Cyber Security Risks for Not-For-Profit Organisations

Australian organisations have been in the news over the last two years for high profile Cyber Security breaches. Several Australian not-for-profit organisations have suffered significant cyber security breaches over this period, with up to 12% of Australian NFPs being impacted. Prominent attacks included St Vincent’s Health being targeted via apparently stolen login credentials, and an attack which disrupted Life Saving Victoria’s operations.

Australian Not-For-Profit organisations encompass a broad range of organisations pursuing a range of charitable purposes. They include organisations of all sizes in the health, social welfare, community services, education, sporting clubs, religious services, recreational activities, environmental, training, counselling sectors and many more. Many of them are economically significant.

Charities and Not-for-Profit organisations can be particularly vulnerable to cyber incidents because they often lack the technological expertise and resources to implement robust cyber security measures. Cyber Security incidents at these organisations have led to the loss of sensitive and valuable information, service disruptions, unauthorised alterations to systems, reputational damage and long recovery processes.

Key cyber security risks that Charities and Not-for-Profit organisations face include:

1. Volunteers have access to sensitive personal or organisational information

Volunteers may inadvertently misuse their access to sensitive information. In many Not-For-Profits the Board, and some staff, are volunteers. The fact that they are not remunerated does not reduce their legal responsibilities and duties as officers and directors. A lack of financial or human resources does not provide legal protection or an excuse for a Board’s failure to fulfil its duties, including in Cyber Security, particularly when a data breach can result in direct harm to individuals.

2. Improperly Stored Donor Information

Many Not-for-Profit organisations rely on donors and supporters to function. Mishandling donor and supporter personal information can lead to privacy breaches and significant reputational damage which can take years to recover from. It is vital that donor information be securely stored and managed.

3. Third-Party Supplier Data Breaches

Lacking internal resources and infrastructure, Not-for-Profit organisations often rely on third-party suppliers for services or software. If a supplier is compromised or suffers a data breach, the Not-for-Profit’s information and operations can be affected. Two of Australia’s most serious recent cyber security breaches resulted from third-party suppliers being compromised, so the issue is not limited to Not-for-Profits.

CyBiz’s earlier blog provided insights into Managing Third-Party Cyber Security Risk (cybiz.au).

4. Ransomware Attacks and Email Phishing Schemes

Cybercriminals target Not-for-Profit organisations just as they do every other organisation in Australia, and they are equally exposed to data theft and ransomware.

Cyberattacks can lead to significant financial losses, which can be particularly devastating for organisations with limited resources, as well as disrupting operations and hindering their ability to deliver services and fulfil their mission. The Australian Government’s cyber security recommendations for Charities and Not-for-Profit organisations include:

CyBiz has provided services for many organisations in the Not-for-Profit sector and offers special pricing for Cyber Security Hygiene Assessments, Penetration Testing, Development of Policies and Materials, and Incident Response.

Contact CyBiz for further information about how we can help your Charity or Not-for-Profit organisation manage Cyber Security risks.