want’. This means that partnerships where organizations come together and share best practices and learnings are essential for businesses and governments, in order to keep pace with cyber attackers.
While challenges may arise, the benefits are well worth the effort of forging these partnerships, in particular public-private partnerships that can help close the talent gap, especially in relation to the number of white hat ethical hackers. Matsubara also identified that the term ‘cybersecurity professional’ can be difficult to define, and this creates another reason for universities and private organizations to work together to explain exactly what the role entails and the skills that are required.
The future of Australia’s cybersecurity approach
There needs to be a 360-degree approach to cybersecurity. It’s no longer enough to have a secure and stable network — the environment has changed and will continue to transform. For universities, running cyber strategies with limited resources means making the most of the talent and knowledge you have access to. Crucially, the panel agreed there needs to be a standard way to measure skill sets so that universities are preparing the next generation of cybersecurity professionals and helping to fill the talent shortage, and that these skills are adaptable to a changing environment. Collaboration between private and public institutions is the only way Australia’s universities, so critical to our national innovation efforts, can stay one step ahead.