Cyber security and digital trust in the not-for-profit sector
It’s important to acknowledge and celebrate the powerful role that not-for-profit (NFP) organisations play in building a more inclusive, compassionate, and equitable Australia. Whether supporting vulnerable communities, advancing medical research, protecting the environment, or fostering cultural identity - NFPs are the heart of our civil society.
But as these purpose-driven organisations embrace digital innovation to improve how they deliver services, engage donors, and scale their impact, they are also facing a stark reality: cyber security is no longer optional.
The growing threat: Why NFPs are now targets
Cyber threats were once focused on large corporations or government agencies, considered high-value targets for financial, strategic, and political gains. However, when large organisations improved their cyber defences, attackers focused on smaller, less protected entities using automated and scalable methods. The Australian Cyber Security Centre (ACSC) warns that attacks on small and medium-sized organisations (which include most NFPs) are rising, with the average cost of an incident exceeding $46,000.
What makes NFPs vulnerable?
- High-value data: Donation records, health information, and personal identifiers are valuable for identity theft and fraud
- Resource constraints: Many NFPs have limited IT budgets and rely on legacy systems. Additionally, they are often firmly focused on their purpose, leaving little time and resources to invest in adequate cyber security measures
- Human risk: Volunteers and part-time staff may not receive regular security training
- Third-party exposure: Outsourcing IT, fundraising, or data management increases the risk surface, especially if vendors lack robust protections.
There have been a number of attacks on NFPs recently:
- A business email compromise (BEC) incident resulted in payments being redirected to fraudulent accounts, exploiting compromised staff emails and gaps in financial approval processes
- A ransomware attack disrupted aged care and financial operations within an NFP, likely caused by phishing or unpatched system vulnerabilities, leading to potential data exposure and a lengthy recovery
- An NFP’s reputation was damaged following a third-party data breach through a fundraising partner, even though its internal systems remained unaffected. The incident raised questions about vendor data security and privacy compliance
- A humanitarian organisation suffered a data breach when an external party accessed a supporter database. The incident damaged trust, disrupted operations, and required significant resources to investigate and respond.
Digital innovation brings both opportunity and risk
NFPs are leveraging digital tools to improve operations, engage supporters, and deliver services more efficiently. Cloud platforms, CRM systems, online donation portals, and social media campaigns are now common.
Many are also adopting artificial intelligence (AI) for tasks like:
- Drafting grant proposals and donor emails
- Automating responses via AI-powered chatbots
- Using analytics to improve fundraising outcomes and service targeting.
But this innovation introduces new cyber risks:
- Shadow AI use, where staff feed sensitive information into public tools like ChatGPT without oversight
- Data leakage through AI prompts or unsecured cloud storage
- Chatbot manipulation, where attackers exploit poorly secured bots to access internal information
- Deepfake voice cloning and AI-generated phishing emails, which are more convincing and harder to detect.
The evolving regulatory landscape
Increased cyber risk is matched by heightened regulatory obligations. NFPs are now expected to meet the same standards as their corporate peers.
- Cyber Security Act 2024: Introduced in late 2024, this Act imposes obligations on NFPs with annual revenue over $3 million, including:
  - Mandatory ransomware payment reporting within 72 hours
  - Incident disclosure for those operating in aged care, health, or other critical service sectors
  - Preparation for future breach disclosure laws, signalling a shift toward proactive cyber maturity.
- Privacy Act Reforms & NDB Scheme: Any NFP that handles sensitive information - health data, information about children, or financial records - is subject to:
  - The Notifiable Data Breaches Scheme, requiring prompt reporting to the OAIC and affected individuals
  - Reasonable security controls, including encryption, access controls, and breach response processes
  - Regular review of privacy practices and retention policies.
- ACNC Governance Expectations: The Australian Charities and Not-for-profits Commission (ACNC) now explicitly treats cyber security as a governance issue, and boards are expected to:
  - Oversee risk management strategies for cyber threats
  - Safeguard sensitive donor and beneficiary data
  - Assess third-party security postures
  - Ensure incident response plans are in place and tested.
Cyber security is no longer just something for the IT team to worry about - it’s now part of the board and management’s responsibility, because it affects public trust and the NFP’s obligation to protect stakeholder data.
Practical and achievable steps for NFPs
You don’t need a big budget or a full-time security team to make meaningful improvements. Here are some foundational actions that every NFP can take:
- Enable Multi-Factor Authentication (MFA): This prevents most account compromise attempts with minimal disruption
- Train your people: Teach staff and volunteers how to recognise phishing, handle data properly, and report suspicious activity
- Update and patch systems: Keep software, applications, and devices up to date to protect against known vulnerabilities
- Back up your data: Ensure critical information is securely backed up and recovery plans are tested
- Review access rights: Remove unused accounts, limit admin privileges, and enforce strong, unique passwords
- Plan for incidents: Have a response plan in place - and test it
- Check your suppliers: Make sure that your suppliers have appropriate security measures in place, especially if they handle donor or client data
These are not just IT tasks - they are risk management and governance essentials.
Supporting your mission through digital security
Cyber security may not feel core to your mission, but in today’s world, it is critical to protecting it. It preserves your ability to serve, safeguards the trust of donors and communities, and protects sensitive data at a time when reputational risk has never been higher.
A breach can undo years of impact, while digital trust can elevate your organisation to new levels of confidence, capability, and credibility.

Tip: Cyber security isn’t about perfection; it’s about progress and every step counts.
How BDO can help
BDO’s cyber security team offers a comprehensive suite of cyber security services designed to safeguard your organisation. Our approach includes thoroughly assessing your cyber security maturity level, testing your network for vulnerabilities, and comprehensively assessing risk.
If you're unsure where to start, BDO’s cyber security team can help assess your current posture and guide you toward a more protected and resilient future.