Sixty percent of nonprofits in Australia and New Zealand do not have a documented plan to improve their cyber protection, according to the Digital Technology in the Not-for-Profit Sector Report.
Statistics also reveal that:
- 57% have moved or are in the process of moving to the cloud
- 63% of NFP staff are confident about using technology (when devices are configured well)
- 66% of support staff who work remotely have a technology environment that is working well or “nearly there”
These figures show that nonprofits have become increasingly reliant on technology, which makes them attractive targets. At the same time, NFPs face funding constraints, limited in-house expertise, and operational pressures that leave little room for security work.
It’s therefore crucial for nonprofits to implement stronger security measures and ensure cyber resilience. How can this be achieved?
Cyber Resilience and Nonprofits
Cyber resilience refers to an organisation’s ability to anticipate, withstand, respond to, and recover from cyber threats and incidents while maintaining the confidentiality, integrity, and availability of its digital assets.
For Australian nonprofits, cyber resilience is critical due to:
- Sensitive Information: Nonprofits are attractive targets because of the personal data they hold about clients in social welfare, aged care, education, and medical settings.
- Financial Transactions: Fundraising involves handling donors' financial details, including payment card data, so donation flows and the systems behind them must be secured.
- Digital Transformation: Nonprofits increasingly deliver fundraising and services online, which widens the attack surface exposed to threats.
- Economic Impact: Charities contribute to the national economy and many deliver essential services, so a disruption to one organisation can have consequences well beyond it.
Benefits of Cyber Resilience to Nonprofit Organisations
When a nonprofit is cyber resilient, it can enjoy the following advantages:
- Reduced risk of data breaches
- Enhanced stakeholder trust
- Operational continuity, less downtime in case of a cyber incident
- More efficient use of resources, as less time and money go to crisis management
- Donor confidence and higher likelihood of donor support
- Better compliance with legal and regulatory obligations
- A competitive advantage in securing grants and partnerships
- Staff empowerment due to cyber awareness training programs
- Long-term financial savings, by avoiding costs associated with cyber incidents
- A secure environment that encourages digital innovation
Overview of Relevant Regulatory Standards for Nonprofits
Registered charities are required to comply with the Australian Charities and Not-for-profits Commission (ACNC) Governance Standards, which set minimum requirements for lawful operation and responsible management.
The ACNC provides resources to help charities and nonprofits manage cyber security risks. These include a cyber security assessment and checklist as well as a Governance Toolkit, which offers comprehensive guides and templates to assist in mitigating cyber risks.
In addition, the Australian Institute of Company Directors (AICD) provides a checklist for NFP directors to enhance cyber security resilience.
Charities covered by the Privacy Act 1988 must also handle personal and sensitive information in line with the Australian Privacy Principles (APPs), which govern how it is collected, used, stored and secured. The APPs apply to organisations with annual turnover above $3 million and, regardless of turnover, to those that provide health services and hold health information, which covers many NFPs in aged care and medical settings.
Finally, it is recommended that staff and volunteers gain a basic understanding of cyber security issues through regular training to prevent vulnerabilities.
How Nonprofits can Develop Cyber Resilience
Nonprofits can take the following steps to enhance cyber resilience and regulatory compliance.
1. Risk Assessment
A thorough risk assessment identifies the organisation's assets, the vulnerabilities and threats that affect them, and the impact if a threat is realised. Nonprofits face sector-specific risks, such as client records in social welfare or aged care and donor payment data, so the assessment should reflect those needs rather than follow a generic template.
To remain effective, risk assessments must be repeated regularly and after significant changes such as a move to the cloud. Identified risks should be prioritised by likelihood and impact, and each mitigation should have an owner and be tracked to completion, so that the organisation's picture of its exposure stays current.
2. Education and Training
Regularly train staff and volunteers in cyber security awareness and good practice. Training helps prevent common mistakes, such as acting on phishing emails or reusing passwords, and improves the overall security posture. Simulations, such as tabletop exercises, let participants practise incident handling procedures before a real incident.
Building a cyber aware culture must be a priority, with encouragement of security-conscious behaviour and reporting of suspicious activities.
3. Strengthening Cyber Security Controls
The Essential Eight, published by the Australian Cyber Security Centre (ACSC), is a useful framework for nonprofits to reach an appropriate cyber security maturity level. Its eight strategies are application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. A nonprofit can establish a sound security foundation at Maturity Level 1 even with limited resources; this level implements each strategy in a basic form, such as patching internet-facing services promptly, enabling multi-factor authentication for remote and cloud access, and keeping backups whose restoration has been tested.
As an organisation's exposure grows, for example as it handles more sensitive data, it can work toward Maturity Levels 2 and 3. The key is to treat this as an ongoing journey toward greater cyber resilience rather than a one-off project.
4. Incident Response Plan
It is imperative for organisations to develop an incident response plan. It should set out procedures for detecting, containing, eradicating and recovering from cyber incidents, who is responsible for each step, and who must be notified, including affected individuals and the Office of the Australian Information Commissioner (OAIC) where the Notifiable Data Breaches scheme applies. Test the plan regularly, for example through tabletop exercises, and update it as systems and staff change.
5. Data Backup and Recovery Plan
Implementing a data backup and recovery plan is crucial to safeguarding an organisation's critical information. The plan must include:
- Assessing data criticality, so the most important records are backed up first and most often
- A backup strategy covering what is backed up, how often, where copies are kept, and how long they are retained
- Recovery procedures, proven by periodically restoring from a backup rather than assumed to work
- Protection of the backups themselves, as recommended by the Essential Eight, for example keeping a copy offline or otherwise out of reach of ordinary user accounts that could modify or delete it
- Regular review and updates as systems and data change
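As an added illustration of the recovery-procedure and review items above (example code written for this page, not taken from the ACNC, the Essential Eight or any vendor), the following Python script backs up a directory into a tar archive, records a SHA-256 manifest of every file, restores the archive into an empty directory and compares the result to the manifest. The directory names and the donors.csv and grants.csv sample files are constructed for the demonstration; a real deployment would point the same functions at the organisation's actual data and a backup location that ordinary accounts cannot write to.

```python
"""Added example: a backup with an integrity manifest and a restore test.

Hypothetical script, not part of the original page. Sample files are
constructed inline so the whole thing runs offline in a temporary directory.
"""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path, manifest_path: Path) -> dict[str, str]:
    """Write a .tar.gz of source and a JSON manifest of file hashes beside it."""
    manifest = build_manifest(source)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def compare_to_manifest(manifest_path: Path, restored: Path) -> list[str]:
    """Return the discrepancies between the manifest and a restored tree."""
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(restored)
    problems = [f"missing: {rel}" for rel in expected if rel not in actual]
    problems += [f"corrupted: {rel}" for rel, digest in expected.items()
                 if rel in actual and actual[rel] != digest]
    problems += [f"unexpected: {rel}" for rel in actual if rel not in expected]
    return sorted(problems)


def verify_restore(archive: Path, manifest_path: Path, restore_dir: Path) -> list[str]:
    """Restore the archive into restore_dir and check it against the manifest.

    An empty list means the backup can actually be restored intact, which is
    the evidence a recovery procedure should produce each time it is exercised.
    """
    restore_dir.mkdir(parents=True, exist_ok=True)
    # The 'data' filter (Python 3.12+, backported to maintenance releases)
    # refuses absolute paths and '..' members, so a tampered archive cannot
    # write outside restore_dir. Fall back to a plain extract where unavailable.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(str(archive), "r:gz") as tar:
        tar.extractall(str(restore_dir), **extract_opts)
    return compare_to_manifest(manifest_path, restore_dir)


def run_demo() -> tuple[list[str], list[str]]:
    """Constructed sample data: a clean restore passes; a damaged one is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "records"  # constructed sample files, not real records
        (src / "2024").mkdir(parents=True)
        (src / "donors.csv").write_text("id,name\n1,Example Donor\n")
        (src / "2024" / "grants.csv").write_text("grant,amount\nG1,5000\n")

        archive = base / "backup.tar.gz"
        manifest = base / "backup.manifest.json"
        create_backup(src, archive, manifest)

        clean = verify_restore(archive, manifest, base / "restore_ok")

        # Simulate a restore in which a file silently changed (bad media,
        # partial write, or tampering): the hash check names the exact file.
        bad = base / "restore_bad"
        verify_restore(archive, manifest, bad)
        (bad / "donors.csv").write_text("id,name\n1,Changed\n")
        damaged = compare_to_manifest(manifest, bad)
        return clean, damaged


if __name__ == "__main__":
    ok, bad = run_demo()
    print("clean restore:", ok or "no discrepancies")
    print("damaged restore:", bad)
```

The manifest should be stored separately from the archive (and ideally signed or kept on read-only media), otherwise whoever can alter the backup can alter the hashes to match. Scheduling the restore test, not just the backup, is what turns "we have backups" into a recovery procedure that has been shown to work.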
Your Compliance Journey to Cyber Resilience
Cyber resilience is an ongoing process. It involves regular assessments, continuous improvement, and adaptability to maintain a strong cyber security posture. Regulations and standards play a vital role in enhancing an organisation’s cyber security resilience. By aligning compliance efforts with cyber security objectives, nonprofits can effectively mitigate cyber risks and protect their data and stakeholders.
Our eBook, 8 Cyber Essentials to Safeguard Your Organisation, breaks down eight strategies NFPs can implement to enhance their security. Check it out!