NSW Auditor General slams NSW Universities on Cyber Security and Essential 8

NSW Auditor General slams NSW Universities on Cyber Security and Essential 8

//www.audit.nsw.gov.au/sites/default/files/documents/Final%20report%20%20-%20Universities%202019%20audits%20tabled%204%20June%202020.P

Extract from page 32 of the report:

Cyber threats are becoming increasingly common and sophisticated as the global interconnectivity between computer networks has increased.
Cyber security comprises technologies, processes and controls that are designed to protect IT systems and sensitive data from cyber attacks. The cyber security framework consists of threat identification, protection, detection, response and recovery of IT systems.
Cyber incidents can harm universities’ service delivery and may involve:
• theft of information such as intellectual property or sensitive personal data
• denial of access to critical technology
• hijacking of systems for profit or malicious intent
• financial losses.
Two NSW universities have not yet implemented a cyber risk policy.
Recommendation. NSW universities should strengthen cyber security frameworks and controls to protect sensitive data and prevent financial and reputational losses.
The trend in adoption of common cyber security controls at NSW universities is detailed below.

The number of cyber incidents recorded in 2019 by the seven universities ranged from two to 982.
The disparity in the number of recorded incidents is because:
• there are different definitions of what a ‘cyber incident’ is
• some registers include intercepted or blocked attempts, while others do not.
On average, universities incurred $4.6 million in costs in managing cyber security in 2019 ($4.0 million in 2018).

NSW Auditor-General’s Report to Parliament | Universities 2019 audits | Internal controls.
The Australian Cyber Security Centre (ACSC) has published mitigation strategies and recommended controls for protecting against cyber threats. This set of controls is referred to as the ‘Essential Eight’. Some of these controls are not expensive to implement, yet provide important
protections. Whilst universities are not required to adopt these controls, some aspects of the Essential Eight have been implemented at some NSW universities.
ACSC Essential Eight mitigation strategies Number of
universities that apply.

  1. Application whitelisting
    All non-approved applications (including malicious code) are prevented from
    executing. 5
  2. Check and apply security patches
    Security vulnerabilities in applications can be used to execute malicious code on
    systems. 8
  3. Configure Microsoft Office macro settings
    Microsoft Office macros can be used to deliver and execute malicious code on
    systems. 5
  4. User application hardening
    Flash, ads and Java are popular ways to deliver and execute malicious code on
    systems. 3
  5. Restrict / review administrative privileges
    Administrative user accounts have extensive access to systems and may be
    compromised. 9
  6. Patch operating systems
    Security vulnerabilities in operating systems can be used to further the
    compromise of systems. 10
  7. Multifactor authentication
    Stronger user authentication makes it harder for external parties to access
    sensitive information and systems. 9
  8. Daily backups and test for restoration
    Ensure information can be accessed again following a cyber security incident. 10
    Source: Provided by universities (unaudited).
    Our 2018 performance audit report on Detecting and Responding to Cyber Security Incidents
    includes several findings that may be useful for universities to enhance their controls around cyber
    security risks.