The not-for-profit sector is one of Australia’s largest employers and revenue generators. In Australia, 1.4 million people work in the not-for-profit sector and 3.2 million people volunteer. The sector’s overall revenue is $190 billion, and that money goes directly to supporting crucial causes across the country.
Unfortunately, according to a new study from Infoxchange, the industry is ill-equipped to meet the security demands of modern IT environments, which not only puts nearly five million people at risk, but also hampers the NFP industry’s ability to respond to Australia’s most pressing humanitarian and social justice challenges.
NFP Cybersecurity Insights from Infoxchange
Infoxchange’s Digital Technology in the Nonprofit Sector report offers an in-depth analysis of the dominant technology trends facing charities and nonprofits, based on a survey of over 1,000 sector organizations. Findings include:
- One in eight organizations surveyed experienced a cybersecurity incident in the past year.
- Only 23% had effective information security processes in place, enabling staff and volunteers to protect organizational data.
- Only 39% had implemented multi-factor authentication for internet systems containing sensitive data, while only 13% had a documented plan to improve cybersecurity protection.
- Only 12% of nonprofits regularly provided cybersecurity awareness training, and only one in five had a cybersecurity policy.
These NFPs understand the importance of digital modernization. Elsewhere in the report, 45% said they had already migrated the “majority” of their IT to the cloud. Nonprofits are also very interested in the potential of technology to improve their communications, with 38% saying that improving their website was their top priority for the future. Meanwhile, 32% said better use of digital marketing was the top technology goal.
Lack of support leaves NFPs with poor security practices
And yet, without any question of cybersecurity, the majority “agreed” that they were operating according to best practices (Figure A).
Figure A
“Despite this massive footprint in our economy and our lives, charities and nonprofits have not received the support they need to deal with an increasingly sophisticated level of cyberattacks,” said David Crosbie and Tim Costello AO, of the Community Council for Australia, in a joint statement. “Unlike businesses, charities spend every available dollar to serve their communities.
“Allocating more resources to strengthen cybersecurity would mean reducing the level of services available in our communities. Many charities and non-profits are struggling to withdraw services, even though cybersecurity is clearly an important priority.”
The impact of poor security
In August, news broke that data from as many as 50,000 donors – affecting up to 70 nonprofits, including major charities such as the Fred Hollows Foundation, Cancer Council and Canteen – had been leaked and published on the dark web.
This happened because the nonprofits partnered with the wrong organization – in this case, Pareto Phone for telemarketing services – but it highlights the low level of security concern or awareness among many charities.
Organizations are required to ensure that third-party partners are responsible stewards of customer data.
Separately, in 2022, another major Australian charity, The Smith Family, was directly targeted by hackers and had the critical data of approximately 80,000 donors stolen, including credit card and personal information.
Lack of security awareness exposes NFPs to legal action
As Moores, a law firm specializing in supporting charities and other “social good” organizations, points out, the impacts of cyberattacks on nonprofits are particularly damaging.
“Unfortunately, many charities and nonprofits are vulnerable to cybersecurity attacks due to their low levels of cyber resilience,” the company noted in a blog post. “For a charity or non-profit, failing to take appropriate steps to secure data could mean: disclosure of sensitive information about beneficiaries, donors or members; loss of charitable funds and resources; damage to reputation; and violation of legal obligations.”
And yet, despite these concerns and the difficulties NFPs face in financing security, there appears to be little effort, at any level, to address this challenge.
For example, the Community Council for Australia is using the Infoxchange report to pressure the Prime Minister, claiming that the Australian Cyber Security Strategy 2023-2030 discussion paper (including the “six shields” concept) does not specifically recognize charities and non-profit organizations, despite their significant contributions to the Australian workforce, GDP and community wellbeing.
“It has never been more important to build the digital capabilities and resilience of the nonprofit sector,” Infoxchange CEO David Spriggs said in a statement, supporting calls for more strategic, national support for non-profits and cybersecurity. “As Australians bear the brunt of the cost of living crisis, it puts increased pressure on local not-for-profit and community organizations who are on the frontline of meeting record levels of demand for services.”
A back-to-basics approach
NFPs are unlikely to experience a sudden influx of budget to improve their security situation. Instead, IT professionals working in nonprofits should take a “back to basics” approach to IT security and ensure that their organizations follow at least these best practices.
Educate and train staff
The first line of defense in cybersecurity is often the users themselves. IT professionals should conduct regular training sessions to educate staff on the latest cyber threats and how to recognize them. This includes phishing scams, malware and ransomware attacks.
Implement strong password policies
One area where NFPs show strong awareness is the value of strong password policies and password management that include two- and multi-factor authentication. IT professionals should look to deploy the most robust zero trust policies possible, especially for NFPs that operate primarily in the cloud.
Regularly update and patch systems
Cyber threats are constantly evolving, and outdated software may have vulnerabilities that hackers can exploit. It is essential to regularly update and patch all systems to ensure their security.
Install and update security software
Use reliable security software that provides real-time protection against malware and other cyber threats. Many modern security products incorporate artificial intelligence, which is essential to take advantage of when human resources are scarce.
Back up data regularly
Regular data backups are essential to recovering from cyberattacks. Backups should be performed frequently and tested regularly to ensure they can be restored if necessary. It is also important to store backups securely, offsite or in the cloud, to protect them from physical damage or theft. To defend against ransomware, security teams should also look for backups that have an “air gap,” preventing ransomware from reaching backup data.
Invest in managed services
Nonprofits should consider investing in managed services to support their internal teams. One security benefit of moving work to the cloud is that security teams can support the organization remotely, and many security-minded MSPs specialize in supporting small organizations with limited resources.