An NSW Audit Office report revealed universities reported financial losses following cyberattacks suffered in 2022. Credit: Brodie Miller

An Audit Office of New South Wales (NSW) report revealed that two university-controlled entities reported financial losses from cyber incidents suffered during 2022, out of 13 that reported suffering an incident. The ten public universities in NSW control 51 Australian entities and 23 overseas entities. The number of cyber incidents or attacks identified by the entities in 2022 ranged from nil to 1,777. This is a big improvement from 2021's 4,400. However, the difference could be due to differing definitions of what counts as a cyber incident: some entities may report blocked attempts while others may not.

The ten public universities are: Charles Sturt University, Macquarie University, Southern Cross University, University of New England, University of New South Wales, University of Newcastle, University of Sydney, University of Technology Sydney, University of Wollongong, and Western Sydney University.

According to the report, the highest financial loss reported by universities in NSW was from a single attack on an entity that involved malicious software executed in a faculty computer laboratory. "Whilst most entities have not reported direct financial losses from cyber incidents, many required significant effort and costs to respond to known, but unsuccessful incidents," the report read.

Universities hold gold mines of data

Recent major cyberattacks on Australian organisations that were followed by ransom requests have given Australians a taste of just how much personally identifiable information (PII) can cost. Australian universities hold such information, including student and staff names, student numbers or staff IDs, dates of birth and ID records, billing addresses and banking details, and details of participants in research activities. Entities tend to store PII using a combination of offshore, onsite, offsite and cloud environments.
Over 65% of entities use cloud storage for personal information, which relies on third-party IT service providers, and this has become a significant problem. At least two of the three major attacks on Australian organisations used a common method: compromised third-party account login details.

Another issue identified regarding third-party providers is that 31% of entities did not require their providers to notify them of cyber incidents. This is a big concern, since from 8 July 2022 universities became subject to the Security of Critical Infrastructure Act 2018 (SOCI Act), which requires organisations with critical infrastructure assets to report cyber incidents to the ACSC within 12 hours of detection for critical incidents that have a significant impact on the availability of the asset, or within 72 hours for other incidents that have a relevant impact on the asset.

To reduce the risk of new attacks, the Audit Office also suggested NSW universities review their PII retention policies to ensure such data is held only for the minimum duration required. Currently, personal information of staff and students is held for between seven years and eternity, while personal information related to research and commercial activities is held for between seven and 15 years.

The problem is in cybersecurity controls

Although all but one entity assessed their cybersecurity controls in the last 12 months, many crucial areas are not being watched carefully. For example, the report found that 23% of entities are not performing reviews of their logs of privileged user activities, and 77% of entities do not have automated notification systems to alert the IT function when user permissions are changed. More alarming is the possibility that incidents may have occurred but gone undetected or, worse, were not reported to those charged with governance.

While NSW universities are providing cybersecurity training, 46% did not test staff knowledge through awareness exercises.
Those that performed simulated phishing attacks as part of their awareness exercises reported click-through rates ranging from 3% to 71%.
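The report's finding that 77% of entities lack automated alerts for permission changes and 23% do not review privileged-user logs maps onto a simple detection. The following added Python example, which is not part of the audit report or this article, runs over constructed Linux auth.log-style lines and flags additions to privileged groups while tallying sudo use per user for periodic review; the log format, host name and the set of privileged groups are assumptions.

```python
import re
from collections import Counter

# Constructed sample of Linux auth.log-style lines (not taken from the report).
SAMPLE_LOG = """\
Mar  3 10:12:01 lab01 usermod[2211]: add 'alice' to group 'sudo'
Mar  3 10:13:44 lab01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Mar  3 10:15:02 lab01 gpasswd[2250]: user bob added by root to group wheel
Mar  3 10:16:10 lab01 usermod[2301]: change user 'carol' shell from '/bin/bash' to '/bin/sh'
Mar  3 10:17:00 lab01 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/useradd -m eve
"""

# Groups whose membership grants elevated rights; an assumption for this example.
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}

# usermod and gpasswd record group-membership changes in two different phrasings.
USERMOD_RE = re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
GPASSWD_RE = re.compile(r"gpasswd\[\d+\]: user (?P<user>\S+) added by (?P<actor>\S+) to group (?P<group>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def permission_change_alerts(log_text):
    """Return one alert per line that adds a user to a privileged group."""
    alerts = []
    for line in log_text.splitlines():
        m = USERMOD_RE.search(line) or GPASSWD_RE.search(line)
        if m and m.group("group") in PRIVILEGED_GROUPS:
            alerts.append({"user": m.group("user"), "group": m.group("group"), "line": line})
    return alerts


def privileged_activity(log_text):
    """Count sudo commands per invoking user, the raw material for a privileged-user log review."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            counts[m.group("user")] += 1
    return counts


if __name__ == "__main__":
    for a in permission_change_alerts(SAMPLE_LOG):
        print(f"ALERT: {a['user']} added to privileged group {a['group']}")
    print("sudo commands per user:", dict(privileged_activity(SAMPLE_LOG)))
```

A non-privilege change, such as the shell change for 'carol' in the sample, is deliberately not flagged, so the alert stream stays focused on the events the report says should reach the IT function.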