Brisbane's Trusted IT Partner – Vent Tech

Why Not-for-Profits Need Cybersecurity More Than Ever

If you run a not-for-profit, cybersecurity probably isn’t at the top of your priority list. You’re focused on delivering services, managing volunteers, writing grant applications, and stretching every dollar as far as it’ll go.

But here’s the uncomfortable truth: cybercriminals are increasingly targeting charities and NFPs — precisely because they know you’re under-resourced and under-protected.

NFPs Are Not Too Small to Be Targeted

There’s a dangerous myth in the not-for-profit sector: “We’re too small. We don’t have anything worth stealing.” That’s simply not true.

Your organisation likely holds:

  • Donor financial data — credit card details, bank account numbers, recurring donation information
  • Personal information — names, addresses, phone numbers, dates of birth of donors, volunteers, and service recipients
  • Sensitive case files — if you deliver social services, health support, or advocacy, you may hold deeply personal information about vulnerable people
  • Staff and volunteer records — tax file numbers, superannuation details, working with children checks

That’s a goldmine for identity theft and fraud.

Real-World Breaches That Hit Close to Home

This isn’t hypothetical. Major charities have been hit:

  • The Red Cross (ICRC), 2022 — A sophisticated cyber attack compromised the personal data of more than 515,000 vulnerable people, including those separated from families by conflict and disaster. The data included names, locations, and contact information of people in extremely vulnerable situations. The ICRC later reported that the attackers got in through an unpatched critical vulnerability in an authentication product (Zoho ManageEngine ADSelfService Plus) on its servers: exactly the kind of gap that routine patching closes.
  • The Smith Family, late 2022 — The Australian children’s charity confirmed a data breach after an attacker gained access to a staff member’s email account, exposing personal information of donors and supporters, including partial payment card details for some. The charity notified affected individuals and the OAIC.
  • Pareto Phone, 2023 — A third-party telemarketing firm used by dozens of Australian charities was hit by a ransomware attack, exposing donor data from organisations including The Cancer Council, Canteen, and The Fred Hollows Foundation. Some of the exposed records were years old, data the charities believed had already been deleted. Charities that had shared donor lists were left scrambling.

The Pareto Phone breach is particularly instructive. Those charities didn’t get hacked directly; their vendor did. They still bore the reputational damage and had to face their donors. Before you hand donor lists to any supplier, know exactly what data they will hold, how long they keep it, how they will prove deletion when the engagement ends, and how quickly they must tell you about a breach. Put those terms in the contract, not in an email.

DGR Obligations and Data Responsibility

If your organisation holds deductible gift recipient (DGR) status, you’re collecting financial information from donors who expect it to be protected. The Australian Privacy Act applies to you if your annual turnover exceeds $3 million, and it applies regardless of turnover if you are a health service provider holding health information, which covers many NFPs delivering health and disability support. Organisations covered by the Act must also report eligible data breaches to the OAIC and to affected individuals under the Notifiable Data Breaches scheme. Even below the turnover threshold, charities registered with the ACNC must meet the ACNC Governance Standards, and demonstrating proper governance increasingly includes protecting the data you hold.

A breach doesn’t just risk fines. It risks the one thing your organisation can’t afford to lose: donor trust. If supporters don’t trust you with their data, they won’t trust you with their money.

The Volunteer Access Problem

Most corporate environments have controlled user access — everyone has their own account, devices are managed, and there are clear policies about what people can access.

NFPs? Not so much.

Common scenarios we see:

  • Shared login credentials across multiple volunteers
  • Personal laptops and phones accessing organisational data with no security controls
  • Former volunteers who still have access to systems months after leaving
  • No multi-factor authentication on email or cloud platforms
  • Passwords written on sticky notes (yes, still)

Every one of these is a vector for a breach — not because your volunteers are malicious, but because convenience without controls creates risk.

The Essential Eight: A Practical Framework for NFPs

The Australian Signals Directorate (ASD) developed the Essential Eight: a set of baseline mitigation strategies that make it much harder for attackers to compromise your systems. It’s not just for government and big business. It’s increasingly relevant for NFPs, especially those handling sensitive data.

The eight strategies are: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. They’re practical, prioritised, and achievable, even on an NFP budget.

You don’t need to reach the highest maturity level overnight. The model defines Maturity Levels Zero to Three, and ASD recommends implementing all eight strategies together to the same level (Level One is a sensible first target) rather than perfecting one strategy while ignoring the rest. But you do need to start.

Five Things You Can Do This Week

  1. Turn on multi-factor authentication (MFA) — On every account: email, CRM, cloud storage, banking. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or SIM-swapped. This single step defeats most attacks that rely on a stolen or guessed password.
  2. Audit who has access to what — Remove former staff and volunteers. Eliminate shared logins: give every person their own account, and use a shared mailbox or group where several people genuinely need the same inbox. Know who can see your donor data, and repeat the review on a set schedule, not just once.
  3. Update everything — Operating systems, browsers, applications. Turn on automatic updates wherever you can. Unpatched software is one of the easiest ways attackers get in.
  4. Back up your data — Keep at least one copy that attackers can’t reach from your network (offline, or in storage that a compromised account can’t alter or delete), because ransomware goes after connected backups first. And test that you can actually restore from those backups. A backup you can’t restore is not a backup.
  5. Train your people — Phishing is still the most common way attackers get their first foothold. A 30-minute awareness session, paired with a simple way for staff and volunteers to report suspicious emails, can dramatically reduce your risk.
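The access review in step 2, and the shared-login, stale-account and no-MFA scenarios listed under The Volunteer Access Problem, can be done in an afternoon if your organisation runs on Microsoft 365. The script below is an added example, not something from the original post or a Vent Tech tool. It assumes a Microsoft 365 / Entra ID tenant, the Microsoft.Graph PowerShell module, an Entra ID P1 licence (included in Microsoft 365 Business Premium, which many NFPs hold at nonprofit pricing) so that last-sign-in data is available, and an account permitted to read users and sign-in reports. The 90-day threshold and the list of shared-looking account names are assumptions to adjust to your own conventions.

```powershell
# Added example (not from the original post): flag risky accounts in a
# Microsoft 365 / Entra ID tenant. Assumes the Microsoft.Graph PowerShell
# module is installed, the tenant has Entra ID P1 so SignInActivity is
# returned, and you hold a role that can read users and sign-in reports.
#
# Install-Module Microsoft.Graph -Scope CurrentUser   # run once
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

$staleDays = 90                                   # assumption: adjust to your policy
$cutoff    = (Get-Date).AddDays(-$staleDays)

# 1. Every account, with its last sign-in timestamp.
$users = Get-MgUser -All -Property Id,DisplayName,UserPrincipalName,AccountEnabled,UserType,SignInActivity

# 2. MFA registration state, one row per user, keyed by UPN for lookup.
$mfa = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $mfa[$_.UserPrincipalName.ToLower()] = $_ }

# Names that usually mean a shared login rather than a person.
# Hypothetical list; replace with the patterns your organisation uses.
$sharedHints = 'admin|volunteer|reception|frontdesk|info|donations|shared|generic'

$findings = foreach ($u in $users) {
    if ($u.UserType -eq 'Guest') { continue }       # review guest access separately
    $last = $u.SignInActivity.LastSignInDateTime
    $reg  = $mfa[$u.UserPrincipalName.ToLower()]

    $issues = @()
    if ($u.AccountEnabled -and ($null -eq $last -or $last -lt $cutoff)) {
        $issues += "no sign-in in $staleDays days (former staff or volunteer?)"
    }
    if ($u.AccountEnabled -and $reg -and -not $reg.IsMfaRegistered) {
        $issues += if ($reg.IsAdmin) { 'ADMIN without MFA' } else { 'MFA not registered' }
    }
    if ($u.UserPrincipalName -match $sharedHints) {
        $issues += 'looks like a shared login'
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            User       = $u.UserPrincipalName
            Enabled    = $u.AccountEnabled
            LastSignIn = $last
            Issues     = ($issues -join '; ')
        }
    }
}

$findings | Sort-Object User | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\access-review.csv
```

Treat the CSV as a worklist rather than a report to file away: disable stale accounts first (deleting can be done later, once you have kept whatever mail and files the role needs), turn shared logins into shared mailboxes with named members, and chase every account flagged without MFA before you enforce it tenant-wide through security defaults or a Conditional Access policy. Run it again next quarter.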

You Don’t Have to Figure This Out Alone

Cybersecurity can feel overwhelming, especially when you’re already stretched thin. But ignoring it is no longer an option — not when the people you serve, and the donors who fund your work, are counting on you to protect their information.

If you’re not sure where your organisation stands, learn how Vent Tech supports not-for-profits with cybersecurity, managed IT, and strategic guidance — built for your budget and your mission.
