Cybersecurity: A vulnerable spot for NFPs

insight featured image
Is your Not for Profit enterprise prepared for a cyberattack? If the answer is 'no', you're not alone.

Our research report, Here for Good? uncovered some alarming statistics that highlighted cybersecurity as a major vulnerability in the sector:

  • Only 43% of NFPs invested in cyber security over the past two years.
  • Just 27% plan to invest in cyber security over the next two to three years.
  • 37% of NFPs do not have effective procedures to detect and report data breaches.

This data along with many high profile cyber attack events is a huge concern, so we recently hosted a roundtable event about cyber security with some local NFPs. We talked about why the sector is particularly prone to underinvesting in cybersecurity and what the sector can do to start addressing this weakness. Afterall, phishing attempts and ransomware attacks show no signs of abating, and it only takes one person to inadvertently click on a malicious link and give a cybercriminal access to all of your organisation’s sensitive information. The financial and reputational impacts can be devastating.  

Why do NFPs often underinvest in cyber security?

NFPs face some challenges that make it harder for them to invest in cyber security. First and foremost, NFPs are always trying to minimise spending, particularly on administrative and back-office costs. There’s a lot of pressure on charitable organisations to spend as much as possible on frontline assistance to those in need, and as little as possible on the behind-the-scenes processes that deliver that assistance.

This often means eking an extra year (or three!!) out of technology. NFPs are still using laptops that should be replaced, relying on outdated software, and legacy platforms – creating greater vulnerability to cyber attacks."

Cyber security can also seem like a non-priority. When there hasn’t yet been a data breach or hack, that can give NFPs a dangerous false sense of security. 

The problem of underinvesting in cybersecurity can be exacerbated by the Board – it’s rare to see a board member who has experience or knowledge of IT, let alone cyber security. Boards tend to recruit accountants and lawyers, who are experienced in their areas, but without expert guidance, it’s easy to inaccurately assess technical risks. And it’s unlikely board members are being trained in cyber risk, since our research found that 59% of boards do not undertake any board training. 

Even if you don’t know anything about cyber security, it is a major risk, and NFPs should commit more time and money to mitigating it. 

The potential risks cannot be overstated

It’s not a matter of if your business will get hacked, it’s a matter of when and how bad it will be. For an NFP, this could result in a complete halt on operations, snarling up frontline services and potentially demanding a ransom to restore systems. 

Worryingly, that ‘smash and grab’ approach by bad actors is being superseded by a more insidious attack: the actors can get into your systems, look around undetected, and steal any of your data, including donors’ and/or members’ personal data.  They also can compromise backups.

Then there’s the reputational fallout. Donors who see your name connected with a data breach can easily switch their contributions to another organisation. For example, in Australia, telecoms company Optus reported a data breach in 2022 that saw nearly 10 million customers’ personal details stolen; a few months later it was reported that 10% of customers had left since the attack. Just think how much easier it is to move your donation to another charity than it is to move your telecom provider.   

Five ways NFPs can start improving cybersecurity

  1. Change the mindset: Give cybersecurity the same attention as health and safety 

    The vital first step in improving cybersecurity is to start taking the risks seriously. It should be on par with health and safety – there’s just as much risk and the consequences for organisations can be just as severe. Instead, cyber risk is often buried in the risk register. 

  2. Improve relationships between IT and cybersecurity suppliers

    NFPs typically use three or four providers for their various IT and cybersecurity requirements, explained Martyn Newman-Hall, Director Core Business at the Nursing Council and an experienced commercial manager, who spoke at our roundtable event. Vulnerabilities are often created by gaps between the various services and human risks. Providers must work together, so each one understands its responsibilities and every risk has a provider who takes responsibility for it. Martyn explained the Council produced significant benefits by co-ordinating the relationships between their suppliers into a partnership model.

  3. IT collaboration is essential – internally and externally 

    A single head of IT at your organisation can be a powerful force for positive change, but they can’t do everything on their own. There is a risk they become reluctant to involve outsiders or internal management; someone at the roundtable described it as “the God complex IT guy” – protecting their patch. Your NFP’s IT people must work closely with suppliers & internal management and build trusting relationships. 

  4. Review your data practices 

    Do you keep private data from donors? Does your NFP process donor transactions? Then you need to comply with certain PCI DSS standards. For example, it may be well worth investing in third-party payment gateway to take over processing credit cards, which reduces the data you're keeping and the level of compliance required of your organisation.

  5. Look for tech expertise for your board

    We know that in the case of one high-profile health sector cyberattack, the board had been presented with a case for improving its cybersecurity a short time before the hack occurred. The board said no. 

    If your board doesn’t have any members with technical expertise, look for opportunities to appoint someone with a tech background. Alternatively, train your existing board members about technical risks. Your board and C-suite needs to know what questions to ask when they’re presented with options and solutions in the IT sphere. 

Tech problems are ultimately people problems 

Tech problems aren’t really about technology – they’re about people. NFPs need to take cyber risks seriously, which means thinking about not only their systems, but also their people. Upskilling everyone who works at the organisation, including the board, and encouraging teams and suppliers to work together harmoniously. Only with cooperation and education can your organisation protect itself from the ongoing risks of cyberattacks.