As we’ve discussed over a number of weeks, good information governance provides a platform for other things, including both cyber security and information security. Cyber and information security are often used interchangeably; in reality, they are related and overlapping concepts.
Information security addresses protecting information (that is, data with meaning or context) in both analogue and digital forms. The focus is typically on the confidentiality, integrity and availability of information. For the layperson, it’s most akin to privacy.
Cyber security is about protecting things that are vulnerable through IT and communications systems. This can be information and a variety of other things such as physical assets: the classic bad-guy-taking-over-the-traffic-lights scenario.
For the purposes of this blog post, we will limit ourselves to information held digitally. Good practice on cyber/information security is an organisation-wide imperative building out from the governance framework. It’s not simply about establishing ‘good IT security’; it is also about having a well-developed, understood and tested response to prospective breaches.
In its 2018 Risk Report for Local Government, Aon discusses cyber risk profiling:
"Assessing cyber risk is a moveable feast. As organisational boundaries extend in response to employee expectations regarding flexible work practices and remote access, patrolling the perimeter is no longer sufficient protection. Firewalls and passwords remain essential – but they are not foolproof. Nor is the potential for accidental breach by employees or contractors. Like the rest of the country, councils need to understand when, not if, they will suffer a cyber breach.
A mismanaged data breach can wreck a council’s reputation making it hard to rebuild trust with the community."
That quote highlights both the need for good practices and also the severe potential consequences of a breach. It makes clear that good practice doesn’t stop with “patrolling the perimeter” and that how an organisation reports and remediates a breach is critical.
This is a theme to which the Office of the Auditor General returned repeatedly in its May 2019 Information Systems Audit Report:
"Ensuring good security practices are implemented, enforced and regularly tested should be a focus and key responsibility for all entities’ executive teams. Continually raising staff awareness, at all levels, about information and cyber security issues is another proven way to embed good practice and security hygiene into everyday operations."
The Auditor General makes very clear that good security practice is neither confined to the IT Department nor solely its responsibility – and certainly not the IT Department acting in isolation. Good practice is organisation wide and ongoing. It affects all parts of the organisation at all times, and every internal resource and external supplier is responsible for understanding it and for continually maintaining and reinforcing it.
It is worth highlighting that this is an ‘everywhere’ problem. The Auditor General’s report shows a year-on-year decline in four of the six categories for which it audits, including information security. Of the entities that the Auditor General reviews annually, only four (Premier and Cabinet, Racing and Wagering, Landgate and Curtin University) have consistently demonstrated good practices across all control categories assessed.
Let’s finish up with a recent example of a breach.
Australian National University is consistently ranked in Australia’s and the world’s best universities. It was 49th in the most recent Times Higher Education World University Rankings.
It was subjected to a coordinated and sophisticated cyber attack involving 10-15 people that gained access to the ANU’s systems for more than six weeks and put the personal data of 200,000 current and former staff and students at risk.
The initial access was achieved after a spear-phishing email recipient previewed the email. They did not open the message, nor click on any links or attachments. Merely previewing the email was sufficient to deliver malware.
The breach was detected by a planned threat hunt. An investigation confirmed a breach on 17 May 2019 – six months after the spear-phishing email was sent.
ANU released its report on the breach in early October 2019 after massive national and international media attention following the disclosure of the breach in June.
ANU claims that it has “heavily invested in and increased cybersecurity efforts since the [unrelated] May 2018 breach”, and that it is “investing in training and enhancing cybersecurity knowledge, awareness and actions among its own community”.
ANU’s response appears to be full and frank with an emphasis on the prospective damage to their students and staff. One can only imagine the cost of this process to the University – in money, in time and in reputation.
Time to review the state of your organisation’s information and cyber security?