It’s no surprise that cyber crime is one of the biggest threats businesses face today. However, it may come as a shock to learn that not-for-profits are among the most vulnerable organisations when it comes to cyber threats. It’s time for not-for-profits to get serious about their cyber security, and we’ve got 5 big reasons why.
1. Cyber Attacks are on the Rise
Cyber crime in Australia is on the rise. In the 2020–21 financial year alone, the Australian Cyber Security Centre (ACSC) received over 67,500 reports of cyber crime, an increase of nearly 13% on the previous year. Nearly a third of all Australian businesses will suffer a data breach at some point. Some of the most common cyber security risks faced by not-for-profits include:
- unauthorised access to devices, networks and/or systems
- viruses and other malicious software (malware) that can collect, change, encrypt or delete information
- phishing: fake emails and websites that trick individuals into revealing credentials, personal and/or sensitive information
While not-for-profits may not think of themselves as a prime target for cyber criminals, the reality is that 43% of cyber attacks are directed at small organisations, with non-profits and for-profit businesses equally affected. Much of this activity is opportunistic and automated: attackers scan for any exposed or unpatched system, regardless of who owns it. In addition, the 2017 study ‘Cybersecurity in Non-Profit and Non-Governmental Organizations’ by the Institute for Critical Infrastructure Technology found that half of the non-government organisations (NGOs) and not-for-profits that participated in the study had suffered a ransomware attack.
2. Not-For-Profits Collect a Lot of Valuable Data
Many not-for-profits underestimate the potential for a targeted cyber attack. Although a not-for-profit organisation typically won’t have large deposits of cash lying around, what it does have is just as valuable to a criminal: information. For example, a large charity dedicated to supporting poverty-stricken communities across the globe was the victim of a large-scale cyber attack in February of last year. The breach resulted in the private details of 1.8 million individuals being leaked. This data was then uploaded to a hacker forum on the dark web and sold to the highest bidder.
Not-for-profit websites that include donation or fundraising portals are common targets of cyber attacks. Without adequate security measures to protect sensitive banking and credit card information, these portals may be exploited for financial gain, whether by skimming card details entered into the form or by diverting payments. Financial data is put at even greater risk when not-for-profits rely on poorly secured or unvetted third-party payment systems.
It’s not just financial information at risk either. Not-for-profits collect plenty of critical personal information relating to their clients, volunteers and supporters. Credit card numbers, email addresses, personally identifying information, health care records: not-for-profits are a treasure trove for would-be attackers. Cyber criminals are notorious for using this kind of information for identity theft, fraud, extortion and other related criminal offences.
3. Legal Requirements
Depending on the location and nature of their operations, not-for-profits will likely need to adhere to some form of legal requirements. Data protection laws across Australia regulate the collection, storage and accessing of personal information. According to the Privacy Act, personal information refers to any ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:
a. whether the information or opinion is true or not; and
b. whether the information or opinion is recorded in a material form or not.’
The definition is purposefully broad and technologically neutral, allowing it to adapt to future changes in information-handling practices. Whether a given piece of data is personal information will not always be crystal clear; in most cases it depends on context and circumstances, in particular whether it could reasonably be combined with other data to identify someone. The most common examples include:
- Legal names
- Contact information (email addresses, phone numbers, etc.)
- Residential address
- Date of birth
- Health records
- Donation records
- Identity documents (birth certificates, passports, drivers licenses, etc.)
- Profession or trade
- Religious and/or political affiliations
- Device identifiers
- Cookie data
Not-for-profit organisations are often governed by the Privacy Act and must follow the Australian Privacy Principles (APPs). The Privacy Act applies to many entities within the not-for-profit sector, such as trusts, cooperatives, body corporates and unincorporated associations. As a general rule it covers organisations with an annual turnover of more than $3 million, but smaller organisations are also covered if, for example, they provide a health service and hold health information, or trade in personal information. The APPs are the cornerstone of the Privacy Act and provide a framework for privacy protection. They consist of 13 legally binding principles that outline the basic requirements organisations need to follow when collecting, using, disclosing and storing personal information. These laws hold organisations accountable for the protection of personal information, and require them to take reasonable steps to prevent the risk of serious harm to individuals.
If found to be in breach of the Privacy Act, organisations could face penalties of up to the following, whichever is greater:
- $10 million (maximum penalty)
- Three times the value of any benefit obtained through the misuse of information
- 10% of a company’s annual domestic turnover
4. Not-For-Profits are Known for Having Subpar Cyber Security
It is often a lack of adequate security measures, spurred by an it-won’t-happen-to-me mindset, that puts not-for-profits at risk of cyber attack. Many not-for-profits don’t see the need to expend valuable resources on cyber security, especially smaller organisations that lack the funds, staff and expertise. In fact, 66% of not-for-profits polled in a 2016 survey had no plans to allocate more funds to their cyber security budget, despite the rising threat of cyber attack. Even more concerning, nearly half of these organisations had not undergone a cyber risk assessment in over a year. It also doesn’t help that many not-for-profits cut costs by relying on unmaintained free software and cheap web hosting with no security guarantees, leaving systems unpatched and exposed.
To make matters worse, The State of Nonprofit Cybersecurity Report, published in 2018 by the Nonprofit Technology Network (NTEN), found similar gaps in cyber security practices across a variety of small organisations in the not-for-profit sector. Some of the most concerning lapses in cyber security practice included:
- No documented policies or procedures to follow in the event of a cyber attack (no incident response plan)
- No cyber security training provided for employees or volunteers
- No tools for managing files, passwords and shared accounts, so user IDs and passwords are shared informally
- No dedicated IT security staff
This relaxed approach to cyber security leaves not-for-profits woefully underprepared to defend against and recover from cyber attacks. Unfortunately, this makes not-for-profits a popular target for cyber criminals, who know exactly how to exploit any weaknesses they come across. Ineffective cyber security measures not only leave not-for-profits vulnerable to attack, but also increase the time and cost of recovering from one. The longer it takes to detect and respond to an attack, the more time the attacker has to move through the network, exfiltrate data and encrypt systems, and the worse the damage will be.
In September 2020, Anglicare Sydney had over 17 gigabytes of data transferred from its network to a remote location. The potentially sensitive information was then held for ransom. Luckily for the charity, which holds records detailing adoption, foster care, counselling and mental health services, the main system relating to its Out of Home Care program was not impacted. Ultimately, Anglicare Sydney was able to come away from the incident relatively unscathed, but other not-for-profits won’t always be as lucky. In fact, this was just one in a string of cyber incidents targeting organisations in the Australian health and aged care sectors. Furthermore, as one of the largest and most publicly recognisable charities in Australia, Anglicare Sydney was in a better position than most not-for-profits to handle such an attack.
5. Cyber Attacks Can Have Devastating Consequences
While some not-for-profits may have the resources to survive a cyber attack, the damage caused can be devastating and sometimes even permanent. Cyber crime incidents can result in some (and sometimes all) of the following consequences:
- theft of sensitive data
- disruption to daily operations
- unauthorised changes to information, network and/or systems
- costs of restoring data and/or daily operations
- costs of notification and investigation (such as legal expenses)
- costs arising from the attack itself (such as extortion, ransomware, etc.)
- financial penalties and/or regulatory action
- loss of public trust and damage to reputation
For most not-for-profits, the most devastating consequences of a cyber attack are the theft of sensitive information and the disruption to daily operations. When these incidents occur, organisations face costly expenditures in their efforts to contain the breach and regain control of their IT systems. These expenses may include hiring IT professionals, replacing devices, implementing new IT infrastructure, procuring software and even paying legal fines. This is not to mention the loss of time and productivity not-for-profits endure while waiting for the issue to be resolved. In addition, not-for-profits may have to make the difficult decision of whether to give in to cyber criminal demands in the event of a ransomware attack. In some cases, paying the ransom may seem like a quick and easy fix, but there is never a guarantee that the data will be decrypted, or that any stolen copy will be deleted rather than sold on. The ACSC advises against paying. Cooperating with cyber criminals can also lead to further problems, as any attacker looking for an easy payday will now know exactly which organisation to target.
What most not-for-profits don’t consider, however, is the cost of having to temporarily halt activity due to a cyber attack, as well as the overall damage to their reputation. For instance, if a not-for-profit’s website is compromised, then it will need to be taken offline immediately. While this may only be a temporary situation, it will mean a loss of revenue, as potential supporters will not be able to donate through the webpage, learn more about the organisation or even find it in Google searches. Furthermore, many individuals may be hesitant to provide the details necessary to donate after learning of a cyber security incident. Not-for-profits cannot continue to offer support and services without the trust and support of the public; to lose that would mean to lose everything.