Protecting your data – cyber security tips for NFPs
Article

As Not-For-Profit (NFP) organisations become more reliant on technology to manage their operations, they also become more vulnerable to cyber threats. Understanding and adapting to current trends in cyber security is vital for protecting sensitive donor data and mitigating any potential reputational risks.

The importance of data privacy and compliance is becoming more pronounced with the reforms to the Australian Privacy Act 1988. These reforms are one component of the 2023-2030 Australian Cyber Security Strategy, which focuses on robust and secure data handling practices. In line with this strategy, all organisations, including NFPs, should consider conducting regular risk assessments, updating privacy policies, and implementing data minimisation strategies. It is also important to regularly review and reduce the data that is held: the less data an organisation retains, the smaller the risk of unauthorised access and the smaller the impact if a breach does occur. The first tranche of reforms was introduced to parliament in September 2024, with further consultations and amendments likely to occur after the 2025 election.

Integrating cyber security into the organisation's overall governance framework is another critical consideration. This involves the board of directors and senior management taking an active role in cyber security oversight and ensuring that a clear strategy is in place.

One practical approach to aligning with best practice and improving security controls is adopting the Essential 8 framework, developed by the Australian Cyber Security Centre (ACSC). The framework provides recommendations across eight core areas that the ACSC has identified as critical in defending against cyber threats. Its controls are organised into three maturity levels, providing a roadmap for increasing maturity as time and budgets permit.

In addition to internal measures, organisations should collaborate closely with their providers to identify any under-utilised tools and explore opportunities to enhance their security posture. Aligning to a framework such as the Essential 8 can be a useful starting point for conversations with providers, helping to establish how mature the existing cyber controls are and where any gaps exist.

Targeted phishing attacks are increasingly prevalent and pose a constant threat, because NFP organisations often hold various forms of personal and financial information that make them attractive targets for cybercriminals. These attacks typically involve deceptive emails or websites designed to trick employees into divulging confidential information. To protect against these threats, organisations are investing in comprehensive training programs that teach staff to recognise and respond to phishing attempts and raise general awareness of the current threat landscape. This includes regular workshops, simulated phishing exercises, and the development of a strong cyber security culture within the organisation.

As cyber threats continue to evolve, organisations must stay vigilant and proactive in their approach to cyber security. By staying informed about current trends and adopting best practices, they can protect their valuable data and reputation, maintain trust with their stakeholders, and ultimately continue to fulfil their missions.

"Set and forget" approaches to cyber security are no longer viable. Staying ahead involves a number of key considerations, including continuous education, strategic partnerships with the right providers, compliance with data privacy regulations, and integrating cyber security into governance. It is an important topic that needs to be a priority for management and boards.

Key takeaways:

  • Invest in training to ensure staff remain vigilant against targeted attacks
  • Conduct regular risk assessments
  • Update privacy policies
  • Implement data minimisation strategies – what to keep and what to let go
  • Assess current software tools – are they fulfilling your requirements and protecting your organisation?
  • Familiarise yourself with the Essential 8 Framework
  • Ensure that cyber security is a regular topic in board meetings and at management level
  • Educate everyone in the organisation to understand that cyber security is everyone’s responsibility, not just your IT team or IT providers
  • Hold regular conversations with your external providers so you are across the detail
  • Get the right external help to ensure you have all bases covered
This content is general commentary only and does not constitute advice. Before making any decision or taking any action in relation to the content, you should consult your professional advisor. To the maximum extent permitted by law, neither Pitcher Partners or its affiliated entities, nor any of our employees will be liable for any loss, damage, liability or claim whatsoever suffered or incurred arising directly or indirectly out of the use or reliance on the material contained in this content. Pitcher Partners is an association of independent firms. Pitcher Partners is a member of the global network of Baker Tilly International Limited, the members of which are separate and independent legal entities. Liability limited by a scheme approved under professional standards legislation.
