UW System audit reveals risk of cyber attacks, data theft

GREEN BAY, Wis. (WBAY) A state audit finds the UW System could be an easy target for cyber attacks or hacks if changes are not made to information technology (IT) security systems.

Auditors found risks to accounting, payroll and student data.

The UW System has until the end of August to submit plans to the Joint Legislative Audit Committee on ways to improve security.

In our digital world, think about how much of your personal information and identity lives online.

It's why lawmakers are concerned after the state auditor put a microscope on UW System's IT security.

Auditors found what they label a 'significant deficiency...' with UW's IT policies, procedures and controls, saying 'weaknesses... increase the risk that unauthorized or erroneous transactions could be processed; accounting, payroll, and student data could be changed; or personally identifiable information could be accidentally or maliciously exposed.'

Auditors presented their findings to lawmakers in a summer hearing.

"Further weaknesses in IT security, policies and controls may lead to increased risk of cyber attacks and loss of data," Carolyn Stittleburg, who oversaw the information technology audit, told lawmakers.

What exactly the problems are, we can't know.

Auditors say making that public would make the system even more vulnerable, but it has the attention of UW administrators who've come up with a plan for improvements.

"This issue is a challenge for every higher education institution throughout the country," said Ray Cross, UW System President. "I've asked for a complete Gantt Chart. How many FTEs do you need? How much money do you need? Which of these are of greater priority? We're trying to understand that while dealing with the people's money responsibly while mitigating risk."

"Staying ahead of the threat is incredibly important and our agility is key, but incidents will occur, so our ability to respond and recover quickly is part of the program we're trying to implement," said Katherine Mayer, UW Associate Vice President for Information Security, when lawmakers asked about UW's efforts to reduce cyber threats.

Auditors say they've reported IT security concerns since the early '90s, and improvements have been made, but they say it's not enough.

"That requires an ever constant vigilance on top of a changing environment, which I think is a challenge in general, to be able to put the right kind of policy in place today that can both handle today and anticipate tomorrow correctly," says State Auditor Joe Chrisman.

The UW System must tell lawmakers steps already taken and improvements yet to come by August 31st. It already has a corrective action plan with a long to-do list.

In a statement to Action 2 News, a UW System spokeswoman says:
Information technology security is a top priority for the UW System and its Board of Regents. This issue is a challenge for every higher education institution throughout the country, and every organization has had to enhance their efforts to protect their data and their digital infrastructure. UW System Administration and UW institutions continue to develop and maintain a comprehensive IT security program as recommended by the Legislative Audit. Our policies and practices are focused on continually tightening information security for our university communities.

To see the full report and UW's corrective action plan, click on the link to the right or below.