Interested in discovering how a cyber-first Managed Service Provider can transform your business? Dive into the transformative advantages of specialized cybersecurity and IT support. Utilize our customized resources crafted to steer your business towards a future that’s more secure, efficient, and aligned with your objectives. Embark on your journey with us today.
Australian Not-for-profit organisations, much like their global counterparts, play a vital role in supporting vulnerable communities, such as low-income families, children, and the elderly. However, their noble missions make them prime targets for cybercriminals seeking to exploit sensitive data. In this blog post, we’ll explore the unique security challenges faced by Australian not-for-profits and provide actionable insights to help defend against these threats.
There are over four million nonprofits worldwide, many of which are small to medium-sized organisations with fewer than 50 employees. There are approximately 60,000 registered charities in Australia. According to the Australian Bureau of Statistics, Australia’s population was 25,978,935 people at 30 June 2022. This equates to approximately one charity for every 433 Australians.
Australia’s charity sector comprises charities of different sizes – from tiny local community groups to large universities and international aid organisations. For the 2021 Annual Information Statement, the ACNC (Australian Charities and Not-for-profits Commission) classified charities into three size categories:
- Small charities (annual revenue of under $250,000): 65%
- Medium charities (annual revenue of $250,000 or more but under $1 million): 16.1%
- Large charities(annual revenue of $1 million or more): 18.9 %
Despite their size, these nonprofits share similar goals with larger counterparts, such as saving lives, serving underserved communities, environmental protection, and more. However, they often face the challenge of limited resources, making it difficult to invest in cutting-edge technology, provide IT training for staff, hire IT support personnel, or enhance their cybersecurity measures.
of Australian NFPs are not considering or have made no progress on establishing a cybersecurity and privacy uplift program
-PwC’s 3rd Annual Not-for-profit CEO Survey-
of charities are extra small, with annual revenue of less than $50,000.
-ACNC, AUSTRALIAN CHARITIES REPORT – 9TH EDITION-
What Does It Take to Secure the Future of Australian Not-for-Profits (NFPs) in Cyberspace?
Cybersecurity Wake-Up Call: Vulnerabilities Plague Australian Not-for-Profits Sector
A recent report from the Australian Nonprofits State of the Sector 2023 has uncovered worrisome concerns within the realm of Australian charities and not-for-profits. The study revealed that one in five of these organizations harbors fears that a cyber security attack could wreak havoc on their operations. Furthermore, the report disclosed that 8% of the survey participants acknowledged falling victim to a cyber security incident within the past year. These disconcerting revelations follow closely on the heels of the distressing Pareto Phone data breach incident, where cybercriminals released the personal information of over 50,000 charity donors into the dark corners of the web. This breach had severe repercussions, affecting as many as 70 charities, including well-known entities such as the Fred Hollows Foundation, Amnesty International, the Australian Conservation Foundation, and the Cancer Council.
Security Challenges Faced by Not-for-Profit Organisations
The not-for-profit sector plays a crucial role in addressing societal challenges and making a positive impact on communities around Australia. However, nonprofit organisations face a myriad of challenges, from rising operating expenses to data security and privacy concerns. In this blog post, we will explore how not-for-profit leaders can overcome these challenges and maximise productivity through Microsoft’s discounted solutions, specifically the Microsoft 365 not-for-profit program.
1. Limited Resources, Heightened Vulnerability:
Australian not-for-profits often operate on tight budgets, lacking the financial resources of for-profit companies. This financial constraint can leave them more vulnerable to cyberattacks. With cybercriminals targeting sensitive data, including social security numbers, the stakes are high.
2. Third-Party Vendor Risks:
Many not-for-profits rely on third-party vendors to manage sensitive data, like donor information and medical records. However, if these vendors suffer a breach, the not-for-profit’s data is also at risk. Mitigating this risk requires stringent vendor management practices.
3. The Threat of Email Phishing:
Email phishing remains a significant threat. Cybercriminals use social engineering tactics to trick employees into revealing sensitive information. Awareness training and robust email filtering systems are essential defenses.
4. Insider Threats and Employee Negligence:
Internal data breaches often result from employee negligence or malicious actions. Australian not-for-profits should invest in employee training on security best practices and monitor login activities for unusual patterns.
5. Malware and Ransomware Attacks:
Viruses and malicious software can infect not-for-profit computers and mobile devices. Ransomware, in particular, poses a severe threat by encrypting data and demanding payment for decryption. Regular software updates and employee awareness are crucial.
6. Natural Disasters and Connectivity Disruptions:
Natural disasters like storms and floods can disrupt not-for-profit operations by causing power outages and physical damage to infrastructure. Business continuity planning and secure data backups are vital.
7. Legal Consequences and Reputation Damage:
Data breaches can lead to legal consequences, including fines and restitution. More importantly, they can tarnish an organisation’s reputation, affecting future fundraising efforts and overall mission support.
8. Tailoring Cybersecurity Measures:
To defend against these threats effectively, Australian not-for-profits should tailor their cybersecurity measures to their unique risk profiles. Identifying likely attack vectors and prioritising security measures are essential steps.
Download eBook and strengthen your nonprofit’s digital security
In this ebook, we will delve deeper into the multifaceted implications of data breaches for nonprofits and demonstrate how you can establish a secure, contemporary, and efficient cloud-based work environment.
Legal Obligations for Australian Not-for-Profit
At a general level, all not-for-profit organisations registered with the ACNC must continue to be not-for-profit and pursue charitable purposes. They must also keep financial records, and report information annually – including financial information.
Depending on the location and nature of your organisation’s operations, there may be other state, federal or overseas legislation with which your charity must comply. This means your charity may have legal obligations for the way it collects and stores information. This will depend on the location and nature of your not-for-profit organisation’s operations.
You should consider getting legal advice to fully understand what legal obligations there may be for your charity.
What is Personal and sensitive information?
Personal information and sensitive information are defined in the Privacy Act 1988 (Cth) (the Privacy Act).
- Personal information is information or an opinion about an identified person (or a person that can reasonably be identified), regardless of whether the information or opinion is true or recorded in a material form.
- Sensitive information is a subset of personal information and may include, for example, a person’s religious or philosophical beliefs, sexual orientation or health information.
The Privacy Act has requirements for the way personal information and sensitive information are collected and stored. The Office of the Australian Information Commissioner’s (OAIC) Australian Privacy Principles guidelines have information about these requirements.
41% of Nonprofits are unsure how they handle data privacy and if they are compliant. 1 in 4 say they do not store data. Only 1 in 3 nonprofits say they are compliant with data privacy regulations.
Risks and possible consequences
It is not only large companies and government agencies that can fall victim to cyber attacks. Charities – even smaller ones – can be targeted too. And, often having weaker defences, smaller charities can be especially vulnerable.
Commons cyber security risks include:
- unauthorised access to a device, network or system
- viruses or other malicious software that can collect, change or delete information and spread throughout a network
- fake emails or websites set up to trick someone into revealing personal or sensitive information.
The consequences of an incident can be significant. They may include:
- loss of crucial information
- disruption to services
- unauthorised changes to your charity’s information and systems
- expensive costs to restore data and services
- costs of notification and investigation (including legal costs)
- costs arising from the attack itself (for example, extortion or ransomware)
- regulatory action and penalties
- loss of trust and reputation.
When a charity has inadequate security for its computer systems, it is more vulnerable to attacks and less likely to be able to detect them. This can then make responding to attacks more difficult and can increase the time and cost of recovery.
Protecting your Not-for-profit organisations from cyber attacks
Not-for-profit organisations confront various cybersecurity risks that can severely affect their mission and expose them to legal consequences. Safeguarding donor privacy is paramount, preventing unauthorised disclosure of donor data. Stolen donor information may be exploited for marketing or other purposes. Inadequate security not only risks data exposure but also potential legal repercussions, including fines and restitution. Cybersecurity breaches can tarnish an organization’s reputation, impacting future fundraising and activities.
Mitigating these risks involves adhering to sound cyber security principles. To begin, understand your organization’s risk profile, identifying likely attack vectors and crucial assets requiring protection. Prioritise security measures accordingly, encompassing not only networked computers and servers but also connected devices like mobile gadgets and IoT appliances.
Implement Multi-Factor Authentication (MFA):
Multifactor authentication (MFA) is a security solution requiring users to verify or validate their identity using several ways to access accounts. It’s intended to increase account security and prevent unauthorized account access. That’s why it goes above the minimum degree of protection that can be accomplished with just one factor, often a password.
The fundamental advantage of using MFA to secure your accounts is that it increases the security of your business. This happens by forcing users to identify themselves with more than just a username and password. While using a name and password is crucial in security, this level of security is vulnerable to penetration by hackers. These account credentials can also be stolen easily by third parties. (2)
When you enforce the usage of an MFA element such as a fingerprint, one-time passwords (OTPs) sent on email or phone or by answering security questions increases your organization’s security. There’s also increased trust in your company’s ability to protect itself against cyber attackers.
Embrace Regular Software Updates:
Obsolete software and operating systems frequently serve as entry points for security breaches. Mitigating certain cyberattacks can be achieved by updating software to the latest version and patching known vulnerabilities. Network security commences with the firewall, a critical initial barrier against cyber threats. When opting for a firewall, choose one tailored to your organization’s size and security requirements. Small organisations may benefit from a DIY firewall solution, like an open-source firewall, while medium and large organisations are better served by commercial firewall solutions. It’s essential to maintain your firewall with up-to-date software and firmware.
Encrypt Sensitive Information:
Encrypt sensitive data, both in transit and at rest. This includes donor information, login credentials, and credit card numbers. Ensure that all web traffic is encrypted for secure communication. Using encryption and a secure website helps protect information during online financial transactions. Whether accepting donations or accepting payment through an online store, protecting customer and company data should be a top concern for nonprofit cybersecurity.
Promote Privacy and Security Best Practices:
Educate staff, donors, and website visitors about privacy and security best practices. A well-informed community is a powerful defence against cyber threats. The internet has transformed the landscape of fundraising for not-for-profits, presenting both opportunities and challenges. Ensuring the security of your website is paramount for safeguarding sensitive information.
However, it’s crucial to understand that while network security is a vital component, it should be part of a more comprehensive information security strategy. Each organisation’s security needs are unique, and there’s no universal solution.
Budgets for Cybersecurity - A Cause for Concern
There is a concerning lack of funding allocated to cybersecurity solutions for nonprofits across to cyber security solutions for nonprofits across the board. More than two times the number of DGR registered organizations have a budget compared to Non-DGR, however 85% and 93% of DGR and Non-DGR have no budget respectively.
This clarifies why organisations have demonstrated what is perceived to be a low-understanding of data handling privacy and what the potential impacts of a cyber security incident may have on their organisation. Fundraising organisational operations are expected to continue to transition online as fundraising digital payments, and government reporting systems all transition from analog methods.
The potential for cyber attacks to devastate nonprofit organisations, erode trust in donors who support the organisations ad beneficiaries who rely on their services is significant.
This could lead to the exploitation of Australia’s most vulnerable people and the loss of life saving services and jobs. If sensitive data about beneficiaries such as those receiving assistance for medical diseases or mental health were to be breached, this could result in severe damages to the people whose data has been breached.
In an era of increasing cyber threats, Australian not-for-profit organisations must remain vigilant to protect their crucial work. By understanding the unique security challenges they face and implementing tailored cybersecurity measures, these organisations can continue to serve their communities while safeguarding sensitive data and preserving their reputations.
Cyber Security Solutions made easy
with Kaine Mathrick Tech
More information and resources
- Managing people’s information and data, ACNC
- Damn good advice on cyber safety and fraud prevention, Our Community
- Guide to conducting privacy impact assessments, OAIC
- Notifiable data breaches, OAIC
- Australian Cyber Security Centre, Australian Signals Directorate
- Creating a cybersecurity policy, Business.gov.au
- Cyber security: Small charity guide, National Cyber Security Centre (UK)
- Protecting charities from fraud and cyber crime, Charity Commission of England and Wales (UK)
- Cyber security, Digital Transformation Hub