One third of the recommendations the NSW audit office made to the state’s universities about fixing their shaky cyber defences last year have been ignored, according to auditor-general Margaret Crawford.
The government-funded tertiary education sector appears to be making a habit of sweeping the auditor’s concerns under the rug: the office last year also complained that 28 percent of its formal recommendations had not been acted upon.
Crawford, who took up the performance watchdog role in April, tabled her annual financial survey of the NSW universities today.
She revealed her audits “continue to identify information security issues, which if not addressed, expose universities to security attacks and can result in data integrity issues, fraud and identity theft”.
“It is disappointing that over a third of the issues identified in the 2015 audits had been reported to management in 2014 and not addressed,” Crawford wrote.
More than half of the issues uncovered by the audit team this time around had already been noted as problems in past audits, and 91 percent of all the shortfalls related to IT security.
The universities' biggest weaknesses, the report said, are policy based.
Campuses are failing to properly limit privileged user access to their networks, failing to log who is accessing sensitive areas and why, and in many cases failing to terminate user accounts when their owners leave the organisation, the report stated.
They are also prone to setting weak password parameters.
The list of shortcomings echoes those uncovered in the 2015 report, establishing a hole that the uni administrators appear to be failing to fill.
NSW’s universities are not completely unfamiliar with the consequences of a weak perimeter.
In 2011 hackers successfully gained control of the homepage of the University of Sydney’s website, in order to launch a personal attack on a systems administrator employed at the campus.
More recently, the school was condemned for not having properly protected a laptop containing sensitive health information that was subsequently lost by a software developer.
The same university had its Facebook page defaced by intruders during last September’s student orientation week.