NSW universities have been told to strengthen their cyber security frameworks for a third year in a row after persistent issues with key controls were uncovered by the state’s auditor-general.
The annual audit of the tertiary sector also calls into question the adequacy of data breach reporting mechanisms, with revelations one institution recorded 12 breaches last year.
The report [pdf], released on Thursday, looked at the performance of ten universities in 2019, including the University of Sydney, the University of NSW and Western Sydney University.
Like the previous audits, it found ongoing concerns with key cyber security controls at several universities, which it does not name. Given the findings of earlier audits, many of these are likely to be repeat offenders.
The most concerning finding was that only eight of the ten universities had implemented a cyber risk policy, leaving two institutions without one of the most fundamental controls in 2019.
All other cyber security controls, however, saw some improvement on the 2018 audit result, with a cyber attack recovery plan now in place for all ten universities.
Nine universities also now maintain a cyber incidents register, compared with just seven in 2018.
But despite this the audit office said there was still a “disparity in the number of recorded [cyber] incidents”, with between “two and 982” incidents recorded by the seven universities in 2019.
It said this was down to “different definitions of what a ‘cyber incident’ is”, noting that “some registers include intercepted or blocked attempts, while others do not”. A register that counts every blocked connection alongside confirmed compromises will show a far higher total than one that records only incidents with actual impact, so the raw counts cannot be compared across institutions.
Other areas that saw improvement in 2019 include staff cyber awareness training, assessment of the financial/operational impacts and cyber resilience testing.
But this improvement has come at a cost, with the audit indicating that universities spent an average of $4.6 million on managing cyber security during 2019 - a 13 percent increase on 2018.
A number of the Australian Signals Directorate’s voluntary Essential Eight cyber security strategies have also been implemented by the institutions.
All ten universities patch operating systems, perform daily backups and test that those backups can be restored.
User application hardening, the Essential Eight strategy that restricts risky features such as web browser plug-ins and untrusted Office macros, is less pervasive, with the control in place at only three institutions.
The audit office has recommended that “NSW universities should strengthen cyber security frameworks and controls to protect sensitive data and prevent financial and reputational losses”.
Data breach reporting concerns
The audit also reveals that eight universities “recorded and reported the number of data breach incidents in 2019 that ranged from nil to 12”.
“The cause of data breaches was generally from human error, system fault, or malicious attack,” it states.
But with two universities yet to “maintain a register of data breaches or incidents”, the complete number of breaches experienced by the sector is not visible to the audit office.
Two universities were similarly found to have “not analysed the risks of data breach management and have not developed a formal policy on data breach management”, the report said.
Five universities were also found to have a “full or partial register of data that is managed by third-party service providers”, up from two in 2018; without such a register an institution cannot know which of its data a supplier breach would expose.
Under the state’s Privacy and Personal Information Protection Act, universities are required to abide by personal information security principles.
Some also have obligations under the European Union’s General Data Protection Regulation (GDPR) for their international students.
Six universities have now introduced staff training on data protection and breach management.
“Universities that have not assessed the data held by their service providers may be at greater risk of data breaches,” the report states.