Cyber threats for NSW unis (and people whose records they keep on keeping)

Universities in NSW copped from none to 1777 attacks last year, according to the state Auditor General’s report on the system.

The range is due to the different ways universities define “cyber incidents,” with one not recording blocked attempts anywhere.

The Auditor advises 31 per cent did not require IT vendors to tell them about attacks – these must have occurred before July, when universities became required to report “cyber incidents.”

Overall, however, only two “entities” reported financial loss from such incidents, with the highest financial loss being from a single attack using “malicious software” on a “faculty computer laboratory.”

So overall it could have been worse? Yes and two large noes.

The first is, “whilst most entities have not reported direct financial losses from cyber incidents, many required significant effort and costs to respond to known, but unsuccessful incidents.”

And the second is the volume of personally identifiable information universities hold and hold and hold:

* personal information of employees – held between seven years and indefinitely

* personal information of students – held between seven years and indefinitely

* personal information of others (research, commercial activities) – held between seven and 15 years.

“Entities that retain sensitive PII long-term can in time hold greater volumes of information, increasing their risk exposure,” the AG suggests.

Think it’s overstating the risk?

Ask the thousands of former QUT staff who had personal records stolen in the pre-Christmas hack (CMM February 3).