This was published 5 years ago

Universities across NSW at 'significant' risk of further cyber attacks, audit finds

By Carrie Fellner

Universities across NSW are vulnerable to cyber attacks because of "repeated" failures to fix weaknesses in their IT systems, with one university deemed at high risk of the theft of sensitive data, an Auditor-General's report has warned.

The audit also raises questions over transparency in alerting the public to data breaches, with revelations one university recorded eight breaches last year and another experienced 286 "cyber incidents".

An audit has found universities in NSW are vulnerable to cyber attack. Credit: Jessica Hromas

Cyber incidents can involve theft of information, the denial of access to critical technology or the hijacking of systems for malicious intent, as well as blocked attacks.

The NSW Auditor-General's report raises fresh concerns about the capacity of universities to defend against cyber attacks, after revelations this week that hackers stole 19 years' worth of highly sensitive personal data from the Australian National University in Canberra.

The audit scrutinised 10 universities for the year ending December 31 2018, including the University of Sydney, University of NSW, Macquarie University, UTS and Western Sydney University.

The report red-flagged Charles Sturt University as being at high risk, due to "ineffective or absent controls to restrict access to sensitive data maintained by the university."

Charles Sturt disputed this, arguing the finding related to 2017 and was included in the 2018 report in "error".

"A remediation plan was put in place ... and it was accepted by the NSW Audit Office in September 2018," a spokeswoman said. "We are following this through and await a response from the NSW Audit Office on this matter."

The university received a letter from the audit office last month stating the matter had been resolved, she added.

Thirty-five weaknesses posing a "moderate risk" were uncovered in the risk controls of the remaining universities.

Among them, 28 were "repeat findings", where the university had not acted on a previous audit recommendation.

Problems included a lack of monitoring of user access, such as for terminated employees, and password settings that did not align with security policies.

The weaknesses presented "significant" vulnerabilities for the universities and could lead to financial or reputational losses, the Auditor-General warned.

"Poor IT controls increase the risk of inappropriate access, cyber security attacks, data manipulation and misuse of information and assets," the audit said, adding that the need for "specialist skill" and "extensive testing" could make the problems slow to resolve.

Education Minister Dan Tehan said he would invite all university vice-chancellors to a briefing at the Australian Cyber Security Centre to ensure they were using the latest and most comprehensive cyber security.

The University of Sydney. Credit: Louise Kennerley

"Universities have a responsibility to protect the information they hold about individuals and the research they are conducting," Mr Tehan said.

In 2016, the University of Sydney was involved in a major privacy breach as it admitted to "losing" a notebook computer containing sensitive student information. A year earlier, the University of NSW's Facebook page was hacked twice in two days.

UNSW was alerted to three "moderate" IT control risks in the audit. A spokeswoman said it was working "closely and collaboratively" with the NSW Audit Office to address the risks.

Two low-level IT risks - both "repeat" findings - were identified at the University of Sydney.

It's understood they did not relate to personal data, and the university has changed or is in the process of changing its policies.

"[We] are acutely aware of the sector's vulnerability to cyber-attacks," a spokeswoman said. "In 2017 we began a program to significantly enhance our capabilities to match such threats ... to date, we have no evidence of any significant data breaches."

Seven universities reported data breaches, generally resulting from human error, system fault or malicious attack.

Three universities had not developed formal policies to manage data breaches and had not trained their staff in data protection.

Combined, the universities across NSW spent $24 million in managing cyber security in 2018.

Tom Uren, a senior analyst at the Australian Strategic Policy Institute's International Cyber Policy Centre, said cyber security was generally "pretty poor" across a broad range of organisations where there were "other priorities and limited budgets".

Original URL: https://www.smh.com.au/link/follow-20170101-p51vba