In 2022, TEQSA received an unprecedented number of notifications relating to cyber security incidents. These included serious data breaches leading to unauthorised disclosures of personal information and cyber security incidents involving ransomware attacks.
The Australian higher education sector has extensive networks of IT systems and a wide network of users. Its significant holdings of personal information about staff and students and highly valuable repository of world-class research, including intellectual property and research data, present an attractive target for malicious cyber activity.
Maintaining information security was one of TEQSA’s five compliance priorities in 2022. Under the HES Framework, providers must:
- ensure that information systems and records are maintained, securely and confidentially to prevent unauthorised or fraudulent access to private or sensitive information (paragraph 7.3.3(b))
- promote and foster a safe environment, including by advising students and staff on actions they can take to enhance safety and security online (standard 2.3.4)
- have a critical incident policy and readily accessible procedures (standard 2.3.5)
- take preventative action to mitigate foreseeable risks to academic and research integrity (standard 5.2.2)
- exercise due diligence to identify, prevent, and manage risks within a provider’s remit of operations (domain 6).
Additionally, a cyber security incident or significant data breach would trigger an MCN, as there is a heightened risk to students and staff, academic and research integrity, and possible reputational damage.
Our key focus was on the providers’ response to cyber security incidents, including:
- whether the provider met its legal and regulatory obligations, for example, reporting under the Notifiable Data Breaches Scheme and the Security of Critical Infrastructure Act 2018
- how the incident was detected and whether the detection was through routine monitoring
- what the provider did to identify the extent of the problem, minimise the impact and mitigate further or future risks
- whether actions taken in response to the incident were guided by policies and procedures, and whether the framework is routinely reviewed to ensure it remains fit for purpose.
We noted that most cyber security incidents occurred due to the lack of vigilance in following security protocols. Staff agility and preparedness in addressing cyber security incidents were crucial to minimising disruption and further malicious activity.
Our assessment of providers’ responses depended on the information included in the initial notification. In most cases where the provider voluntarily disclosed the information outlined above, we had confidence that the provider was taking appropriate action and we closed the matter. However, in some cases where the notification contained scant information, we sought more information and provided guidance to assist their response. Undoubtedly, comprehensive MCNs build our confidence in the maturity of providers’ governance and the effectiveness of their risk management frameworks.
What providers can do
- Awareness is the first step to preventing cyber security incidents. Providers should ensure that students and staff (including sessional staff) are appropriately trained on how to safeguard sensitive information and access to it.
- Providers must have appropriate policies to identify and address cyber security incidents, and ensure that such policies translate effectively into practice and are embedded in daily operations.
- Providers should be mindful of cyber security threats associated with learning management systems (LMS), particularly if their courses are delivered by a third-party provider.
- Should a cyber security incident occur, providers should take prompt action in accordance with their security and incident response plans, paying close attention to the wellbeing and safety of all affected parties.