Cyber security and digital trust in the not-for-profit sector


It’s important to acknowledge and celebrate the powerful role that not-for-profit (NFP) organisations play in building a more inclusive, compassionate, and equitable Australia. Whether supporting vulnerable communities, advancing medical research, protecting the environment, or fostering cultural identity - NFPs are the heart of our civil society.

But as these purpose-driven organisations embrace digital innovation to improve how they deliver services, engage donors, and scale their impact, they are also facing a stark reality: cyber security is no longer optional.

The growing threat: Why NFPs are now targets

Cyber threats were once focused on large corporations or government agencies, considered high-value targets for financial, strategic, and political gains. However, when large organisations improved their cyber defences, attackers focused on smaller, less protected entities using automated and scalable methods. The Australian Cyber Security Centre (ACSC) warns that attacks on small and medium-sized organisations (which include most NFPs) are rising, with the average cost of an incident exceeding $46,000.

What makes NFPs vulnerable?

  • High-value data: Donation records, health information, and personal identifiers are valuable for identity theft and fraud
  • Resource constraints: Many NFPs have limited IT budgets and rely on legacy systems. Additionally, they are often firmly focused on their purpose, leaving little time and resources to invest in adequate cyber security measures
  • Human risk: Volunteers and part-time staff may not receive regular security training
  • Third-party exposure: Outsourcing IT, fundraising, or data management increases the risk surface, especially if vendors lack robust protections.

There have been a number of attacks on NFPs recently:

  • A business email compromise (BEC) incident resulted in payments being redirected to fraudulent accounts, exploiting compromised staff emails and gaps in financial approval processes
  • A ransomware attack disrupted aged care and financial operations within an NFP, likely caused by phishing or unpatched system vulnerabilities, leading to potential data exposure and a lengthy recovery
  • An NFP’s reputation was damaged following a third-party data breach through a fundraising partner, even though its internal systems remained unaffected. The incident raised questions about vendor data security and privacy compliance
  • A humanitarian organisation suffered a data breach when an external party accessed a supporter database. The incident damaged trust, disrupted operations, and required significant resources to investigate and respond.

Digital innovation brings both opportunity and risk

NFPs are leveraging digital tools to improve operations, engage supporters, and deliver services more efficiently. Cloud platforms, CRM systems, online donation portals, and social media campaigns are now common.

Many are also adopting artificial intelligence (AI) for tasks like:

  • Drafting grant proposals and donor emails
  • Automating responses via AI-powered chatbots
  • Using analytics to improve fundraising outcomes and service targeting.

But this innovation introduces new cyber risks:

  • Shadow AI use, where staff feed sensitive information into public tools like ChatGPT without oversight
  • Data leakage through AI prompts or unsecured cloud storage
  • Chatbot manipulation, where attackers exploit poorly secured bots to access internal information
  • Deepfake voice cloning and AI-generated phishing emails that are more convincing and harder to detect.

The evolving regulatory landscape

Increased cyber risk is matched by heightened regulatory obligations. NFPs are now expected to meet standards similar to those of their corporate peers.

  • Cyber Security Act 2024: Introduced in late 2024, this Act imposes obligations on NFPs with annual revenue over $3 million, including:
    • Mandatory ransomware payment reporting within 72 hours
    • Incident disclosure for those operating in aged care, health, or other critical service sectors
    • Preparation for future breach disclosure laws, signalling a shift toward proactive cyber maturity.
  • Privacy Act Reforms & NDB Scheme: Any NFP that handles sensitive information - health data, information about children, or financial records - is subject to:
    • The Notifiable Data Breaches Scheme requiring prompt reporting to the OAIC and affected individuals
    • Reasonable security controls, including encryption, access controls, and breach response processes
    • Regular review of privacy practices and retention policies.
  • ACNC Governance Expectations: The Australian Charities and Not-for-profits Commission (ACNC) now explicitly treats cyber security as a governance issue where boards are expected to:
    • Oversee risk management strategies for cyber threats
    • Safeguard sensitive donor and beneficiary data
    • Assess third-party security postures
    • Ensure incident response plans are in place and tested.

Cyber security is no longer just something for the IT team to worry about - it’s now part of the board and management’s responsibility because it affects public trust and the NFP’s overall responsibility to protect stakeholder data.

Practical and achievable steps for NFPs

You don’t need a big budget or a full-time security team to make meaningful improvements. Here are some foundational actions that every NFP can take:

  • Enable Multi-Factor Authentication (MFA): This prevents most account compromise attempts with minimal disruption
  • Train your people: Teach staff and volunteers how to recognise phishing, handle data properly, and report suspicious activity
  • Update and patch systems: Keep software, applications, and devices up to date to protect against known vulnerabilities
  • Back up your data: Ensure critical information is securely backed up and recovery plans are tested
  • Review access rights: Remove unused accounts, limit admin privileges, and enforce strong, unique passwords
  • Plan for incidents: Have a response plan in place - and test it
  • Check your suppliers: Make sure that your suppliers have appropriate security measures in place, especially if they handle donor or client data

These are not just IT tasks - they are risk management and governance essentials.

Supporting your mission through digital security

Cyber security may not feel core to your mission, but in today’s world, it is critical to protecting it. It preserves your ability to serve, safeguards the trust of donors and communities, and protects sensitive data at a time when reputational risk has never been higher.

A breach can undo years of impact, while digital trust can elevate your organisation to new levels of confidence, capability, and credibility.

Tip: Cyber security isn’t about perfection; it’s about progress, and every step counts.


How BDO can help

BDO’s cyber security team offers a comprehensive suite of cyber security services designed to safeguard your organisation. Our approach includes thoroughly assessing your cyber security maturity level, testing your network for vulnerabilities, and comprehensively assessing risk.

If you're unsure where to start, BDO’s cyber security team can help assess your current posture and guide you toward a more protected and resilient future.

Key takeaways

Cyber security is now a governance priority for NFPs
  • Not-for-profit organisations are increasingly targeted by cybercriminals due to valuable donor and beneficiary data, limited IT budgets, and reliance on third-party vendors. Cyber security is no longer just an IT issue; it’s a board-level responsibility tied to governance, risk management, and maintaining public trust.
New regulations demand stronger compliance
  • The Cyber Security Act 2024, Privacy Act reforms, and ACNC governance expectations require NFPs to implement robust security measures, report ransomware incidents, and protect sensitive data. Compliance now includes mandatory breach notifications, encryption, and third-party risk assessments.
Practical steps to strengthen digital trust
  • NFPs can significantly reduce cyber risk with cost-effective measures like enabling multi-factor authentication (MFA), training staff to spot phishing, patching systems, backing up data, and reviewing vendor security. These foundational actions help safeguard donor trust and ensure mission continuity.
