campusreview.com.au
TECHNOLOGY
There was also a specific example identified of a university that lacked proper access controls for accounts payable and payroll files, leaving the files accessible and editable by too many people.
VICTORIA
Victoria’s most recent audit found one-third of IT control weaknesses in 2021 were issues with privileged and user access management, and that was consistent with the prior year.
“We continue to find a high number of deficiencies in this area,” the audit stated, adding that third-party access, as well as “logs of access to administration/privileged user accounts”, were deficient at some universities.
WESTERN AUSTRALIA
Western Australia’s most recent analysis is also based on 2021 figures, where it observed a 20% increase in information systems control weaknesses year-on-year.
Out of 124 weaknesses identified, 49% related to information security issues, including system and network vulnerabilities and weak access controls, while 38% covered “the monitoring and logging of user activity, processing and handling of information, and review of access privileges.”
Occurrences were marginally higher than in 2020, again showing the challenge universities face in mitigating user access weaknesses.
QUEENSLAND
The Queensland Audit Office, meanwhile, has uncovered issues such as “ineffective management of access to the systems” and “not enough monitoring of the access and activities of privileged users.”
In total, information systems security and access deficiencies increased from 36 in 2020 to 55 in 2021.
Australia’s universities, as a general rule, are aligned with the need to invest in cybersecurity, particularly after several high-profile attacks against participants in the sector over the last couple of years.
In addition, where universities are taking on government-related projects, they are often required to meet minimum cybersecurity standards.
However, as Queensland’s auditors noted, while universities are “continually improving the security of their systems, the risk of cyberattacks continues to increase”.
GETTING AHEAD OF THE GAME
The sector will maintain its stature as a valuable target, given “the sensitive nature of the information the entities hold about students and research”.
It’s clear that some universities, more than others, are ‘ahead of the game’ when it comes to addressing cybersecurity risks and embracing industry best-practice — such as the Australian Cyber Security Centre’s Essential Eight — to uplift their controls.
Federal education authorities recommend Essential Eight and NIST as obvious framework choices. In NSW, all but two universities use either of these frameworks or a hybrid of both.
Unique and complex, the sector remains a significant target for cybercriminals and foreign interference attacks
In Queensland, auditors said “some education entities” had made progress, setting more complex password requirements and implementing MFA on user accounts, though auditors rightly concluded that more could still be done.
For universities that struggle, there are often clear signs that point to relative immaturity, and that put their access control and privileged user problems into perspective.
In NSW, for example, 54% of cyber training is untailored to staff positions and levels, meaning those in elevated positions, with access to sensitive information or systems, receive the same training as someone who is less of a target or who has more locked-down permissions.
To improve access control and privileged user account management, an access review at least once a year is advisable.
This can identify who has access to what and whether that access is needed; and uncover instances of privilege creep, where people continue to accumulate privileges or system access as they change jobs internally.
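
An access review of the kind described above, as an added example that is not part of the original article: it compares each account's entitlements with a baseline for the person's current role and flags access left over from an earlier job (privilege creep), access outside the baseline, and access not reviewed within a year. The role names, accounts, entitlements and dates are constructed sample data, and the function names are hypothetical.

```python
from datetime import date

# All data below is constructed for illustration; names are hypothetical.
ROLE_BASELINE = {  # entitlements each role is expected to need
    "payroll_officer": {"payroll_rw", "hr_read"},
    "research_admin": {"grants_rw", "hr_read"},
    "it_helpdesk": {"ad_password_reset"},
}
ROLE_HISTORY = [  # (user, role, start date), including internal moves
    ("asmith", "payroll_officer", date(2019, 2, 1)),
    ("asmith", "research_admin", date(2021, 7, 1)),
    ("bjones", "it_helpdesk", date(2020, 3, 1)),
]
ENTITLEMENTS = [  # (user, entitlement, granted, last reviewed or None)
    ("asmith", "payroll_rw", date(2019, 2, 3), date(2020, 6, 1)),
    ("asmith", "hr_read", date(2019, 2, 3), date(2021, 11, 1)),
    ("asmith", "grants_rw", date(2021, 7, 2), date(2021, 11, 1)),
    ("bjones", "ad_password_reset", date(2020, 3, 1), None),
    ("bjones", "domain_admin", date(2020, 9, 15), None),
]

def current_role(user, history, as_of):
    """Return (start, role) of the user's latest role on as_of, or None."""
    held = [(start, role) for u, role, start in history
            if u == user and start <= as_of]
    return max(held) if held else None

def access_review(entitlements, history, baseline, as_of, max_age_days=365):
    """Flag access outside the current role and access not reviewed in time."""
    findings = []
    for user, ent, granted, reviewed in entitlements:
        held = current_role(user, history, as_of)
        start, role = held if held else (None, None)
        if ent not in baseline.get(role, set()):
            # Granted before the current role began: left over from an old job.
            crept = start is not None and granted < start
            reason = "privilege_creep" if crept else "outside_role_baseline"
        elif reviewed is None or (as_of - reviewed).days > max_age_days:
            reason = "review_overdue"
        else:
            continue
        findings.append((user, ent, reason))
    return findings

if __name__ == "__main__":
    for finding in access_review(ENTITLEMENTS, ROLE_HISTORY, ROLE_BASELINE,
                                 as_of=date(2022, 6, 30)):
        print(*finding)
```
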
Universities should also work to adopt Privileged Access Management (PAM) technology that is capable of securing every privileged user, asset, and session, and that can automatically discover and onboard all privileged accounts, secure access to privileged credentials and secrets, and audit all privileged activities.
There is also a growing adoption amongst Australian universities of solutions that provide endpoint controls that remove the use of high-risk local administrative accounts along with application control to monitor and block unwanted applications, including malware.
With broader adoption of these kinds of capabilities, universities have a better prospect of moving the needle on access control and shrinking their threat landscape.