Technology touches every aspect of our lives. From using smartphones to keep in touch with people, to buying goods or services, banking, or making online donations – swathes of data are processed and stored as a result.
While the digital economy has opened a world of opportunities to do things faster and more conveniently, there has also been the proliferation of cyber attacks where personal and organisational data is put at risk of misuse. Around the world there are more devices with a connection to the internet than there are people. As with other sectors (business and government), charities are vulnerable to malicious attacks—with cyber security now a fundamental pillar in maintaining organisational integrity.
It’s why we’re focusing on the way charities manage cyber security challenges as part of our compliance and enforcement focus for 2024-25.
Common cyber security risks for charities can range from unauthorised access to devices, accounts and systems, to viruses and malicious software that can collect, change or delete information. The tactics of cyber criminals can be so brazen and sophisticated that they can trick a charity into transferring funds or revealing sensitive information.
The consequences of an incident cannot be understated. Not only can there be a loss to a charity’s sensitive information which can disrupt and prevent it from carrying out its mission, but there can also be loss of trust which may have serious reputational consequences and flow on to the reputation of the sector more broadly.
Thankfully, there are simple things charities can do to prevent or weather an attack.
First and foremost, your charity needs to cultivate a culture of cyber security awareness.
Cyber security is not solely the responsibility of IT professionals, but the collective duty of those who work and volunteer in your organisation. This is especially true for small charities, that often don’t have the resources to employ people dedicated to overseeing IT systems and processes.
Everyone, from board members (who have the overall governance responsibility) to volunteers, should have the knowledge and tools to identify and mitigate potential cyber risks. Education and training initiatives can empower staff to recognise phishing attempts, safeguard sensitive data and adhere to best practice in digital hygiene.
There are some practical things you can do to help protect your charity – such as turning on automatic software updates and ensuring that these run successfully. You can also use a free reputable password manager to help you create strong and unique passwords across all your accounts and devices. Rather than memorising all these different passwords, you just need to remember your master password - and the password manager will take care of the rest.
Remember there is free help for charities including resources developed by the Australian Signals Directorate – Australia’s lead agency for developing cyber resilience. They have developed a checklist for charities to complement their more comprehensive security guide.
The ACNC’s Governance Toolkit: Cyber Security has more practical tips and information to help you shore up your charity’s cyber defences. You may also like to complete our free information asset register template. The template is useful to identify your charity’s valuable knowledge, data and information and to catalogue the potential risks for each asset. This can help identify strategies to mitigate those risks.
Getting your head around cyber security can at times feel overwhelming – particularly for small organisations with limited time and resources. However, undertaking even some of the recommendations outlined here can make the world of difference in preventing cyber criminals from targeting your charity.
Warm regards,
Sue Woodward AM