NSW unis facing significant cyber risks

By Dylan Bushell-Embling
Wednesday, 12 June, 2019

Universities across NSW are exposed to cyber attacks due to significant deficiencies in IT internal controls, an audit has found.

An audit of 10 universities conducted by the state’s Auditor General also found that three universities are still developing a strategy to safeguard against cybersecurity risks, and two have yet to establish a recovery plan following a cyber attack.

In addition, only six of the universities reported that their staff are formally trained in cyber awareness. Two had not tested their cyber resilience in the last three years, two had not assessed the potential financial or operational impact of a cyber attack, and three were not yet maintaining a cyber incidents register.

According to the report, 51 of the 99 internal control deficiencies identified in the audit are related to IT, and these deficiencies can represent significant vulnerabilities for the universities.

One institution — Charles Sturt University in Sydney — was found to be at high risk due to ‘ineffective or absent controls to restrict access to sensitive data maintained by the university’.

The audit also identified 35 IT-related moderate risk control deficiencies, including a lack sufficient user access review and monitoring, poor password settings for applications, and inadequate reviews and approval of change management processes.

A total of 28 of the IT control deficiencies were repeat findings originally identified in prior annual audits. The audit report notes that universities have agreed to draft implementation plans to address these repeat issues.

The audit found that universities spent around $24.2 million managing cybersecurity in 2018.

But seven of the 10 universities experienced at least one cyber incident in 2018, with one recording 286 incidents. Universities faced attacks including phishing, credential stuffing, denial of service, exploits, malware, network reconnaissance and phishing.

No university had implemented all of the Australian Cyber Security Centre’s Essential Eight threat mitigation strategies. Most universities have adopted measures including regularly patching operating systems (10 universities), restricting and reviewing administrative privileges (nine), checking and applying security patches (eight) and conducting daily backups (seven), and disabling or restricting Office macro settings (six).

By contrast, only three universities engage in user application hardening such as controls for Flash, ads and Java, only four had implemented application whitelisting, and only five have adopted multifactor authentication.

The audit also identified significant gaps in NSW universities’ IT contract management practices, such as the absence of risk assessment practices, vendor phase-out plans and review by independent auditors.

Image credit: ©stock.adobe.com/au/Lasha Kilasonia

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.