Our research report, Here for Good? uncovered some alarming statistics that highlighted cybersecurity as a major vulnerability in the sector:
This data along with many high profile cyber attack events is a huge concern, so we recently hosted a roundtable event about cyber security with some local NFPs. We talked about why the sector is particularly prone to underinvesting in cybersecurity and what the sector can do to start addressing this weakness. Afterall, phishing attempts and ransomware attacks show no signs of abating, and it only takes one person to inadvertently click on a malicious link and give a cybercriminal access to all of your organisation’s sensitive information. The financial and reputational impacts can be devastating.
NFPs face some challenges that make it harder for them to invest in cyber security. First and foremost, NFPs are always trying to minimise spending, particularly on administrative and back-office costs. There’s a lot of pressure on charitable organisations to spend as much as possible on frontline assistance to those in need, and as little as possible on the behind-the-scenes processes that deliver that assistance.
This often means eking an extra year (or three!!) out of technology. NFPs are still using laptops that should be replaced, relying on outdated software, and legacy platforms – creating greater vulnerability to cyber attacks."
Cyber security can also seem like a non-priority. When there hasn’t yet been a data breach or hack, that can give NFPs a dangerous false sense of security.
The problem of underinvesting in cybersecurity can be exacerbated by the Board – it’s rare to see a board member who has experience or knowledge of IT, let alone cyber security. Boards tend to recruit accountants and lawyers, who are experienced in their areas, but without expert guidance, it’s easy to inaccurately assess technical risks. And it’s unlikely board members are being trained in cyber risk, since our research found that 59% of boards do not undertake any board training.
Even if you don’t know anything about cyber security, it is a major risk, and NFPs should commit more time and money to mitigating it.
It’s not a matter of if your business will get hacked, it’s a matter of when and how bad it will be. For an NFP, this could result in a complete halt on operations, snarling up frontline services and potentially demanding a ransom to restore systems.
Worryingly, that ‘smash and grab’ approach by bad actors is being superseded by a more insidious attack: the actors can get into your systems, look around undetected, and steal any of your data, including donors’ and/or members’ personal data. They also can compromise backups.
Then there’s the reputational fallout. Donors who see your name connected with a data breach can easily switch their contributions to another organisation. For example, in Australia, telecoms company Optus reported a data breach in 2022 that saw nearly 10 million customers’ personal details stolen; a few months later it was reported that 10% of customers had left since the attack. Just think how much easier it is to move your donation to another charity than it is to move your telecom provider.
Tech problems aren’t really about technology – they’re about people. NFPs need to take cyber risks seriously, which means thinking about not only their systems, but also their people. Upskilling everyone who works at the organisation, including the board, and encouraging teams and suppliers to work together harmoniously. Only with cooperation and education can your organisation protect itself from the ongoing risks of cyberattacks.
