TECHNOLOGY campusreview.com.au
Data at risk
The state of access control across Australia’s universities
By Scott Hesford
The education and training sector reported the fifth highest number of cyber security incidents — and the most ransomware incidents — of any industry sector in the 2021-22 financial year.
It is particularly challenged by having a dynamic, highly distributed and open environment, which has an impact on enforcing access control.
Size also plays a part; universities comprise over 1.3 million students, 130,000 employees, and a vast amount of valuable data.
“Unique and complex, the sector remains a significant target for cybercriminals and foreign interference attacks,” a recent report by RMIT to the government states. A desktop review of annual reports by state auditors shows that universities have some key areas of IT controls, specifically management of access controls and monitoring of privileged user accounts, that need to be urgently addressed if ongoing cybersecurity threats and risks for the sector are to be remediated.
While not all states and territories publish an audit of universities’ annual reports each year, at least four do, and it is quickly apparent from those four that there are shared weaknesses that are indicative of the challenges faced by the sector.
NSW
The most recent NSW audit found “many repeat issues” related to IT controls around privileged user activity monitoring and user access management.
These included: 23% of universities not reviewing logs of privileged user activities, 62% “not quarantining activities of privileged users to environments that do not have internet-facing capabilities”, and 77% “not having automated notification systems to alert the IT function when user permissions are changed”.