After a year of high-profile hacks, the Federal Government and its corporate regulators are now moving to hold all board members accountable for the cyber resilience of their organisations. Increasingly school boards are no exception, and are being actively held to account. While there have been many hacks of various corporate and government entities in the past year, what is not so well known is that many of Australia’s most prestigious independent schools have also been hacked recently.
The landscape of cybersecurity has evolved dramatically, prompting a significant shift in responsibilities within educational institutions. Welcome to a new paradigm in education; school boards in Australia are now recognising the need to tighten their institution’s cyber preparedness. In this blog post, we delve into the dynamics that have propelled school boards to the forefront of cybersecurity strategy. We explore how this shift affects the education sector and how board members can ensure that cyber risk is more appropriately managed.
A nightmare scenario – breach of sensitive HR, financial and pastoral care data
For too long, schools have failed to prepare for the current generation of sophisticated attacks that NetStrategy security and industry researchers come across. According to James Boyle, CEO and long-time security researcher at NetStrategy, “In the past year, one of Australia’s most prestigious ‘sandstone’ independent schools was hacked, exposing highly sensitive financial, HR and pastoral care data.” What made this hack all the more concerning was that both the institution involved and the parents were extorted with the sensitive data exfiltrated by the hackers. This is by no means an isolated case.
Mr Boyle went on to say, “Our research shows that less than 1% of Australian Independent School Boards have board members with significant cybersecurity experience.” School boards need to actively recruit board members with the requisite experience, or more broadly better educate board members on their obligations and accountability in this area.
Historically, many board members have delegated cybersecurity to the IT department and failed to ask the questions needed to assess their cyber posture. Any meaningful exploration of cyber risk would typically occur only in the context of an annual review of the organisational risk register, often within the finance board subcommittee, with little time spent on cyber risk in particular. It is an area of risk that is poorly understood and often underreported.
Many schools also still do not have an IT board subcommittee, and those that do often have a chair without the requisite cyber experience.
“Directors have a critical role to play and must seek to lift their own cyber literacy levels, recognising that this is a key risk that can never be eliminated but must be effectively managed.” – Hon Clare O’Neil MP, Minister for Home Affairs and Minister for Cyber Security.
Current research shows that the average dwell time for a hacker inside an organisation is more than 3 months before detection. This increased time is a result of an increased use of AI to generate sophisticated cyber attacks and the relative immaturity of most schools in cyber resilience. When you add these facts to the reality of how school boards are typically set up, it all amounts to a nightmare scenario for school boards.
Most schools are unprepared to face and respond to the sophisticated attacks we routinely see in the education sector. Mr Longo, the ASIC Chairman, has said that ASIC plans to target directors of entities that suffer a cyber breach, where it can be shown that there has been inadequate prior cyber preparation.
He also made it clear, as did Mr Penn (Federal Government Cybersecurity Strategy Review Chairman) that organisations need to lift their game. Schools are not exempt from this generalised need to improve digital defence.
School cybersecurity has fundamentally changed
Over the past few years, school use of IT has evolved at a breakneck pace. Even before COVID-19, IT had become a critical enabler of contemporary teaching and learning. Throughout COVID-19 it was crucial to providing learning continuity as schools looked to support teachers and staff working from home. Since then, IT has become even more important. Throughout this time, many systems had to evolve rapidly, and many schools embraced cloud computing, hosted applications and a range of hybrid operating models. The rapid pace of IT innovation and change did not always allow time for careful cybersecurity planning as part of this evolution. Even before this, many schools did not have a comprehensive understanding of their key applications and data, and most schools still have a poor understanding of their key applications (whether hosted or on-premise) and the corresponding data. Increasingly, school leaders are recognising that cybersecurity needs to be considered in a new context, one focused on driving cyber resilience through a more holistic approach.
Key cybersecurity changes include:
Increased risk and impact
Contemporary attacks focus more on weaponising data, extortion and, where possible, degrading or denying access to key school IT platforms. AI coupled with nation-state hackers exponentially raises the risk to schools, and existing controls and investment do little to deter these attacks. Education is one of the key sectors being targeted by hackers globally and is often regarded as a soft touch.
Government and regulator focus
Both ASIC and the Federal Government are moving to an enforcement mode of operation and are increasingly looking to hold directors to account. The spate of high-profile hacks has galvanised both Government and Regulators into action with more substantial penalties both for directors and organisations being foreshadowed.
Data Privacy Landscape
Proposed amendments to existing privacy legislation, being actively considered by the Federal Government, will be far-reaching and could propel Australia to be regarded as one of the countries with the most stringent data privacy regimes in the world, potentially even exceeding the European GDPR provisions. The impact on key school stakeholders, including staff, students and parents, is profound.
School and IT industry shortage of skilled cyber staff
Even before the record low unemployment in Australia, it was generally expected that the country needs at least 10,000 more cybersecurity professionals. Given the tight labour market, schools are increasingly unable to compete with businesses and government to attract and retain suitably qualified cybersecurity staff. Schools continue to expect security to be a part-time function and often have only one or two people in their IT departments.
Complexity of a contemporary school IT hybrid environment
Schools have never had a more complex IT operating environment, with an increasing number of moving parts, often without a solid understanding of the true extent of the key applications and data supporting the school. Less than 5% of schools have undertaken any meaningful IT application and data mapping exercise.
Failure to adequately prepare
Schools are, on the whole, underprepared to detect and respond to contemporary cyber threats. Schools usually do not develop and test cyber critical incident response plans and rely on general critical incident response plans that fail to adequately respond to cyber incidents.
Too often, key strategic external partners, be they IT, cybersecurity, HR, police, marketing, public relations, legal, insurance or others, are not identified and retained in advance, and time is wasted attempting to bring these specialist resources together only once an incident is declared.
Some schools continue to rely on outdated approaches that are no longer fit for purpose and have outlived their usefulness in the current cyber landscape.
The need for a holistic and more considered approach
While IT may manage the technical cyber controls, they are not the risk owner. Directors need to develop and implement a comprehensive cyber strategy, underpinned by clear roles and responsibilities, and a relevant board reporting structure. Cybersecurity cannot be limited to technology solutions. It encompasses policies, processes, employee training, risk assessments, and incident response plans. This requires involvement from senior management and board members to ensure a comprehensive strategy.
How can a board ensure that they are taking sufficient responsibility for cybersecurity?
Boards need to ensure that:
- Cyber risk and cybersecurity feature more prominently on the board agenda throughout the year
- Suitable cyber expertise is recruited to the board and relevant subcommittees
- Board reporting is enhanced to feature cyber as a discrete area of interest beyond generic IT reporting, with IT and cyber expenditure reported separately
- External experts are engaged to provide an independent perspective and supplement internal capabilities
- Key digital assets and associated risks are identified
- Cybersecurity is incorporated into existing risk management processes
- Cybersecurity incidents are planned for, and simulations are regularly conducted to test the plan
Collaborating with IT professionals and experts
Boards can allocate the necessary resources and set the tone for a security-conscious culture. They have the power to do this by engaging external contractors and conducting audits and ICT reviews. Risk assessment can then be made to identify and assess potential cybersecurity risks specific to the educational context, such as student data, research data, and online learning platforms. They can develop a robust incident response plan that outlines the steps to take in case of a cyber incident, ensuring a swift and effective response to minimise damage. Boards can engage in policy development to enforce cybersecurity policies that outline acceptable use, data protection, incident response, and employee training. They can also enable ongoing cybersecurity education and training for staff, students, and board members to ensure everyone understands their roles in maintaining security.
To effectively address the challenges of cybersecurity, school boards should consider:
- Resource allocation
- Risk assessment
- Cyber Incident Response Plans
- Increased readiness and cyber posture testing
- Mandating that cyber expenditure be reported separately from IT expenditure
- Policy development
- Education and training
- External reviews of cyber risk controls and strategy
The role of school boards in ensuring cybersecurity
In a continuously evolving digital landscape, the responsibility for cybersecurity in educational institutions has shifted. As Australia’s National Cyber Security Coordinator has emphasised, the days when boards could delegate cyber risk to the IT function are long gone. As our reliance on technology deepens, cyber threats become more intricate and prevalent. Cloud computing, increased Wi-Fi access and open-source software further complicate the cybersecurity landscape, demanding a collaborative effort between schools and external experts. By allocating resources, formulating policies, prioritising education and training, and engaging external expertise, school boards can ensure cybersecurity.
To learn more or initiate a dialogue on bolstering your institution’s cyber defences, contact NetStrategy today. Let’s forge a future where our educational spaces are sanctuaries of safety and innovation in the digital realm.