
Why Universities Need to Prioritize Cyber Security: A Look at DISP

Paul A. Watters, Strategic Cyber Consultant, Ionize

In Australia, the Defence Industry Security Program (DISP) is an initiative administered by the Department of Defence that is responsible for protecting classified information and technology in the possession of Defence contractors and other private sector organisations that have been granted access to such information and technology (https://www.defence.gov.au/security/industry). The DISP serves to protect classified information and technology from unauthorised disclosure and to ensure that contractors and other private sector organisations handling such information and technology have appropriate security measures in place. The DISP also helps to ensure that contractors and other private sector organisations are able to maintain the trust of the government and the public by demonstrating their commitment to safeguarding classified information and technology.

DISP requirements include:

  • Establishing and maintaining a security management system that meets the requirements of the DISP

  • Ensuring that all personnel with access to classified information and technology have the necessary security clearances (https://www.defence.gov.au/security/clearances/about/overview) and have been trained in the proper handling of such information and technology

  • Protecting classified information and technology from unauthorised access, use, reproduction, and disclosure

  • Reporting any security breaches or other incidents involving classified information and technology to the appropriate authorities

  • Complying with all applicable laws, regulations, and policies related to the handling of classified information and technology

  • Working with the Department of Defence to continuously improve security practices and procedures.

DISP benefits include:

  • Maintaining the trust of the government and the public: By demonstrating their commitment to safeguarding classified information and technology, contractors and other private sector organisations participating in the DISP are able to maintain the trust of the government and the public. In simple terms – if you want a Defence contract, you will need to be a DISP member.

  • Promoting collaboration and innovation: By ensuring that contractors and other private sector organisations have the necessary security measures in place to handle classified information and technology, the DISP promotes collaboration and innovation within the Defence industry.

  • Enhancing the security of Defence systems and technologies: By protecting classified information and technology from unauthorised disclosure, the DISP helps to enhance the security of Defence systems and technologies.

  • Facilitating the exchange of classified information and technology: The DISP helps to facilitate the exchange of classified information and technology between the government and contractors and other private sector organisations, which can be important for the development and implementation of Defence systems and technologies.


Universities may benefit from DISP membership, yet cybersecurity risks remain significant for the sector. Why is it important for universities to protect against cyber-attacks? Universities have large user bases which are particularly susceptible to:

  • Phishing attacks: Universities are often targeted by phishing attacks, in which attackers send fake emails or other communications that appear to be from a legitimate source, in an attempt to trick individuals into revealing sensitive information or installing malware.

  • Malware: Universities are vulnerable to malware attacks, in which attackers use malicious software to gain access to or disrupt computer systems.

  • Ransomware: Universities may also be targeted by ransomware attacks, in which attackers encrypt or otherwise lock access to data and demand payment in exchange for the keys to unlock it.

  • Data breaches: Universities may experience data breaches, in which attackers gain unauthorised access to sensitive data such as student or faculty records.

  • Insider threats: Universities may also face risks from insider threats, in which employees or other insiders use their access to sensitive information or systems for malicious purposes.

  • Weak passwords: Universities may be vulnerable to cyber attacks if employees use weak passwords or reuse passwords across multiple accounts.

More broadly, universities are very susceptible to foreign interference, which in turn presents a risk to their DISP membership. Like other organisations, universities may be targeted by foreign governments or other entities seeking to influence research or steal intellectual property. Universities may also be targeted by foreign actors seeking to gain access to sensitive information or technologies. This is particularly true if the university receives defence funding, contracts or grants, or conducts research which could endanger national security if disclosed to adversarial foreign governments.

To protect against foreign interference, universities should implement strong cybersecurity measures such as email filtering, antivirus software, and employee training programs. Universities should also be aware of the potential for foreign interference and take steps to safeguard against it, such as carefully vetting external partnerships and funding sources. Additionally, universities can work with government agencies and other organisations to identify and respond to potential threats.

One strategy that universities can develop is a counterintelligence program. While this approach may be at odds with the historically open and liberal nature of higher education, some foreign governments are nonetheless actively targeting universities.

A counterintelligence program is a set of measures designed to detect, prevent, and mitigate threats to an organisation’s information, personnel, and operations from foreign intelligence agencies, terrorists, and other adversaries. A counterintelligence program may include the following elements:

  • Threat assessment: A thorough understanding of the threats faced by an organisation, including the capabilities and motivations of potential adversaries.

  • Security measures: Physical, technical, and administrative measures to protect against threats to information, personnel, and operations.

  • Counterintelligence activities: Activities designed to detect and disrupt the efforts of foreign intelligence agencies and other adversaries to gain access to sensitive information or compromise personnel.

  • Employee training: Training programs to educate employees about the threats faced by the organisation and how to protect against them.

  • Intelligence collection and analysis: Gathering and analysing information about potential threats to the organisation.

  • Collaboration with other organisations: Working with other organisations, including law enforcement agencies and the intelligence community, to share information and coordinate efforts to protect against threats.

Universities may find it challenging to implement a counterintelligence program due to a variety of factors. For example:

  • Limited resources: Universities may have limited resources, including budget and personnel, to devote to counterintelligence efforts.

  • Complex organisational structure: Universities may have a complex organisational structure, with many departments, centres, and institutes, which can make it difficult to coordinate counterintelligence activities across the entire organisation.

  • Open and collaborative culture: Universities are generally characterised by an open and collaborative culture, which can make it difficult to implement security measures and restrict access to sensitive information.

  • Large number of external partnerships: Universities may have a large number of external partnerships and collaborations, which can make it difficult to manage and mitigate potential threats.

Despite these challenges, it is important for universities to take steps to protect against threats to their information, personnel, and operations. Universities can work with security experts and other organisations to develop a counterintelligence program that meets their unique needs and resources.

The Department of Education provides guidelines for universities to follow to counter foreign interference (https://www.education.gov.au/guidelines-counter-foreign-interference-australian-university-sector). While the guidelines are comprehensive, they are not a counterintelligence program in their own right, and only four templates are provided to even begin the process of developing one.

Ionize assists a number of universities with DISP membership, cybersecurity program development and implementation, and implementing strategies to counter foreign interference. If you would like more information contact Ionize below.


How much should you spend on Cybersecurity?

Paul A. Watters – Ionize
and Simon Brown

It’s a question that is asked time and time again, and it may well be the most important commercial question in relation to cybersecurity investment: how much should I be spending on cybersecurity? As with the answer to most questions, this needs to be broken down into a number of sub-questions, some of which are easier to answer than others. Rather than offering a simple answer to a complex problem, we analyse the question as follows:

  • Should you follow a fixed percentage guideline of revenue? Or profit? It depends on whether you are trying to protect profits or revenue. As always, we would advocate a risk-based approach: if cyber threats affect your revenue, e.g., by denying service to your customers, then calculate a budget as a percentage of revenue. On the other hand, if you have stable revenue but variable costs that reduce profits, e.g., by having to pay ransoms, then calculate as a percentage of profit.
  • Is your financial management approach traditional or modern? Is this dictated by business practices, e.g., an agile, high-growth business, or by a regulator, e.g., banks and financial services companies?
  • Are some risks worth spending a fixed cost against to prevent cyber incidents, e.g., endpoint protections, or should investment be weighted towards response, which may have variable costs, e.g., third-party incident response?
  • Is it worth investing anything at all if the potential consequences are low or negligible? Or to put it another way, do you know what your “crown jewels” are, versus systems, networks and data that are peripheral and not worth protecting?
  • What do comparable entities spend? Benchmark data[1] on average cybersecurity budgets by sector shows:
    o $10m for critical infrastructure
    o $14m for financial services
    o $8m for government entities
    o $16m for industrials
    The difference between the smallest entities and the largest was considerable, ranging between $2m and $65m. As a percentage of overall IT budgets, the average was 7.5%. Internationally, Prosegur[2] report an average of 10%, suggesting that Australian entities are still underinvesting in cybersecurity.
  • The percentage of revenue spent on ICT will then determine the percentage spent on cybersecurity. Computer Economics published data in 2019 across 25 industry sectors; the summary (as a percentage of revenue) was as follows, using the 25th, 50th and 75th percentiles:
    o Manufacturing: 1.4, 2.3, 3.2%
    o Financial Services: 4.4, 7.9, 11.4%
    o High Tech: 2.6, 3.65, 4.7%
    o Retail: 1.2, 2.1, 3.0%
    o Health Care: 3.0, 4.45, 5.9%
    The average across all sectors at the 50th percentile was 2.5% of revenue. So in the Australian context, cybersecurity budgets should be roughly 2.5% of 7.5% of revenue. For a $100m company, this suggests a budget of only $187,500. Given that the average salary for even a single cyber analyst in Melbourne is $128,778 (with 35% on-costs, this rises to $173,850), it seems obvious that adopting an average-of-averages approach would not even begin to address the resourcing needed for an internal cyber team. If you really want to break down cybersecurity costs further, Cynet have developed a very detailed budget template which is freely available[3].

    Does this mean that Australian entities are likely underinvesting in cybersecurity on average? We believe that this simple exercise indicates that this may be the case. However, it is also important to note that not all companies, even with $100m revenue, may need full-time cybersecurity staff. Using a Managed Security Service Provider (MSSP), for example, may be one way to access a broad range of services on an “as needed” basis, which could prove cost effective. RSI[4] suggest that MSSP budgets range from US$99-250 per user per month, or A$141-357. On average, this conveniently works out at A$249 per month, or $2,988 per annum. Taking our budget of $187,500, this implies that something on the order of 62.75 users could be supported by an MSSP. Multiplying out the ABS data on SMEs (50 employees or $25m revenue), a $100m company may employ something on the order of 200 people[5].

So while the average case of 62.75 employees on the highest package seems expensive, in fact the cheapest case is quite close: $141 per month would cover 98.99 employees. Can we then conclude that Australian businesses should be doubling their cybersecurity spend, even using the cheapest case? It is hard to draw such a broad conclusion from some simple numerical modelling. Yet it is also true that some Australian entities are repeatedly attacked, while others seem to be better able to defend and prevent. This is almost certainly a function of overall investment, but also of investment in the right categories. Further research is required to fully prove the case for cybersecurity investment to protect both revenue and profits.

It is important to note that Boards and executives must manage a number of competing demands when devising budgets, and not just cyber budgets: every dollar spent on cybersecurity controls may be perceived as reducing profits and shareholder returns. In the current market, Boards may be willing to tolerate higher levels of cyber risk to maximise profits. At the end of the day, a good CISO will be able to amplify and clarify which elements of cybersecurity spend will have the greatest impact within a given context.


Additional Resources

CISO Lens Benchmark: https://www.cisolens.com/benchmark

Prosegur Cyber Budget Report: https://cipher.com/blog/three-approaches-to-setting-cyber-security-budgets/

Cynet Cyber Budget Template: https://go.cynet.com/the-ultimate-security-budget-template

RSI MSSP Budgeting: https://blog.rsisecurity.com/how-much-does-managed-security-services-cost/#:~:text=When%20looking%20for%20a%20managed,dollars%20per%20user%20per%20month.


[1] https://www.cisolens.com/benchmark

[2] https://cipher.com/blog/three-approaches-to-setting-cyber-security-budgets/

[3] https://go.cynet.com/the-ultimate-security-budget-template

[4] https://blog.rsisecurity.com/how-much-does-managed-security-services-cost/#:~:text=When%20looking%20for%20a%20managed,dollars%20per%20user%20per%20month.

[5] https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/pubs/rp/rp1819/SmallBusinessSector


IDENTITY THEFT – Consumer Support

Paul Watters – Ionize


The Optus data breach has shown just how exposed everyday Australians are to identity theft. The prospect of millions of customer records – including such sensitive information as driver’s licence and passport numbers, security questions, birthdates and so on – falling into the wrong hands exposes the weaknesses in the way our corporate information systems are designed and managed. Note that there is nothing unusual or particular to Optus in these comments: every company you deal with is capturing and storing your information in a way that makes it easy for them to service your needs. You do this every day – banking, insurance, superannuation, even online shopping – your personal data needs to be shared in order for you to function in today’s society.

While you can do a lot to prevent identity theft – such as checking privacy statements, only sharing information where and when you should, and so on – the Optus case clearly shows that data breaches are inevitable. So what can YOU do to respond? In cybersecurity terms, we would say protect yourself as much as you can, but accept the “residual risk” of a data breach, and make sure you respond. Here’s our step-by-step guide to support you:


1. Check if your passwords have been compromised: check haveibeenpwned.com regularly to see if your passwords have been shared in a data breach, or are for sale on the black market. Generate complex passwords where you can, and use a password manager to store them.


2. Monitor your credit score(s): by law in Australia, you have the right to check your credit score. Equifax.com.au and others provide free credit report checking which won’t affect your right to apply for credit in the future. Credit agencies keep track of when people apply for loans, so this will be the first indicator that someone may be trying to take out credit in your name. If you find mistakes or errors, or don’t recognise a check, you can ask that the records be removed. This is one of the most serious issues for consumers – a data breach and an attacker repeatedly trying to get credit in your name could stop you from getting a home or car loan.


3. Block credit applications: using an app like Credit Savvy will block all applications for credit in your name for 21 days. DO THIS NOW if you are an Optus customer. This will give you breathing space to make any necessary changes (such as passwords) that may prevent data breaches. Every 21 days, you can request a further extension. Unless you plan to apply for credit, keep this door shut at all times.


4. Monitor SMS and authentication codes: if you see a suspicious text or authentication message asking for access, this may indicate that someone has accessed one of your accounts and is trying to get authenticated using “two-factor” authentication. With two-factor authentication, you can only gain access by using both a password and a one-time code sent to your phone or an app. Didn’t request a login? Then don’t authenticate, and make sure you contact the company whose service is being targeted.


5. If your data is breached: you can’t change your date of birth, but anything you can change – such as a mobile phone number that is used to receive authentication codes, or a driver’s licence number – should be changed if you know that your data has been breached. While doing this may be costly and time consuming, you need to make sure that criminals can’t do much damage to your financial health and wellbeing.
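As an added example (not part of the Ionize guide), the password check in step 1 can be automated without the password ever leaving your machine: Have I Been Pwned's Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash and returns every matching hash suffix with a breach count, so the comparison happens locally (k-anonymity). The API URL is assumed from HIBP's public documentation; the sample response body and its counts are constructed so the check runs offline.

```python
"""Offline-testable Pwned Passwords range check (k-anonymity).

Assumption: GET https://api.pwnedpasswords.com/range/<5 hex chars> returns
lines of the form "<35-hex SHA-1 suffix>:<count>". Only the 5-char prefix is
transmitted; the full hash and the password stay local.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict[str, int]:
    """Parse a range response into {suffix: count}; malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, lookup) -> int:
    """How often the password appears in breach corpora (0 = not seen).

    `lookup(prefix)` must return the range body for that 5-char prefix, so the
    suffix is only compared against its own prefix bucket.
    """
    prefix, suffix = split_sha1(password)
    return parse_range_body(lookup(prefix)).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup of one prefix bucket (network; not used by the offline demo)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "pw-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample bucket for the prefix of "password": the real suffix with a
# made-up count, two filler suffixes, and one malformed line the parser ignores.
_PW_PREFIX, _PW_SUFFIX = split_sha1("password")
OFFLINE_RANGES = {
    _PW_PREFIX: (
        "0018A45C4D1DEF81644B54AB7F969B88D65:3\n"
        f"{_PW_SUFFIX}:3730471\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n"
        "not a valid line\n"
    )
}


def offline_lookup(prefix: str) -> str:
    """Stand-in for fetch_range: unknown prefixes return an empty bucket."""
    return OFFLINE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, offline_lookup)} times")
```

Swap `offline_lookup` for `fetch_range` to query the live service; a non-zero count means the password should be retired everywhere it is used.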


Last words

As we say in the industry, the real cost of security is eternal vigilance – expect an attack, be prepared to respond, and you can minimise any damage or losses.


Further Reading

Ten High Impact Things You Can Do To Improve Cyber Security
