This important report concerning the hack on the ANU’s systems was released publicly last week by Brian Schmidt, Vice-Chancellor.
We commend the Vice-Chancellor for his open and forthright approach when he states:
“While it’s clear we moved quickly to implement hardening and security improvement measures following our first cyber-attack in May 2018, this report shows we could have done more.”
There are some valuable lessons to learn from the hack, so we’ve made four suggestions below:
- The first successful phishing attempt did not require anyone to click on a link or download an attachment. Credentials were obtained when someone at the university simply previewed the email they had received. So, do you really need preview functionality turned on in your email program? It does present security risks. Speak with your IT department if you think it should be turned off.
- The hacker used “spearphishing” attacks. If you’re not familiar with the term, it refers to phishing emails crafted for a specific role, staff member or organisation, rather than sent out at random. It’s a good reminder to think carefully about what, and how much, information you publish on social media, or anywhere on the internet, about yourself or your work.
- The part of the network breached is known as the “Enterprise Systems Domain (ESD), which houses human resources, financial management, student administration and enterprise e-forms systems.” The hacker focussed on a handful of systems, whilst other valuable data was not accessed. Have you considered what data your team holds? Has the data been given a classification for handling? How much data is being held in one database? Who has access to the data?
- Does your IT team have an up-to-date and effective procedure document for Incident Management? The ANU experienced secondary attacks by other opportunistic hackers “within one hour of public notification of the breach”. Having a procedure your team is familiar with, to support your organisation in effectively managing an incident, is now an essential control.
Your policies and procedures are the documented controls that underpin awareness training for information security. If you need to update and/or develop new policies or procedures, or run an awareness program please contact ROI Solutions on 1300 264 946.