Safeguarding Not-for-Profit: Cybersecurity Risks and Solutions

Australian Not-for-profit organisations, much like their global counterparts, play a vital role in supporting vulnerable communities, such as low-income families, children, and the elderly. However, their noble missions make them prime targets for cybercriminals seeking to exploit sensitive data. In this blog post, we’ll explore the unique security challenges faced by Australian not-for-profits and provide actionable insights to help defend against these threats.

There are over four million nonprofits worldwide, many of which are small to medium-sized organisations with fewer than 50 employees.  There are approximately 60,000 registered charities in Australia. According to the Australian Bureau of Statistics, Australia’s population was 25,978,935 people at 30 June 2022. This equates to approximately one charity for every 433 Australians.

Australia’s charity sector comprises charities of different sizes – from tiny local community groups to large universities and international aid organisations.  For the 2021 Annual Information Statement, the ACNC (Australian Charities and Not-for-profits Commission) classified charities into three size categories:

• Small charities (annual revenue of under $250,000): 65%
• Medium charities (annual revenue of $250,000 or more but under $1 million): 16.1%
• Large charities(annual revenue of $1 million or more): 18.9 %

Despite their size, these nonprofits share similar goals with larger counterparts, such as saving lives, serving underserved communities, environmental protection, and more. However, they often face the challenge of limited resources, making it difficult to invest in cutting-edge technology, provide IT training for staff, hire IT support personnel, or enhance their cybersecurity measures.

Cybersecurity Wake-Up Call: Vulnerabilities Plague Australian Not-for-Profits Sector

A recent report from the Australian Nonprofits State of the Sector 2023 has uncovered worrisome concerns within the realm of Australian charities and not-for-profits. The study revealed that one in five of these organizations harbors fears that a cyber security attack could wreak havoc on their operations. Furthermore, the report disclosed that 8% of the survey participants acknowledged falling victim to a cyber security incident within the past year. These disconcerting revelations follow closely on the heels of the distressing Pareto Phone data breach incident, where cybercriminals released the personal information of over 50,000 charity donors into the dark corners of the web. This breach had severe repercussions, affecting as many as 70 charities, including well-known entities such as the Fred Hollows Foundation, Amnesty International, the Australian Conservation Foundation, and the Cancer Council.

The not-for-profit sector plays a crucial role in addressing societal challenges and making a positive impact on communities around Australia. However, nonprofit organisations face a myriad of challenges, from rising operating expenses to data security and privacy concerns. In this blog post, we will explore how not-for-profit leaders can overcome these challenges and maximise productivity through Microsoft’s discounted solutions, specifically the Microsoft 365 not-for-profit program.

Australian not-for-profits often operate on tight budgets, lacking the financial resources of for-profit companies. This financial constraint can leave them more vulnerable to cyberattacks. With cybercriminals targeting sensitive data, including social security numbers, the stakes are high.

Many not-for-profits rely on third-party vendors to manage sensitive data, like donor information and medical records. However, if these vendors suffer a breach, the not-for-profit’s data is also at risk. Mitigating this risk requires stringent vendor management practices.

Email phishing remains a significant threat. Cybercriminals use social engineering tactics to trick employees into revealing sensitive information. Awareness training and robust email filtering systems are essential defenses.

Internal data breaches often result from employee negligence or malicious actions. Australian not-for-profits should invest in employee training on security best practices and monitor login activities for unusual patterns.

Viruses and malicious software can infect not-for-profit computers and mobile devices. Ransomware, in particular, poses a severe threat by encrypting data and demanding payment for decryption. Regular software updates and employee awareness are crucial.

Natural disasters like storms and floods can disrupt not-for-profit operations by causing power outages and physical damage to infrastructure. Business continuity planning and secure data backups are vital.

Data breaches can lead to legal consequences, including fines and restitution. More importantly, they can tarnish an organisation’s reputation, affecting future fundraising efforts and overall mission support.

To defend against these threats effectively, Australian not-for-profits should tailor their cybersecurity measures to their unique risk profiles. Identifying likely attack vectors and prioritising security measures are essential steps.

At a general level, all not-for-profit organisations registered with the ACNC must continue to be not-for-profit and pursue charitable purposes. They must also keep financial records, and report information annually – including financial information.

Most Not-for-profit organisations must also comply with the ACNC Governance Standards and, for charities operating overseas, the External Conduct Standards.

Depending on the location and nature of your organisation’s operations, there may be other state, federal or overseas legislation with which your charity must comply. This means your charity may have legal obligations for the way it collects and stores information. This will depend on the location and nature of your not-for-profit organisation’s operations.

You should consider getting legal advice to fully understand what legal obligations there may be for your charity.

41% of Nonprofits are unsure how they handle data privacy and if they are compliant. 1 in 4 say they do not store data. Only 1 in 3 nonprofits say they are compliant with data privacy regulations.

-ACNC, Australian Nonprofits State of the Sector 2023 report–

It is not only large companies and government agencies that can fall victim to cyber attacks. Charities – even smaller ones – can be targeted too. And, often having weaker defences, smaller charities can be especially vulnerable.

Commons cyber security risks include:

• unauthorised access to a device, network or system
• viruses or other malicious software that can collect, change or delete information and spread throughout a network
• fake emails or websites set up to trick someone into revealing personal or sensitive information.

The consequences of an incident can be significant. They may include:

• loss of crucial information
• disruption to services
• unauthorised changes to your charity’s information and systems
• expensive costs to restore data and services
• costs of notification and investigation (including legal costs)
• costs arising from the attack itself (for example, extortion or ransomware)
• regulatory action and penalties
• loss of trust and reputation.

When a charity has inadequate security for its computer systems, it is more vulnerable to attacks and less likely to be able to detect them. This can then make responding to attacks more difficult and can increase the time and cost of recovery.

Not-for-profit organisations confront various cybersecurity risks that can severely affect their mission and expose them to legal consequences. Safeguarding donor privacy is paramount, preventing unauthorised disclosure of donor data. Stolen donor information may be exploited for marketing or other purposes. Inadequate security not only risks data exposure but also potential legal repercussions, including fines and restitution. Cybersecurity breaches can tarnish an organization’s reputation, impacting future fundraising and activities.

Mitigating these risks involves adhering to sound cyber security principles. To begin, understand your organization’s risk profile, identifying likely attack vectors and crucial assets requiring protection. Prioritise security measures accordingly, encompassing not only networked computers and servers but also connected devices like mobile gadgets and IoT appliances.

Multifactor authentication (MFA) is a security solution requiring users to verify or validate their identity using several ways to access accounts. It’s intended to increase account security and prevent unauthorized account access. That’s why it goes above the minimum degree of protection that can be accomplished with just one factor, often a password.

The fundamental advantage of using MFA to secure your accounts is that it increases the security of your business. This happens by forcing users to identify themselves with more than just a username and password. While using a name and password is crucial in security, this level of security is vulnerable to penetration by hackers. These account credentials can also be stolen easily by third parties. (2)

When you enforce the usage of an MFA element such as a fingerprint, one-time passwords (OTPs) sent on email or phone or by answering security questions increases your organization’s security. There’s also increased trust in your company’s ability to protect itself against cyber attackers.

Also: MFA Multifactor Authentication

Obsolete software and operating systems frequently serve as entry points for security breaches. Mitigating certain cyberattacks can be achieved by updating software to the latest version and patching known vulnerabilities. Network security commences with the firewall, a critical initial barrier against cyber threats. When opting for a firewall, choose one tailored to your organization’s size and security requirements. Small organisations may benefit from a DIY firewall solution, like an open-source firewall, while medium and large organisations are better served by commercial firewall solutions. It’s essential to maintain your firewall with up-to-date software and firmware.

Also: Technology, Cyber Security & the new modern workplace

Encrypt sensitive data, both in transit and at rest. This includes donor information, login credentials, and credit card numbers. Ensure that all web traffic is encrypted for secure communication. Using encryption and a secure website helps protect information during online financial transactions. Whether accepting donations or accepting payment through an online store, protecting customer and company data should be a top concern for nonprofit cybersecurity.

Also: A Guide To Securing And Storing Sensitive Information

Educate staff, donors, and website visitors about privacy and security best practices. A well-informed community is a powerful defence against cyber threats. The internet has transformed the landscape of fundraising for not-for-profits, presenting both opportunities and challenges. Ensuring the security of your website is paramount for safeguarding sensitive information.

However, it’s crucial to understand that while network security is a vital component, it should be part of a more comprehensive information security strategy. Each organisation’s security needs are unique, and there’s no universal solution.

Also: On-demand Cyber Security Best Practice Learning Centre

In an era of increasing cyber threats, Australian not-for-profit organisations must remain vigilant to protect their crucial work. By understanding the unique security challenges they face and implementing tailored cybersecurity measures, these organisations can continue to serve their communities while safeguarding sensitive data and preserving their reputations.

• Managing people’s information and data, ACNC
• Damn good advice on cyber safety and fraud prevention, Our Community
• Guide to conducting privacy impact assessments, OAIC
• Notifiable data breaches, OAIC
• Australian Cyber Security Centre, Australian Signals Directorate
• Creating a cybersecurity policy, Business.gov.au
• Cyber security: Small charity guide, National Cyber Security Centre (UK)
• Protecting charities from fraud and cyber crime, Charity Commission of England and Wales (UK)
• Cyber security, Digital Transformation Hub