Universities across NSW are exposed to cyber attacks due to significant deficiencies in IT internal controls, an audit has found.
An audit of 10 universities conducted by the state’s Auditor General also found that three universities are still developing a strategy to safeguard against cybersecurity risks, and two have yet to establish a recovery plan following a cyber attack.
According to the report, 51 of the 99 internal control deficiencies identified in the audit are related to IT, and these deficiencies can represent significant vulnerabilities for the universities.
No university had implemented all of the Australian Cyber Security Centre’s Essential Eight threat mitigation strategies. Most universities have adopted measures including regularly patching operating systems (10 universities), restricting and reviewing administrative privileges (nine), checking and applying security patches (eight), conducting daily backups (seven), and disabling or restricting Office macro settings (six).