Up to now we have never really been able to quantify risk, as data is too dynamic and dispersed. So when inevitable breaches happen, we are more exposed than we should be.
Last year, a large Australian university was subject to a cyber-attack. A trusted insider – an international student – had exfiltrated large amounts of sensitive data. Given the nature of the data, there was a national security implication, and a risk to sovereign research and IP. What the university did next is a real example of what resilience looks like in 2022 – more on that later.
When we talk about resilience, we’re primarily talking about trust. Being resilient, according to the Government’s Cyber Security Strategy, means people have trust in the ‘online world’. To have an effective online economy and ecosystem, businesses and individuals need a degree of confidence that their data and interests will be protected. And all nations want to be strong players in the digital economy and in a highly connected digital society.
But this bountiful online ocean is teeming with sharks. Cybercrime has reached unprecedented levels and continues its steep trajectory in terms of economic cost and social impact. Citizens and companies are right to be distrustful of an environment where shark nets are patchy and the appetite for causing havoc, be it stealing money or online abuse, insatiable. The anonymity of online interaction further erodes trust, and the lack of accountability leaves us feeling exposed.
So, what is the impact on the trust of students, faculty, and stakeholders when a university is hit by a predator?
Let’s consider as a precedent the Australian National University hack in 2018. This was instigated by a foreign state actor, and 19 years of staff and student records were exfiltrated, including my own. The intrusion went undetected for months and was so sophisticated it was almost impossible to prevent. The perpetrator’s email didn’t even have to be clicked on – just previewing it in the reading pane was enough. A breach like this targets the personal information of Prime Ministers, international students, and tech founders like me. With personal information exposed we are vulnerable to identity theft and social engineering. All this is with a view to more effective foreign interference.
This was a major and serious breach, but how did it impact trust in the ANU? The breach wasn’t publicly acknowledged until October 2018, by which time 2019 enrolments were locked in. And the restrictions imposed by the COVID-19 pandemic in early 2020 made it difficult to understand if the breach had a material impact on the declining fortunes of the university, which lost 17.4% of its revenue in 2021.
Hacks of this scale do not seem to make much of a dent in consumer engagement. Paradoxically, the more we’re online the more likely we are to be breached, but the less likely we are to reduce our online activities. The internet is extremely ‘sticky’ – once we have started banking or studying online, we’re unlikely to go back. We may consider switching universities if ours was hacked, but we soon discover most of them have experienced hacks. And if we read the reports, we’ll probably be fairly forgiving. Threat actors are very sophisticated. The ANU hack was, broadly, unavoidable. So too was the data spill by the trusted insider at the large Australian university mentioned earlier.
When the government talks about resilience, it isn’t really talking about avoiding every hack. It’s talking about defensibility: how egregious was the mistake that led to the breach? How unmitigated was the impact? It has to be a catastrophic lapse in governance to make real waves on public opinion.
So, back to the large Australian university impacted last year. When the spill was detected, they made one call. Within 24 hours we had indexed all the spilled data and mapped it for risk, answering the questions: which documents included PII? How many credit card numbers were involved? What data was subject to legal secrecy provisions, with civil or criminal penalties for disclosure? What should have been destroyed under recordkeeping rules? Note that if the ANU had correctly destroyed my file after seven years, it wouldn’t have been in their breach. Resilience in 2022 is less about preventing a breach and more about minimising its impact. If organisations don’t know their obligations, they risk much larger breaches. Knowing what data you have, where it is and what risk it carries are all key steps in defensible cybersecurity.
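As an added illustration of the risk-mapping questions above (example code written for this page, not Castlepoint’s product), the script below triages a few constructed sample records: it counts card numbers (regex hit plus a Luhn check, so a 13-digit student number is not mistaken for a card), counts email addresses as a stand-in for PII, and flags records held past the seven-year retention period mentioned above. The reference year, the patterns and the severity ladder are assumptions.

```python
import re

REFERENCE_YEAR = 2022     # year the spill is being triaged (assumed)
RETENTION_YEARS = 7       # retention period referred to in the article

# 13-19 digits, optionally separated by spaces or dashes (assumed card format)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Simple email pattern used here as a proxy for PII (assumed)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample records standing in for an indexed data spill
SAMPLE_DOCS = [
    {"id": "fin-2021-07", "created": 2021,
     "text": "Refund to card 4111 1111 1111 1111 for student j.smith@example.edu"},
    {"id": "enrol-2012-03", "created": 2012,
     "text": "Enrolment form. Contact: a.lee@example.edu. Student no. 1234567890123"},
    {"id": "research-2022-01", "created": 2022,
     "text": "Lab notes, sample batch 42. No personal data recorded."},
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def triage(doc: dict, reference_year: int = REFERENCE_YEAR) -> dict:
    """Map one record to the risk questions: card data, PII, retention status."""
    text = doc["text"]
    cards = [m for m in CARD_RE.findall(text) if luhn_valid(re.sub(r"\D", "", m))]
    emails = EMAIL_RE.findall(text)
    overdue = reference_year - doc["created"] > RETENTION_YEARS
    severity = "high" if cards else "medium" if emails else "low" if overdue else "none"
    return {"card_numbers": len(cards), "emails": len(emails),
            "past_retention": overdue,
            # personal data that should already have been destroyed: avoidable exposure
            "avoidable": overdue and bool(cards or emails),
            "severity": severity}


def summarise(docs: list) -> dict:
    """Roll up per-record findings into the numbers a breach response needs."""
    results = {d["id"]: triage(d) for d in docs}
    return {"documents": results,
            "total_cards": sum(r["card_numbers"] for r in results.values()),
            "total_emails": sum(r["emails"] for r in results.values()),
            "avoidable": [i for i, r in results.items() if r["avoidable"]]}
```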
Castlepoint AI makes this possible, at scale, for the first time. We can read every word in every item in every system in an organisation’s entire network, and automatically map it for risk and value. We see who does what to it and whether that breaches any rules, and take steps to protect the most important data and reduce our threat surface.
When the sharks circle, we can minimise the impact of an inevitable breach with an intimate knowledge of our data – preferably before an attack than after one.
For more information, visit www.castlepoint.systems