NSW universities have been told to improve their cyber security processes after the state’s auditor-general found “a significant under reporting of incidents”.
The NSW audit office today released its annual audit of the tertiary sector (published as a PDF), which identified a number of cyber security issues common across the state’s ten universities.
It found “opportunities to improve cyber security controls and processes to reduce risks, including [those] relating to financial loss, reputational damage and breaches of privacy laws”.
Most worryingly, only two of the ten universities audited were formally training staff in cyber awareness.
Only half the universities were found to maintain a register of cyber incidents.
“Of those universities that did register cyber incidents, between three and 100 incidents were acknowledged during 2017,” the audit states.
“The range of reported incidents at universities ... indicates a significant under reporting of incidents.”
Four universities did not test their cyber resilience in 2017, while three had no plan in place for recovering from a cyber attack.
Three had also not considered the potential impacts of cyber attacks, including financial impacts and impacts on operations.
One was identified as having no cyber risk framework, which the audit office indicates “consists of identification, protection, detection, response and recovery of the IT system”.
The auditor said that those universities that had “started introducing cyber security control procedures, including staff training” had spent around $6 million doing so during 2017.
It has recommended universities “strengthen their cyber security frameworks to manage cyber security risks”.
In doing so, the universities would be better placed to understand and assess their threat environment and to develop and implement appropriate risk mitigation strategies, the auditor said.
“Ineffective management of cyber security threats and incidents exposes universities to risks including financial loss, reputational damage and loss of information.”
The findings are the second time in recent months that the audit office has uncovered weak cyber security practices in NSW.
In March, it found only two of ten state government agencies had good detection and response processes, including “monitoring firewall logs, server logs, web filtering and antivirus software, and alerts and reports from IT service providers”.