Cybersecurity has risen to become one of the largest risks facing education businesses. What are some of the risks to watch this year and how can you mitigate them effectively?
Cyber risk has risen to become the number one risk for global business outside of COVID-19.
The World Economic Forum’s Global Risk Report 2019 named cyber-attack as the top risk among business leaders in advanced economies, while insurer Allianz’s Risk Barometer also ranked it as the most important risk for global businesses in 2020. In Australia, 85 per cent of CEO respondents to PWC’s CEO Survey named it their greatest threat to growth at the beginning of 2020.
Are you prepared? Here are a few tips for what to watch and how to mitigate cyber risk in 2021.
Three cybersecurity risks
1) The remote learning shift
Distance learning and remote work has exploded and brought with it a series of challenges that are not new but are exacerbated by an increase in scale. With a massive uptick in virtual classrooms, recorded lectures and real-time collaboration tools – placing a much greater burden on limited IT resources – educators bear increased risks associated with a lack of availability.
2) Sophisticated adversaries
Several Australian tertiary education providers have fallen prey to very sophisticated adversaries in the past. There has been enough public discourse to suggest this was a concerted effort by a nation state. It’s almost certain these were not isolated instances, and that more evidence of successful attacks, and long-term compromise in other institutions will come to light in the future. High profile attacks have come to light recently, attributed to China and Russia, have underscored the audacity, and prevalence of such actors.
Ransomware attacks continue to surge. They have evolved from high-volume, low yield attacks on individuals into more sophisticated and targeted attacks on organisations with the goal of larger ransoms. The majority of ransomware crews have now pivoted to a model involving the exfiltration of sensitive data enabling them to follow-through on threats to expose data if ransom payments are not made.
Three mitigation measures
1) See through the noise
Resist the temptation to focus on the ‘threat de jour’. While we have a natural propensity to fixate on very specific threats, either as a result of an incident we may have experienced, witnessed in a similar organisation, or perhaps due to current hype cycle, educators should take a step back, form a comprehensive view of all of their risks, and use that picture for context.
2) Construct a cybersecurity ‘roadmap’
This is about understanding your current state against your desired future state, and then using this to plot a roadmap. Begin with a full review of your maturity using an established framework such as the NIST CSF to understand strengths and weaknesses, identify where you are, where you need to be and what needs to be done to get there. This can then be broken down into discreet work packages and sequenced based on risk, resources and effort. You can perform a free assessment at securitycolony.com.
3) Consult the consultants
Find good consultants and lean on them for intel. Consultants are constantly managing incidents, mitigating risks, interviewing candidates, assessing an organisational maturity, performing due diligence prior to acquisitions, carrying out design or implementation reviews of a given solution and anything in between. You can get a real-time threat intel feed without spending a cent.
Contributions were made to this article by cybersecurity firm Trustwave.