NewsBite

Qld universities fail to keep up with cyber security: Auditor General

Queensland’s universities are failing to bolster cyber defences quickly enough to keep up against increasingly frequent and sophisticated attacks, the auditor-general has warned.

QUT. Picture: David Clark

Queensland’s public universities are failing to bolster cyber defences quickly enough to keep up against increasingly frequent and sophisticated attacks, the auditor-general has warned.

And a recent major cyber security attack on the Queensland University of Technology — resulting in the data of 11,405 staff and students being compromised — was evidence the state’s education sector needed to act with “greater urgency” to boost security.

Queensland Auditor General Brendan Worrall, in an audit report into the state’s education sector, also found public universities knew managing risks across cyber, academic integrity and finance was important — but most still used spreadsheets to record and monitor them.

The report revealed the auditor-general was finding “deficiencies” in universities’ information systems faster than the organisations could plug gaps, with the latest discoveries of the audit pushing the number of issues still “open” and unfixed to 60.

Auditor General Brendan Worrall. Picture: NCA NewsWire / Jono Searle

The Australian Cyber Security Centre, a branch of the federal government’s intelligence agency, recently revealed the education and training sector had become the most attacked sector as of 2020-21.

“We continue to identify weaknesses in the entities’ information systems,” Mr Worrall warned in the report.

“While the entities are addressing deficiencies identified in prior years and improving the security of their systems, the risk of cyber attacks continues to increase, which highlights the need for greater urgency.”

A total of 11,405 students and current and former employees were impacted after QUT was hit by a cyber security attack in December 2022.

The attack also caused parts of the university’s services to be disrupted for more than four weeks.

The report noted the incident happened while QUT was in the process of implementing its overall cyber security strategy, which included addressing recommendations the QAO had made to improve the system.

“This highlights the need for education entities to address recommendations – from audits and other assurance providers – with greater urgency, particularly their security practices, as cyber threats continue to increase in frequency and sophistication,” Mr Worrall noted.

It was also revealed the state’s seven public universities had “generally well documented” risk and mitigation strategies, but just one had risk management software and “most use spreadsheets to record and monitor risks”.

QUT Vice-Chancellor Margaret Sheil said that, of the deficiencies highlighted by the QAO, only three applied to the university and only one had yet to be fully addressed, though there is a risk mitigation strategy in place.

“We have further increased our already substantial investment in cyber security with an additional $8 million investment in 2023 and fast tracked a further $15 million in expenditure for 2023 to accelerate other IT improvements,” she said.

Griffith University and James Cook University affirmed they had a cyber security incident response plan, with the former investing in a “multi-year” improvement program.

A CQUniversity spokesman said the school took “cyber security seriously and has invested accordingly” and that it was committed to “creating a culture that understands cyber security risks and how to prevent them”.


Original URL: https://www.couriermail.com.au/queensland-education/tertiary/qld-universities-fail-to-keep-up-with-cyber-security-auditor-general/news-story/e6a914a18529624da6cbbf7c773bcbfd