Little progress has been made with securing Western Australia universities and TAFEs against cyber security attacks, according to the Audit Results Report 2012 tabled by Western Australian Auditor General, Colin Murphy.
The report (PDF) said that audits were carried out at four universities, four state training providers and three regional providers.
The Auditor General’s department identified 132 information system (IS) control weaknesses in 2012. This compared to 85 weaknesses in 2011 and 108 in 2010.
The increase was due to a greater focus on security and the audit of a newly created state training provider in 2012.
Murphy found that 70 per cent of the weaknesses were rated as moderate, requiring action to be taken as soon as possible. Another 29.5 per cent were identified as minor.
The majority of IS control weaknesses related to access privileges, password controls and physical security.
Murphy said it was “of concern” that 52 of the issues raised in 2012 were unresolved ones from previous audits.
“Most disappointing is the fact that many of the IS issues can be resolved with minimal effort and little expense- and yet if left unresolved, have the potential to compromise the confidentiality, integrity and availability of computer systems and information,” he said in a statement.
“I encourage all the universities and state training providers to act on the issues identified in this report to ensure the continuing integrity of their finances and systems.”
Government departments in the state have also come under scrutiny by Murphy for lax security in his annual Information Systems Audit Report.
In 2012, cyber attacks were carried out against six test agencies – including the WA Police Service, the Department of the Premier and Cabinet, and the Department of Finance—via the Internet while USB devices containing software that would send network specific information across the Internet if plugged in and activated were scattered across the agencies to test their staff.
Murphy found that while the government’s internet service provider (ISP), ServiceNet, had improved its blocking of common attack methods since his 2011 report, once this layer of security was removed the six agencies were vulnerable to attack.
Follow Hamish Barwick on Twitter: @HamishBarwick