Vancouver Island University’s board fell short in its oversight of cybersecurity risk management, in one case not updating its policy in over a decade, according to a new report from the province’s auditor general.
“Cyberattacks are on the rise,” Michael Pickup said at a news conference at the B.C. legislature press theatre on Tuesday.
Ransomware, data breaches, and other threats can affect individuals, organizations, and critical infrastructure, said Pickup, noting that B.C. university boards have “critical oversight responsibilities” in holding university management to account for cybersecurity risks in their institutions.
The auditor’s office found VIU’s board failed in three categories: failed to oversee mitigation strategies throughout the year; failed to approve an updated risk management policy in over 10 years — since 2012; and failed to properly train new board members on cybersecurity risk management oversight and to update current members on new risks.
“Outdated policies become ineffective and weaken accountability,” Pickup said. Board members must keep up to speed in the evolving area, he said.
Vancouver Island University stores the personal information of 12,000 students and 1,500 faculty and staff who are at its campuses in Nanaimo, Duncan, Parksville and Powell River.
“It is vital for VIU to do everything it can to protect your information and the IT systems that are so important to how the university functions,” said Pickup.
The 15-member VIU board includes eight members appointed by government; five members elected by faculty, staff and students; the university chancellor; and the university president.
Pickup said the audit was approached with an eye to what is practically expected of the university board rather than ideal best practices.
The VIU board said it will act on the four recommendations focused on cybersecurity risk mitigation and responses, board training and development, and updating and regular reviewing of policies and strategies.
VIU was viewed as a “typical size” university suitable for review but Pickup hopes other institutions including government will also review the audit for ways in which they can improve.
“We just picked one and we only looked at this one,” said Pickup. “We can’t be everywhere, auditing everything, but there’s no reason why other organizations, universities, post-secondary institutions can’t pick this up and look at it and do some self assessment, the criteria is there.”
In March 2012 then B.C. information and privacy commissioner Elizabeth Denham found that the University of Victoria failed in its legal obligation to protect the privacy of thousands of its employees after it was discovered that a USB flash drive had been stolen.
The memory card included un-encrypted names, social insurance numbers, as well as banking information for almost 12,000 current and former employees and contractors.
At that time Denham called encryption the “minimum standard for devices like laptops and USB drives.” Denham said the privacy breach, which caused huge costs and stress, was both foreseeable and preventable.
The two-years worth of information dating to 2010 was stolen from UVic after thieves broke into the university’s administration office on Jan. 7, 2012. The flash drive was never recovered.
The office of the auditor general will follow up next year on the implementation of the recommendations for VIU.
Some of the changes are already underway, Pickup said. “Nobody wants to be in a cybersecurity mess, people want this stuff to work well.”
