Cyber Attacks Plague NSW Universities, Auditor-General Finds
NSW universities are facing mounting cybersecurity challenges and struggling with artificial intelligence governance despite achieving record revenue of $A14.3 billion in 2024, according to a new report from the NSW Auditor-General.
The comprehensive audit of 10 public universities reveals a sector vulnerable to cyberattacks while grappling with the rapid adoption of AI technologies without adequate oversight frameworks.
The report found cyber security incidents are highly prevalent across NSW universities, with seven out of ten institutions experiencing incidents in 2024. The most common types include compromised user accounts, malware from emails, data breaches and scams.
One NSW university was subject to numerous and pervasive cyber security attacks from 2023 to 2025, resulting in data breaches that affected up to 10,000 individuals. These included breaches of personally identifiable information.
The data breaches requiring mandatory notification under NSW law were "mainly caused by phishing attacks and human error", highlighting fundamental security weaknesses that persist despite increased investment.
Universities are failing to follow their own cybersecurity procedures, with the audit finding that:
- One university did not follow procedures when recording cyber incidents
- Three universities failed to properly document cybersecurity data breaches
- Three universities inadequately recorded privacy data breaches
Universities' cyber security training completion rates are low and the training excludes students, despite students representing a significant insider threat vector. Completion rates among staff ranged from just 35% to 95%, with four universities reporting rates below 60%.
Alarmingly, three universities do not use simulated phishing attacks for training, despite phishing being the most prevalent cyber attack method.
AI Adoption Outpaces Governance
The report reveals widespread adoption of artificial intelligence across universities without adequate oversight. Four universities do not have a complete picture of which AI products they have implemented.
Among institutions that track their AI usage, deployment varies dramatically - from as few as five AI tools to as many as 60, including pilot programs. Yet none of the universities that documented their AI tools captured all the essential information about purpose, intended use, and limitations.
Three universities have yet to establish formal AI policies or embed the consideration of AI into existing policies, despite the technology's strategic importance and associated risks.
The governance gaps are particularly concerning given universities' role in training the next generation and their handling of sensitive research data. Only four universities have an overall owner responsible for AI adoption and use, and only four provide guidance on pre- and post-implementation product testing.
Financial Recovery Masks Underlying Vulnerabilities
While universities celebrated a return to surplus with combined net income of $583 million in 2024 - a dramatic improvement from the $93 million deficit in 2023 - the financial recovery appears to mask significant operational vulnerabilities.
The revenue surge was driven primarily by a 25.5% increase in overseas student fees, with enrollment jumping 18.9%. However, this success brings concentration risk, as over 43% of fees and charges revenue came from overseas students from just three countries: China, India and Vietnam.
Despite the financial turnaround, operational security weaknesses persist. The audit identified 98 findings across the 10 universities, with 62% of control deficiencies related to information technology/cyber security, governance and payroll.
Seven universities had deficiencies in managing user access to key systems, including controls over privileged user accounts - a fundamental security control that should be routine.