Charities at risk of being left defenceless in cyber-crime battle

Posted on 20 Sep 2023

By David Crosbie

The federal government appears to be taking the risk of cyber-crime seriously – just not when it comes to the concerns or vulnerability of the charities and not-for-profit sector, writes Community Council for Australia CEO David Crosbie.

“The Australian Cyber Security Centre (ACSC), which monitors and provides advice on cyber threats, received more than 76,000 reports during the 2021–22 financial year. On average, this equates to a cyberattack every seven minutes. Self-reported losses for one year totalled in excess of $35 billion.” (ACSC Annual Cyber Threat Report, July 2021 to June 2022)

The Australian government is finalising a new cyber security strategy.

The Minister for Home Affairs, Clare O’Neil, outlined the government's intention in a speech to the Australian Financial Review Cyber Summit this week.

Leading into her description of the new cyber security policy, Minister O’Neil said, “Cyber security is the fastest changing national security threat that our country faces... we have an urgent economic and security imperative to make a step change as a country for how we deal with cyber issues.”

The new Cyber Security Strategy will include six "shields" across the following areas:

Cyber security awareness – community and business
Safe technology – cyber safe products (software, phones etc)
Blocking threats – active national anti-hacking initiatives
Protecting critical infrastructure – additional protections for some high-risk facilities
Building cyber capacity – across business and the community
Global engagement – actively supporting global cyber security initiatives.

Cyber security is now a priority concern for governments and business.

Unfortunately, the same cannot be said for all charities, even though the potential for damaging cyber security hacks in this sector is just as real and pressing.

In a joint Community Council for Australia (CCA) and Australian Council for International Development (ACFID) webinar this week, Lyn Morgain from Oxfam and Doug Taylor from the Smith Family outlined their experiences as CEOs of organisations that had experienced a cyber attack.

Their presentations were made more poignant by the fact that both these charities had invested considerable time and energy ensuring they had good cyber security and systems protections in place before they were attacked.

Between them Oxfam and the Smith Family had to spend hundreds of thousands of dollars addressing the hacks, and both also had to deal with the reputational risk as they made full public disclosures.

The lesson we all learnt listening to Lyn and Doug describe their experiences was that no matter how well prepared you think you are, an attack is a case of when, not if.

Even a small hack could have devastating consequences for an organisation. In some cases, the data held within charities and NFPs is much more sensitive than in many businesses.

David Spriggs, the CEO of Infoxchange, pointed out that according to his organisation's surveys of the sector, Oxfam and the Smith Family were in the top 20% of well-prepared charities and NFPs when it comes to cyber security.

Almost 50% of charities and NFPs do not have multi-factor authentication as standard in protecting access to their systems and devices. The same number do not train their staff in cyber security awareness.

Many charities and NFPs suggest cost is the issue preventing them from putting in place cyber security protection, while others indicate it is simply not their highest priority.

Either way, it seems the sector is a sitting duck for bad actors seeking to disrupt and capitalise on weak cyber security.

"Charities and NFPs need to do a lot more to address the threat posed by cyber security, especially given that we are clearly not a priority for government."

At CCA we wrote to the Prime Minister, the Minister for Home Affairs, and the National Cyber Security Co-ordinator a month ago. Copies of the letter were provided to the Assistant Minister for Charities, Dr Andrew Leigh.

Our letter argued in part:

“Charities hold extensive personal and financial information from millions of Australians.

“Despite having a massive footprint in our economy and in our lives, charities and not-for-profits have not been provided with the support they need to deal with an increasingly sophisticated level of cyber-attacks.

“Unlike business, charities spend every spare dollar they can find on serving their communities. Allocating more resources to strengthen cyber security would mean reducing the level of services available in our communities.

“Many charities and NFPs struggle to withdraw services, even though cyber security is clearly an important priority.

“There will be cyber-attacks on charities and there is real potential for certain kinds of attacks to significantly damage confidence and trust in our sector. Cyber-attacks in our sector could also have devastating impacts on individuals and communities.

Community Council for Australia CEO David Crosbie.

“We ask that you consider providing increased support for charities across Australia to be able to review their current cyber security preparedness and to invest in better data security and protection.

“This is no more than what your government is already providing to business.

"Leaving charities to fend for themselves in dealing with the threat posed by global cyber security attacks is not an acceptable policy approach.”

Not once did the Minister for Home Affairs mention charities or not-for profits in her speech to the Cyber Summit, nor in the subsequent media coverage and discussion of cyber threats that I managed to follow.

No one has responded to our letters.

It’s as though cyber security is only an issue for business or government. Or that charities and NFPs are seen as a subset of small business – even though none of the extensive small business cybersecurity concessions and grants are available to our sector.

Charities and NFPs need to do a lot more to address the threat posed by cybersecurity, especially given that we are clearly not a priority for government.

It will be the communities we serve who will ultimately pay the price if we fail to support the cyber security capacity of charities and NFPs in Australia.

David Crosbie has been CEO of the Community Council for Australia for the past decade and has spent more than a quarter of a century leading significant not-for-profit organisations, including the Mental Health Council of Australia, the Alcohol and other Drugs Council of Australia, and Odyssey House Victoria. 

Subscribe to the Community Advocate, our weekly newsletter