What do you think Australian not-for-profits would list as the top three challenges facing the industry right now?
Staying up-to-date with the ever-changing digital landscape? Identifying new and innovative revenue sources? Adapting to new staff expectations around work-life balance? These are, and remain, high priorities. But how many would think of cyber security as an issue they need to keep front of mind?
Recent cyber-attacks on high-profile corporates highlight the need for all organisations holding confidential personal and financial information to make security a top priority.
While a multi-national with annual revenue in the billions has the resources to address cyber security, its size can also make it a more attractive target for hackers. The saying “more money, more problems” could really be re-imagined as “more money, more risk.”
A look at the top 10 hacks reported in Australia in 2022 makes for startling reading. The list includes companies many of us use regularly, including Optus, Woolworths, Telstra and Energy Australia (“Biggest Cyber-Attacks in Australia in 2022”, powernet, 14 February 2023).
Last week I was fortunate to attend the Exclusive Not-for-Profit (ENFP) Technology & Cyber Security seminar as part of the Commonwealth Bank and HLB Mann Judd series of industry presentations. This event was an opportunity for not-for-profits and technology experts to not only learn about the need for cyber security, but to place the issue front and centre for the charity sector.
The top cyber security issues for charities
The seminar’s main speaker was Brian Holder from Tecala Group, a respected provider of technology and IT solutions to mid-market companies and community organisations. Brian positioned the content at that sweet spot between layman and amateur tech buff, making for an engaging and fascinating presentation.
- In-house training is key to raising awareness and enhancing security across an organisation. Many security breaches are the result of employees clicking on links in emails sent by malicious parties. Staff need to be made aware of red flags and indicators of possible breaches.
- An organisation’s cyber security needs to be regularly assessed, examined and tested. Setting up a new system will never be a case of “set and forget”, particularly now with hacking technology constantly evolving. Hackers and other malicious actors are 100% committed to bringing down a network, so organisations need to make cyber security a priority, much as they would for any key part of the business.
- NFPs should take a “when, not if” approach to their cyber security. It is naïve to assume an organisation will be sufficiently nimble to react and adapt their IT systems after an attack. All staff need to be vigilant. As high-profile cyber security breaches happen more regularly, hackers will be increasingly motivated to cause damage to IT systems seeking a financial reward.
- Corporates and NFPs need to view their cyber security as a selling point. The immediate cost to Optus of addressing the cyber-attacks was estimated to be upwards of $140m, but damage to the brand has been estimated to run into the billions in the longer term as customers seek assurance from other providers. In the same way, NFPs need to be able to provide assurances that donors’ personal information will not be compromised when, for example, using an online donor portal.
Cyber security from charity experience
The next presenter was Thomas Pinn, ICT Manager for Royal Far West, a mid-size not-for-profit specialising in supporting children’s developmental, mental and behavioural health. Thomas delivered a lively, interesting address, outlining some of the challenges facing community organisations. It was fascinating to listen to the perspective of an NFP, as NFPs make up SG’s main client base.
- The rise in cyber security breaches has led to a similar increase in companies claiming to provide all-purpose solutions. NFPs should be mindful of approaches from tech companies making ambitious claims.
- In much the same way we are encouraged to diversify our investments to reduce risk, so too should organisations diversify their IT security and administration. IT managers should be looking for a range of options when identifying suitable providers for different parts of their tech infrastructure. No IT provider can provide a comprehensive one-size-fits-all solution.
- NFPs should share and collaborate on cyber security as much as possible. While NFPs are all vying for the same donors and grants, they will all benefit from sharing knowledge and experiences.
The seminar wrapped with a Q&A session involving Brian, Thomas and Matthew Salmon (also from Tecala). This trio were very open and generous with their responses to some very insightful questions from the floor. It was great to hear about the experiences different organisations were having and to recognise they shared many challenges.
In short, cyber security needs to shift up the list of charities’ strategic priorities. Cyber-attacks are on the rise and data breaches are becoming more frequent. NFPs must invest in in-house training, regularly assess their cyber security, and take steps to assure donors and stakeholders that their confidential information is safe.