A report assessing cybersecurity at a B.C. university could improve cybersecurity at all provincial post-secondary institutions and beyond.
At least that is the hope of Auditor-General Michael Pickup after presenting his audit of cybersecurity risk management at Vancouver Island University Tuesday (Aug. 1) at a news conference in the provincial legislature.
The audit — first of its kind since Pickup assumed his current role three years ago and the first involving a post-secondary institution in more than a decade — finds VIU’s board failed to oversee policies and strategies critical to protecting information systems and data.
Pickup said the audit did not consider the day-to-day technical issues of cybersecurity at the university, but rather the role of the university board, which, according to the report, serves as “a line of defence” to protect the university and improve its response to cyber threats.
“For example, the board of governors can evaluate whether management has implemented strategies to mitigate risks to its technology infrastructure,” it reads.
VIU has an enrollment of 12,000 students spread across four campuses and employs 1,500 faculty and staff.
As such, VIU represents only a small sample of the 25 publicly-funded post-secondary institutions in British Columbia and their nearly 180,000 full-time students in 2021-2022.
But if Pickup’s office only audited VIU because of its relative size, the implications of the audit promise to touch the other 24 post-secondary institutions as well, given the crucial and growing importance of IT in post-secondary learning and not just since the COVID-19 pandemic.
Accordingly, Pickup urged other post-secondary institutions to review his findings and the criteria his office used.
“We can’t be everywhere auditing everything, but there is no reason why other organizations, universities (and) post-secondary institutions can’t pick this audit up and look at it and do some self-assessment,” Pickup said.
According to the report, VIU’s board failed in three areas. First, the board lacks a training program in cybersecurity risk management to increase their subject knowledge in areas of risk, including cybersecurity risk.
“Board members need to have up-to-date knowledge of cybersecurity risk management to be effective in their oversight role,” it reads.
Second, the board has not updated its current risk management policy since 2012, more than a decade ago, which may be nothing short of an eternity in the world of IT.
“During the audit period, the board of governors reviewed, but didn’t approve, an updated risk management policy,” it reads.
Third, for most of the last fiscal year, the board of governors had not reviewed cybersecurity risk mitigation strategies, which include compliance with legal and regulatory requirements.
Pickup praised the board for adopting his office’s four recommendations, but noted his office will review their implementation.
He also expressed hope that the findings of the report will inform broader political changes with effects for cybersecurity at large.
Improving oversight of cybersecurity policies and strategies does not reduce risks to zero, he said.
“But it should reduce the likelihood of a risk of bad things happening,” he said. “So you want to do all the appropriate things that one would expect.”