Press Release

Cybersecurity a major vulnerability in the Not for Profit sector

Grant Thornton New Zealand’s latest Not for Profit report reveals some alarming statistics about cybersecurity practices in the sector.

As phishing attempts and ransomware attacks show no sign of abating in any sector of the economy, Grant Thornton’s research into the Not for Profit sector has revealed that charities are particularly vulnerable:

  • Only 43% of NFPs invested in cyber security over the past two years to 2022.
  • Just 27% plan to invest in cyber security over the next two to three years.
  • 37% of NFPs do not have effective procedures to detect and report data breaches.

Barry Baker, Partner and Co-Lead of Not for Profit services at Grant Thornton New Zealand says, “NFPs face unique challenges that make it harder for them to invest in cyber security. Naturally, they are always trying to minimise spending, as there’s a lot of pressure to spend as much as possible on frontline assistance to those in need, and as little as possible on the behind-the-scenes processes that deliver that assistance.

“This often means eking an extra year or so out of technology. NFPs are still using laptops that should be replaced, relying on outdated software, and legacy platforms – creating greater vulnerability to cyberattacks.

“Cyber security can also seem like a non-priority. When there hasn’t yet been a data breach or hack, that can give NFPs a dangerous false sense of security.”

The potential risks cannot be overstated

Baker says it’s not a matter of if an organisation will be hacked, it’s a matter of how bad it will be.

“For a charity, this could result in a complete halt on operations, snarling up frontline services and potentially demanding a ransom to restore systems.

“Worryingly, that ‘smash and grab’ approach by bad actors is being superseded by a more insidious attack: the actors can get into your systems, look around undetected, and steal any of your data, including donors’ and/or members’ personal data.

“Then there’s the reputational fallout. Donors who see your name connected with a data breach can easily switch their contributions to another organisation”, says Baker.

How NFPs can start improving cyber security 

Baker says, “The vital first step to improving cybersecurity is to start taking the risks seriously. Cyber risk is often buried in the risk register, but it should be given the same attention as health and safety.

“And, if a charity stores private data from donors or processes donor transactions, it needs to comply with certain PCI DSS standards. It may be well worth investing in a third-party payment gateway to take over processing credit cards, which reduces the data you’re keeping and the level of compliance required of the organisation.

“It’s also important to understand that tech problems aren’t really about technology – they’re about people. This means thinking about not only systems, but upskilling everyone who works in the organisation, including the board, and encouraging teams and suppliers to work together harmoniously. Only with cooperation and education can your organisation protect itself from the ongoing risks of cyberattacks.”

Read Barry Baker's full article here.

Access Grant Thornton New Zealand's Not for Profit report, Here for good? here.
