Charities at risk of being left defenceless in cyber-crime battle

“The Australian Cyber Security Centre (ACSC), which monitors and provides advice on cyber threats, received more than 76,000 reports during the 2021–22 financial year. On average, this equates to a cyberattack every seven minutes. Self-reported losses for one year totalled in excess of $35 billion.” (ACSC Annual Cyber Threat Report, July 2021 to June 2022)

The Australian government is finalising a new cyber security strategy.

The Minister for Home Affairs, Clare O’Neil, outlined the government's intention in a speech to the Australian Financial Review Cyber Summit this week.

Leading into her description of the new cyber security policy, Minister O’Neil said, “Cyber security is the fastest changing national security threat that our country faces... we have an urgent economic and security imperative to make a step change as a country for how we deal with cyber issues.”

The new Cyber Security Strategy will include six "shields" across the following areas:

• Cyber security awareness – community and business
• Safe technology – cyber safe products (software, phones etc)
• Blocking threats – active national anti-hacking initiatives
• Protecting critical infrastructure – additional protections for some high-risk facilities
• Building cyber capacity – across business and the community
• Global engagement – actively supporting global cyber security initiatives.

Cyber security is now a priority concern for governments and business.

Unfortunately, the same cannot be said for all charities, even though the potential for damaging cyber security hacks in this sector is just as real and pressing.

In a joint Community Council for Australia (CCA) and Australian Council for International Development (ACFID) webinar this week, Lyn Morgain from Oxfam and Doug Taylor from the Smith Family outlined their experiences as CEOs of organisations that had experienced a cyber attack.

Their presentations were made more poignant by the fact that both these charities had invested considerable time and energy ensuring they had good cyber security and systems protections in place before they were attacked.

Between them Oxfam and the Smith Family had to spend hundreds of thousands of dollars addressing the hacks, and both also had to deal with the reputational risk as they made full public disclosures.

The lesson we all learnt listening to Lyn and Doug describe their experiences was that no matter how well prepared you think you are, an attack is a case of when, not if.

Even a small hack could have devastating consequences for an organisation. In some cases, the data held within charities and NFPs is much more sensitive than in many businesses.

David Spriggs, the CEO of Infoxchange, pointed out that according to his organisation's surveys of the sector, Oxfam and the Smith Family were in the top 20% of well-prepared charities and NFPs when it comes to cyber security.

Almost 50% of charities and NFPs do not have multi-factor authentication as standard in protecting access to their systems and devices. The same number do not train their staff in cyber security awareness.

Many charities and NFPs suggest cost is the issue preventing them from putting in place cyber security protection, while others indicate it is simply not their highest priority.

Either way, it seems the sector is a sitting duck for bad actors seeking to disrupt and capitalise on weak cyber security.