When the Australian National University faced its own Optus-style data leak in 2019, it did what was unthinkable to some in the cyber security space: it went public.
Three years on, chief information security officer Suthagar Seevaratnam stands by the decision to put the details of the attack into a public report.
"One of the reasons we chose to be so transparent about the breach was so that we as an organisation and our community could talk about it," Mr Seevaratnam said.
"No one showers themselves in glory from a data breach, but it helped frame the narrative."
At the time, his team was already working on a plan to improve the security of the institution. The importance of this work was put into sharp relief when hackers accessed personal records of 200,000 staff and students.
Since then, the ANU has rolled out a strategic information security program to both improve the infrastructure and the culture around cyber security.
"That shift has been quite dramatic in the last few years. Yes, we've improved some of the security technology components, but to me the cultural shift is the most important one," Mr Seevaratnam said.
The cyber criminals
Higher education is an enticing target for cyber criminals because of the large amount of sensitive personal data and research data stored across decentralised organisations.
Garrett O'Hara, technology officer at cyber security company Mimecast, said universities were constantly under attack from cyber criminals, who range from teenagers experimenting in their basement through to well-resourced nation states that have armies of people working on penetrating organisation.
"It's unbelievable when you see how they [cyber criminals] operate. It's almost like a legit corporation where they've got different departments and to the point where they've even got customer service," Mr O'Hara said.
One such cautionary tale emerged from the United States where a 157-year-old college was shut down by a ransomware attack. Lincoln College reportedly paid a ransom of up to $100,000, but the attack paralysed the enrolment systems going into the summer break and the institution didn't have enough funding to continue operating.
Mr O'Hara said about nine out of 10 successful breaches start with an email where someone someone clicks a link, opens an attachment or gives their credentials to a fake website.
"Quite often it's actually weeks or months that the attackers are within inside an organisation, navigating their way through to find a way to ultimately then execute an attack," he said.
Stronger together
Since 2019 cyber security has been the number one priority for Australian universities - even above student success - according to the Council of Australasian University Directors of Information Technology (CAUDIT) annual survey. Cyber security director Nikki Peever said it was an ever-evolving field.
"Our job is to uplift the sector as a whole because you're only as strong as your weakest link," she said.
The chief information security officers from universities meet monthly to discuss the latest issues and to share information.
For example, University of South Australia and Deakin University made presentations to the group after their respective data breach incidents.
"It's no longer about just trying to go it alone and hiding your mistakes. In our group if someone's made an error or someone has had to respond to an incident, other institutions call and say, 'Hey, can we help'?" Ms Peever said.
Evolving response
Responding to the challenge requires universities to grow the skills needed to protect Australia's critical infrastructure.
The University of Canberra has recently inked a deal with international technology company Cisco to help address the skills shortage and to invest in applied research into cybersecurity.
Universities are also cutting down the amount of data being stored and are trialling new ways to secure it.
The ANU has begun rolling out a new secure platform for sharing files and is also looking at getting rid of usernames and passwords for good. They are testing a new system called Cypherise by Australian technology firm Forticode.
It presents the user with a unique, ephemeral QR code to scan with their phone to identify them and ensure they are using a genuine website.
How does an organisation know when enough money, time and energy has been spent on technology and training to keep criminals out? It's an impossible question to answer and one that keeps information security professionals up at night, as Mr Seevaratnam can attest.
"I don't know for sure if there is an end state. It's a perpetually evolving frontier," he said.
We've made it a whole lot easier for you to have your say. Our new comment platform requires only one log-in to access articles and to join the discussion on The Canberra Times website. Find out how to register so you can enjoy civil, friendly and engaging discussions. See our moderation policy here.
