Australian Nonprofit Cyber Security Is So Poor It Might Be Affecting Donations
Your email has been sent
Research from Infoxchange indicates that poor cyber security practices in Australia’s not-for-profit sector are putting its donors’ and communities’ data at risk.
The not-for-profit sector is one of Australia’s biggest employers and revenue sources. 1.4 million people work in the not-for-profit sector in Australia, and another 3.2 million people volunteer. The overall revenue of the sector is $190 billion, and that money goes directly into supporting critical causes across the country.
Unfortunately, according to new research by Infoxchange, the sector is ill-equipped to handle the security requirements of modern IT environments, and that is not only putting close to five million people at risk, but it’s also inhibiting the NFP sector’s ability to address Australia’s most pressing humanitarian and social justice challenges.
Jump to:
Infoxchange’s Digital Technology in the Not-For-Profit Sector offers a deep dive into the dominant trends facing charities and nonprofits with technology, based on a survey of more than 1,000 organisations in the sector. Insights include:
These NFPs do understand the importance of digital modernisation. Elsewhere in the report, 45% said they had already moved the “majority” of their IT to the cloud. NFPs are also deeply interested in the potential for technology to enhance their communications, with 38% saying that improving their website was their key priority looking forward. Meanwhile, 32% said that making better use of digital marketing was the main technology goal.
And yet with no cyber security question did the majority “agree” that they were operating according to best practices (Figure A).
Figure A
“Despite this massive footprint in our economy and in our lives, charities and not-for-profits have not been provided with the support they need to deal with an increasingly sophisticated level of cyber attacks,” said David Crosbie and Tim Costello AO, from the Community Council for Australia, in a joint statement. “Unlike businesses, charities spend every spare dollar they can find on serving their communities.
“Allocating more resources to strengthen cyber security would mean reducing the level of services available in our communities. Many charities and NFPs struggle to withdraw services, even though cyber security is clearly an important priority.”
In August, news broke that the data of as many as 50,000 donors — affecting up to 70 NFPs, including major charities such as Fred Hollows Foundation, Cancer Council and Canteen — had been leaked and published on the dark web.
This was due to the NFPs partnering with the wrong organisation — in this case, Pareto Phone for telemarketer services — but it highlights the low levels of security concern or awareness among many charities.
Organisations are obliged to ensure third-party partners are responsible shepherds for customer data.
Separately, in 2022, another major Australian charity, The Smith Family, was targeted directly by hackers and had critical data of around 80,000 donors, including credit card and personal information, stolen.
As noted by Moores, a legal firm that specialises in supporting charities and other “social good” organisations, the impacts of cyber breaches on NFPs are particularly damaging.
SEE: Australian enterprises are taking an “assume-breach” approach to cyber security.
“Unfortunately, many charities and NFPs are susceptible to cyber security attacks due to low levels of cyber resilience,” the firm noted in a blog. “For a charity or NFP, failing to take appropriate action to secure data could mean: The exposure of sensitive information of beneficiaries, donors or members; the loss of charity funds and resources; reputational damage; and breach of legal obligations.”
And yet, despite these concerns and the difficulties NFPs face in financing security, there appears to be little effort on any level to address the challenge.
For example, the Community Council for Australia is using Infoxchange’s report to lobby the Prime Minister, claiming that the 2023–2030 Australian Cyber Security Strategy discussion paper (including the “six shields” concept) fails to specifically acknowledge charities and not-for-profits, despite their significant contributions to the Australian workforce, GDP and community well-being.
“It has never been more important to build the digital capabilities and resilience of the not-for-profit sector,” Infoxchange CEO David Spriggs said in a release, supporting the calls for more strategic and national support for NFPs and cyber security. “As Australians bear the brunt of the cost-of-living crisis, this is putting greater pressure on not-for-profits and local community organisations who are at the front line in responding to record levels of service demand.”
It is unlikely that NFPs are going to see a sudden influx of budget to improve their security position. In lieu of that, IT professionals working in NFPs should adopt a “back-to-basics” approach to IT security and make sure that, at the very least, organisations are following these best practices.
The first line of defence in cyber security is often the users themselves. IT pros should conduct regular training sessions to educate staff about the latest cyberthreats and how to recognize them. This includes phishing scams, malware and ransomware attacks.
One area where there is strong awareness among NFPs is in the value of strong password and password management policies that include two-factor and multi-factor authentication. IT pros should be looking to roll out the most robust zero-trust policies possible, especially for those NFPs that are operating predominantly in the cloud.
Cyberthreats are constantly evolving, and outdated software can have vulnerabilities that hackers can exploit. Regularly updating and patching all systems is crucial to keeping them secure.
PREMIUM: Take advantage of this patch management policy.
Use reliable security software that offers real-time protection against malware and other cyberthreats. Many modern security software packages have artificial intelligence built in, which is critical to leverage when human resources are scarce.
Regular data backups are essential for recovering from cyberattacks. Backups should be made frequently and tested regularly to ensure they can be restored if needed. It’s also important to store backups securely, either off-site or in the cloud, to protect against physical damage or theft. As a defence against ransomware, security teams should be looking for backups that have an “air gap,” too, preventing the ransomware from reaching the backup data.
NFPs should consider investing in managed services to support their internal teams. The security upshot to moving work into the cloud is that security teams can support the organisation remotely, and many MSPs with a security bent do specialise in supporting small and under-resourced organisations.
Stay up to date on the latest in technology with Daily Tech Insider Australian Edition. We bring you news on industry-leading companies, products, and people, as well as highlighted articles, downloads, and top resources. You’ll receive primers on hot tech topics that are most relevant to AU markets that will help you stay ahead of the game. Delivered Thursdays
Stay up to date on the latest in technology with Daily Tech Insider Australian Edition. We bring you news on industry-leading companies, products, and people, as well as highlighted articles, downloads, and top resources. You’ll receive primers on hot tech topics that are most relevant to AU markets that will help you stay ahead of the game. Delivered Thursdays
Australian Nonprofit Cyber Security Is So Poor It Might Be Affecting Donations
Your email has been sent
TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.
This is a comprehensive list of the best AI art generators. Explore the advanced technology that transforms imagination into stunning artworks.
Find the perfect payroll service for your business without breaking the bank. Discover the top cheap payroll services, features, pricing and pros and cons.
Is NordVPN worth it? How much does it cost and is it safe to use? Read our NordVPN review to learn about pricing, features, security, and more.
Free project management software provides flexibility for managing projects without paying a cent. Check out our list of the top free project management tools.
Australian and New Zealand enterprises in the public cloud are facing pressure to optimize cloud strategies due to a growth in usage and expected future demand, including for artificial intelligence use cases.
This checklist from TechRepublic Premium consists of nine things you should do immediately after installing AlmaLinux. This list of items can be applied to all use-cases for your new server operating system. Although there will be plenty more to do (such as install the services and specific software you need), you can count on this …
Generative artificial intelligence refers to deep learning models that can generate content such as images, code, text and other forms of media. These algorithms are trained to identify patterns using large datasets, enabling them to produce similar output. TechRepublic Premium presents this explanation of generative AI, including its evolution, features, examples, drawbacks and benefits. From …
Businesses of all sizes are spending a good bit of time and energy digitizing their operations. While a business’s digital transformation may make systems more efficient and workers more productive, digital enterprises still require extensive documentation and the technical writers who create it. This hiring kit from TechRepublic Premium provides an adjustable framework your business …
Onboarding new employees and providing them with the equipment and access they need can be a complex process involving various departments. This New Employee Checklist and Default Access Policy from TechRepublic Premium enables the IT and HR departments to effectively partner and ensure new hires receive a standard set of equipment and features. From the …
Get the web’s best business technology news, tutorials, reviews, trends, and analysis—in your inbox. Let’s start with the basics.
* – indicates required fields
Lost your password? Request a new password
Please enter your email adress. You will receive an email message with instructions on how to reset your password.
Check your email for a password reset link. If you didn’t receive an email don’t forgot to check your spam folder, otherwise contact support.
This will help us provide you with customized content.
Thanks for signing up! Keep an eye out for a confirmation email from our team. To ensure any newsletters you subscribed to hit your inbox, make sure to add newsletters@nl.technologyadvice.com to your contacts list.

source