Cyber Security in Australian Higher Education: Board Priorities for 2026

The education sector in Australia continues to be a prime target of cyber security attacks, with digital transformation heightening its risk exposure and vulnerabilities. In a recent public statement, the National Student Ombudsman stated that more than 140,000 university students have been affected by malicious cyber incidents over the past five years.

The widespread use of Artificial Intelligence (AI) in classrooms and faculties is exposing the sector to new risks to data privacy and security. These converging trends make one point clear: cyber security in education is no longer just an IT issue. It now demands that boards set clear cyber security initiatives, policies, and investment plans.

Explore in this article the state of cyber security in Australia’s higher education, including the top priorities and challenges that boards of trustees face. Strengthen resilience against cyber attacks by learning about board management software and how it empowers directors in safeguarding data, systems, and stakeholder trust.

Why is cyber security in Australian higher education now a board-level priority?

Boards must prioritise cyber security because the scope of cyber threats is growing. Between 2020 and 2025, several high-impact cyber incidents have highlighted this urgency.
One notable case is Western Sydney University. Since 2021, it has been a target of credential compromise, data exfiltration, and system manipulation. The perpetrator, a former student of the university, unlawfully published stolen personal and administrative information on the dark web. In response, the university implemented a comprehensive remediation programme and worked with the NSW Police Force Cybercrime Squad to facilitate the arrest.

In a more recent incident, Loyola College in Watsonia, Victoria, was attacked by the ransomware gang Interlock in August. The group exfiltrated 591 GB of data, or over 430,000 files, including passport information, financial records, tax details, and court documents.

These types of incidents intensify the demand for boards to enforce stronger practices around digital innovation, threat detection, incident response, and regulatory compliance. By upholding robust governance, boards can foster a culture centred on security, where staff are empowered with proper training and tools to prevent data breaches and academic disruptions.

Australia’s Regulatory Framework for Higher Education Cyber Security


The education sector in Australia is highly competitive, marked by rigid accreditation programmes and rivalries. However, over the years, it has become more regulated as authorities implement new laws or frameworks to enhance cyber security in Australia.
Here’s a brief list of regulations boards should know to ensure compliance.

1. Cyber Security Act 2024

This major law was passed to implement certain measures proposed by the 2023-2030 Australian Cyber Security Strategy. Under this, organisations are mandated to:

  • Maintain minimum security standards for smart devices.
  • Report ransomware and cyber extortion payments.
  • Establish a Cyber Incident Review Board to lead the production of incident reports.

The Cyber Security Act created mandatory reporting obligations for higher education institutions, ensuring they process every incident with proper investigation and documentation.

2. Higher Education Standards Framework (HESF) 2021

This is a set of quality standards implemented by the Tertiary Education Quality and Standards Agency in 2021. For institutions to receive and remain accredited, they must be guided by these seven domains:

  • student participation and attainment,
  • learning environment,
  • teaching,
  • research and research training,
  • institutional quality assurance,
  • governance and accountability, and
  • information and information management.

Domain 7 specifically highlights the importance of overseeing communication and data systems to prevent breaches and fraudulent access to sensitive information.

3. Security of Critical Infrastructure Act 2018 (SOCI)

SOCI is Australia’s sector-specific cyber security-related law. It applies to 11 sectors with critical infrastructure, including communications, financial services and markets, data storage or processing, the defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, and water and sewerage.
Given the role of higher education institutions in advancing national research and innovation, SOCI mandates enhanced security protocols, risk management practices, and incident reporting processes. Additionally, in cases of severe cyber threats or attacks, the law grants assistance to help institutions manage the crisis.

4. APRA Prudential Standard CPS 234

CPS 234 requires APRA-regulated entities, such as banks and insurance institutions, to build strong cyber resilience. To maintain confidentiality and integrity, boards must uphold the following requirements:

  • Define the roles of the board of directors, senior management, governing bodies, and individuals in overseeing the organisation’s information security;
  • Maintain information security measures in accordance with the organisation’s size, risk exposure, and operations;
  • Implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and
  • Notify APRA of material information security incidents.

Note that CPS 234 doesn’t directly apply to higher education; however, many institutions adopt it as a benchmark for information security governance.

Why do cyber attackers in Australia target colleges and universities?

Colleges and universities are open, collaborative environments where individuals normally generate and exchange data. The high volume of data these institutions handle is valuable, making them lucrative targets for cyber attacks.

In most cases, attackers target colleges and universities to:

Obtain stakeholders’ personal data

Students, teachers, staff, parents, and suppliers provide personal information to institutions for academic or administrative purposes. Cyber attackers target this information because it is useful for identity theft and fraud.

Intercept research outputs and intellectual properties

One of the most common ways educational institutions are recognised is through research outputs. While students and faculty produce research for awards, cyber attackers view their outputs as high-value intellectual properties. They can be sold to corporations or governments seeking early access to innovations, especially in biotechnology, engineering, military, medicine, and artificial intelligence.

Exploit third-party vulnerabilities

Institutions acquire third-party services for various functions, including learning management systems, cloud storage, research tools, payment, library systems, and HR platforms.
When these decentralised IT infrastructures are poorly governed, they can create “back door” entry into university systems, which cyber attackers can take advantage of to disrupt transactions and processes.

Capitalise on insufficient cyber security investment

Higher education institutions are primarily funded by the state and teaching grants. This puts pressure on boards to align their goals with those of the funders — improving the quality of education by investing in high-quality teaching resources. In some instances, this causes boards to narrow strategic focus, leading them to overlook other critical parts, such as cyber security. When that happens, they become less resistant to cyber attacks in Australia.

Top Cyber Threats in Australian Higher Education & What Boards Can Do


Cyber attacks take many forms, and boards should be knowledgeable to recognise these threats and ensure their institutions are prepared to detect and prevent them. Here are some of the most common cyber attacks threatening Australian colleges and universities today.

Social Engineering

Sending phishing emails to individuals is a rampant threat to institutions. When individuals divulge sensitive information to spoofed websites, attackers may use it to execute malware attacks across the institution.

What Boards Can Do

  • Utilise email filtering tools and anti-virus solutions for proper management of spam emails.
  • Use firewall filtering to allow only reputable domains.
  • Conduct regular security awareness training for stakeholders to help them identify, resist, and report phishing emails.

Distributed Denial of Service (DDoS) Attacks

DDoS attacks happen when a large amount of network traffic overwhelms a website, degrading its services and functionality. Once the site is flooded, legitimate users are denied access. When cyber attackers take over, they can sell the whole infrastructure to other attackers or hacktivists.

What Boards Can Do

  • Build a backup site for users to redirect to when traffic on the main website is clogged up. By implementing network redundancy, institutions can ensure a smooth user experience even during peak hours or attacks.

Cyber Espionage

This happens when individuals or organisations use digital tools to bypass system access controls and obtain valuable information. The motive for cyber espionage may vary. It could stem from financial gain, insider threat, hacktivism, market advantage, or even state sponsorship.
Whatever the motive, educational institutions are vulnerable to this type of attack due to the amount of research archives, intellectual property, and personal information they store.

What Boards Can Do

  • Implement strong access controls over critical documents and systems (e.g., multi-factor authentication (MFA), role-based access permissions, and document encryption).
  • Monitor network traffic and user activity using intrusion detection and prevention systems (IDPS) to instantly flag unauthorised access attempts.

Compliance Risk

Given the stringent regulatory landscape in which Australia’s higher education sector operates, institutions with weak compliance and information infrastructure are likely to face penalties or loss of accreditation. By referencing outdated policies, enforcing ineffective internal controls, or mishandling data, institutions are at high risk of non-compliance.

What Boards Can Do

  • Define roles and expectations for uncomplicated policy implementation and stronger accountability across the board and among executives.
  • Compliance has to start at the top. Encourage senior management to campaign for compliance by being an example to staff.

Strategic Priorities for Cyber Security Governance in Australian Higher Education

Cyber risks are no longer confined to the IT department. They now extend to other business functions, particularly in finance, compliance, and governance. As a result, the priorities of boards have shifted towards stronger oversight and informed decision-making.

Ensure effective cyber security governance in 2026 and beyond by:

Strengthening compliance oversight

Regulators are focused on building a stronger cyber governance framework, causing them to pass new laws or amendments faster. This challenges boards to have robust monitoring systems that could inform and refine their strategic decisions. Without clear visibility into compliance gaps, they may struggle to respond quickly to regulatory changes, thereby increasing compliance risks.

Modernising legacy systems to reduce vulnerability

Modernising information infrastructure requires a significant amount of budget. For institutions relying on grants and government funds, allocating sufficient amounts to transition from legacy systems may not be possible instantly.

The financial constraint often forces boards to prioritise short-term goals over the long-term impact of digital transformation. As a result, legacy systems remain in use for longer, further heightening vulnerability to cyber attacks.

Enhancing AI governance and ethics

The rate of AI adoption across Australian universities is outpacing institutional controls and governance maturity. As more institutions allow generative AI into teaching, research, and administration, they are likely to encounter more gaps in AI ethics and policies — a concern that regulators are actively trying to resolve.
For example, according to ABC News, the Australian Catholic University registered almost 6,000 cases of alleged academic misconduct in 2024, of which 90% were referrals related to AI use.

Closing cyber security skills gaps

The recently published 2025 State of Cybersecurity Report by ISACA found that 54% of cyber security teams in Australia are understaffed, highlighting the widening skills gap in the country.
While the demand for technical cyber security professionals is high, 36% of respondents said it usually takes three to six months to find the right fit for entry-level roles. What does this mean? Australia’s cyber security landscape is changing so fast that only a handful of professionals are well-equipped to help organisations.

For ISACA’s Oceania Ambassador, Jo Stewart-Rattray, boards should prioritise rebuilding the talent pipeline by investing in training despite economic challenges. According to her, “The data shows fewer organisations are training non-security staff into cyber roles, even though most organisations acknowledge they are understaffed. This approach is unsustainable. Boards need to prioritise cyber training and cross-skilling programmes and recognise that developing people is the fastest, most sustainable path to resilience.”

How Board Management Software Strengthens Cyber Governance


What is cyber governance in higher education? It refers to a strategic framework that structures policies, roles, and processes to guide institutions in managing cyber risks in alignment with their mission and vision. There are many digital tools in the market that promise stronger cyber security measures to boards. Board management software stands out because it not only comes with enterprise-grade security but also features to enhance governance, risk management, and compliance.

Discover how board management software helps boards improve overall oversight and cyber security resilience in education.

Robust encryption and access controls

Board management software secures every document that circulates within its environment with end-to-end encryption, both in transit and at rest. This protects sensitive board discussions and resolutions, preventing interception and unauthorised access. In addition, it enables role-based user permissions, granting boards granular controls over who can edit, view, or download board papers. This reduces the risk of malicious or accidental breaches, strengthening document security and cyber security governance.

Centralised data collection and decision-making

The platform becomes the single entry point for proposals, meeting minutes, agendas, and policies. This streamlines governance practices by eliminating disjointed workflows and “back door” entry points that cyber attackers commonly exploit.

During strategic planning, board management software enhances the board’s visibility into key reports and materials, enabling more informed and collaborative decision-making among executives. For example, the board can facilitate the approval and monitoring of cyber security investments within the same environment, where all supporting documents are readily linked.

Secured on-premise and cloud hosting

For secure, flexible, and compliant data management, board portal software offers hosting built on high-quality IT infrastructure, whether on-premises or in the cloud. The tool undergoes rigorous audits to meet international certifications such as ISO, IRAP, and SOC. This also ensures they are compliant with key data protection regulations like the General Data Protection Regulation (GDPR) and the Australian Privacy Principles (APPs).

Improved audit trails and accountability

Board management software is built with tamper-resistant audit logs that trustees can utilise to identify foreign or suspicious activities. For institutions, audit trails shorten incident investigation and reporting, in support of various regulations that require it, such as the Cyber Security Act and SOCI. As a result, the board can lead with greater transparency and confidence even in a highly regulated environment.

Frequently Asked Questions About Cyber Security in Australian Higher Education

Do Australian colleges and universities need a cyber security committee?

Yes. Australian colleges and universities should establish a committee to assist boards in executing and monitoring cyber security initiatives. Given the growing complexity of cyber risks due to cloud adoption, AI, and digitalisation, having a dedicated team would help:

  • Promote security awareness across academic and administrative units
  • Monitor compliance with Australian regulations and international standards (e.g., Cyber Security Act, HESF, and SOCI)
  • Align cyber security plans with overall strategic plans
  • Integrate risk management in key processes to improve operational resilience and business continuity

How can the board of trustees evaluate its cyber security governance in Australia?

The board of trustees can evaluate cyber security governance by first determining the institution’s overall cyber security posture. This involves assessing the maturity of security policies, controls, and processes to reveal gaps. Key areas to review when evaluating cyber security performance include threat and response management, incident response, governance and compliance, and security awareness.

Convene Board Portal: Your Partner in Secure and Compliant Cyber Governance for Higher Education


By now, it’s clear how the scope of cyber security for schools has widened. To achieve holistic cyber governance, higher education boards must move beyond reactive risk management and adopt purpose-built governance tools to support informed and timely decision-making.

Convene Board Portal empowers boards to do exactly that. Built with enterprise-grade security and intuitive governance workflows, our board management software ensures that cyber risks and compliance obligations aren’t overlooked. It offers e-signatures, real-time voting, audit trails, and AI-driven features, enabling boards to resolve issues faster and investigate cyber incidents with full transparency.

Compliant with leading industry best practices, Convene Board Portal is a CMMI Level 5 company that aligns with the Australian Institute of Company Directors (AICD) and is accredited by the Australian Government’s Information Security Registered Assessors Programme (IRAP). This means boards can fully trust the platform to handle their data with the highest levels of integrity and compliance.

Book a demo of Convene Board Portal and take the first step towards proactive and transparent cyber governance.



Jean Olaje

Jean is a Content Marketing Specialist at Convene, with over four years of experience driving brand authority and influence growth through effective B2B content strategies. Eager to deliver impactful results, Jean is a data-driven marketer who combines creativity with analytics. In her downtime, Jean relaxes by watching documentaries and mystery thrillers.
