With reports of cyber attacks continuing to rise, the importance of cyber security for education and research organisations of all sizes cannot be overstated. In this blog post AARNet’s cyber security team provides best practices organisations across the sector can implement to help safeguard their people, assets and sensitive information from cybercrime.
Conduct a cyber security risk assessment
Identify your security and privacy risks and mitigation strategies. Document your risks and any controls that are in place to manage them. Identify any additional controls that are required to further reduce the risk. Monitor and report on your risks and their status on a periodic basis.
Find out more about implementing a cyber security risk assessment plan.
Document and implement strong security policies and processes
Understand and document the current state for your people, processes, data and technologies and what the future state is going to look like. Develop a plan for how to achieve the future state and implement it.
Your policies and processes should include, but are not limited to, identity and access management, asset management, information classification and handling, and physical security controls.
Leverage widely used international security frameworks and standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, ISO 27001, or the Australian Cyber Security Centre (ACSC) Essential Eight baseline mitigation strategies, to understand the security domains and controls that are relevant to your organisation.
Perform periodic audits (internal or by a third party) to assess compliance with your policies and processes to ensure that the controls are operating effectively. Where there are gaps, assess the risk and identify treatments to mitigate them.
It’s important to have roles and responsibilities agreed, documented and communicated to ensure that individuals know what is expected of them and what their responsibilities are for tasks and outcomes related to security policies and processes.
Maintain a data inventory
Understand and catalogue the data assets your organisation holds, including who has access to them, where they are stored, how they are protected, how long the data needs to be retained and how it is to be disposed of. Keep your data inventory up to date.
Use strong security solutions
Use security solutions relevant to your requirements to protect your systems and networks. This includes identity and access management (including privileged access management), firewalls, intrusion detection / prevention systems, application control, endpoint detection and response solutions, and password management solutions.
Keep software up to date
Understand the software and technologies your organisation uses and ensure security patches are installed as soon as vendors make them available.
Use the ACSC Essential Eight for guidance on patching timeframes for applications and operating systems.
Educate employees and students about cyber security
Educate employees and students about cyber threats and what they can do to protect themselves. This includes training them in how to recognise phishing attacks, create strong passwords and keep devices secure. This is about building online safety skills and digital citizenship for your organisation.
Monitor and respond to cyber incidents
Develop and test cyber incident response plans with your internal subject matter experts, or in collaboration with external service providers if the expertise is unavailable in-house. Have people, processes and technologies in place to detect and contain cyber attacks, to minimise their impact and damage, and to recover from the incident. Perform root cause analysis and capture lessons learned as per your incident management procedures (at least for major or critical security incidents) to improve your organisation’s cyber security posture and resilience.
By following these best practices, and continually updating, testing and refining your plans and processes, you can more effectively manage cyber risk.