Since the conflict started in Ukraine, there has been escalated tension in the Cyber Security environment that could impact UNE. Prevailing advice from government security agencies is that organisations should be on a Cyber Security defensive footing. This has multiple facets: technical, individual and procedural.
As a university, we have a duty to protect UNE sensitive information and sensitive research data. Boards and line managers have a unique role in helping manage Cyber Security threats. Don’t leave any questions about critical vulnerabilities until after an incident has occurred. As line managers and users, we all have a responsibility to ensure UNE assets and data are protected.
The following is an extract from a research article prepared by Dr. Keri Pearlson and Nelson Novaes Neto of MIT. They undertook a survey to better understand how boards deal with Cyber Security. As a result, they have raised 7 questions executives should be able to answer. These questions should permeate through the leadership teams within the organisation.
7 Questions for Executives and Managers
The following questions should be able to be answered by all of the management team.
What are our most important assets?
The Directors and line Managers must make sure the organisation’s most important assets are secure at the highest reasonable level. Asking what is being protected and what needs to be protected is an important first step. If there is no agreement on what to protect, the rest of the Cyber Security strategy is moot.
What are the layers of protection in place?
Protection is done with multiple layers of defence, procedures and policies, and other risk management approaches. Executives don’t need to make the decision on how to implement each of these layers, but they do need to know that effective layers of protection are in place.
How do we know if we’ve been breached?
Executives would be ignoring an important part of their fiduciary responsibility if they did not ensure that the organisation has both protection and detection capabilities. Since many breaches are not detected immediately when they occur, those in the management team must make sure they know how a breach is detected and the level of risk the breach exposes.
What are the response plans in the event of an incident?
Although not likely to be part of the detailed response plan itself, the executives will want to be sure that there is a plan. Which executives and leaders are part of the response plan? What is their role? What are the communications plans? Who alerts authorities? Which authorities are alerted? Who talks to the press, customers, suppliers?
What are the Directors’ responsibilities in the event of an incident?
It would be helpful for the Executives to know what their role will be and to practice it. Is the policy defined to decide on paying a ransom or not, to talk to the largest customers, to be available for emergency meetings with organisation execs to make just-in-time decisions?
What are the business recovery plans in the event of an incident?
Recovery from a business disruption caused by a cyber incident can differ significantly from recovery after a normal outage. Recovery might be different if all records are destroyed or corrupted by a malicious actor. Have the plans been tested?
Is our Cyber Security investment enough?
You can’t invest enough to be 100% secure. But since a budget must be set, it is crucial that companies guarantee they have an excellent security team with the appropriate expertise to tackle technical problems and understand risks and vulnerabilities inside the critical functions of the business. By doing that, the company will be better prepared to allocate investment where it is most needed.
Summary
We all have a role in helping our organisation manage Cyber Security threats. Don’t leave any questions about critical vulnerabilities for tomorrow. Asking the smart questions at your next meeting might just prevent a breach from becoming a total disaster.
As always, we are reliant on people being vigilant and reporting suspicious activity on their systems to servicedesk@une.edu.au, +61 (2) 67735000.
If you haven’t already, we would encourage you to visit the UNE Cyber Security webpage and undertake the UNE Cyber Security Awareness training.
Thanks for your support in helping us maintain the cyber security integrity of UNE.