Universities are at particular risk of cyber attack

Universities are at particular risk of cyber attack because of the value of the IP they hold.

In a disrupted digital age, the level of threat that nations face from malicious parties is unprecedented. In Australia, no sector is immune, but as one of the nation’s largest industries and holders of valuable intellectual property, the higher education sector is particularly at risk.

Universities are increasingly connected and accessible to global research and industry partners, which creates significant value for our society. An individual academic (for good reason) may collaborate and share data across multiple institutions and companies in many countries. It is more important than ever for universities, as knowledge holders, to champion and protect the rights of data owners.

However, how do you remain open to the community and partners while ensuring intellectual property, critical infrastructure, students and staff remain safe and the university remains resilient in the longer term?

This is the challenge that university management and council members have been grappling with, even before recent cyber attacks in corporate Australia.

As cyber attacks increase, the ability to protect research, intellectual property, and personal or confidential information using risk-based security strategies at a “whole-of-organisation” level will be highly critical for universities.

They will need to invest in capabilities to ensure future shocks are treated less like emergencies and more like foreseeable challenges to overcome as part of the day to day.

Universities have a complex network of users, including staff, students, alumni, industry partners and community groups. The complexity and sheer number of users make it more difficult to properly secure and manage access across an often distributed technology environment with bring-your-own devices and siloed systems.

The Office of the Australian Information Commissioner indicates education is one of the top five sectors for data breaches. The number of attacks on educational institutions has grown rapidly. The total recovery cost from a ransomware attack in the sector – considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, and more – was, on average, $US3m ($4.7m), according to a report, The State of Ransomware in Education 2022, from IT security firm Sophos.

The higher education sector has seen a wave of cyber attacks in recent years, from ransomware through to espionage-motivated actors. Attacks have typically focused on theft of research or personally identifiable information.

For many organisations, investing in cyber security historically meant buying digital tools. But investing in such technology is only half the battle. Cyber security needs to strike a balance between technology, process and people.

Universities can help address these threats through greater investment in cyber capability, the sharing of threat intelligence, strengthening of security controls and establishing the right governance over their security program.

Furthermore, universities will need to understand the root causes driving particular behaviour and ask themselves whether their culture encourages good security practices. If not, why not? And what can be done to encourage a more secure culture?

In 2022, cyber threats present a clearly foreseeable organisational risk. When it comes to cyber-attack victimisation, organisations including universities should see that it is not a matter of “if” but a matter of “when”.

To help bolster cyber resilience, university council members and management should focus efforts on five key areas:

1. Measuring resilience: you can only improve resilience and sustain it if you can measure the success of your efforts and investments.

2. Defining value: knowing what an attacker might find valuable (e.g. student data, money movement, intellectual property) and the impact of that information or asset being compromised at any moment.

3. Controlling access: understanding where critical information is stored (on a cloud provider or on laptops or mobile devices) and limiting access to the purpose intended and only the permitted individuals.

4. Software updates and backups: operating systems and technology software need to be regularly updated, and restoring from backed-up data should be tested.

5. Culture of resilience: making sure staff and students are continuously educated on business contingency plans and cyber security.

We are seeing more and more the importance of cyber capability as an integral part of a broader resilience capability being built by universities. For universities to continue to have a significantly positive impact on society, they need to successfully address these challenges in the best interests of all Australians.

Chris Matthews is education and skills lead partner and Peter Johnson is a cyber security and digital trust practice partner at PwC Australia.


Original URL: https://www.theaustralian.com.au/higher-education/universities-are-at-particular-risk-of-cyber-attack/news-story/534b4a148d6cd4be136975546c14e767