Four easy things to do now to boost your not-for-profit’s cybersecurity

Posted on 27 Oct 2021

By Matthew Schulz, journalist, Our Community

Hacker Christoph Scholz Flickr  169

Data breaches are among the biggest risks facing not-for-profits, but according to one cyber security expert, there’s plenty of “low-hanging fruit” you can pick to help you keep that data safe.

Adam Smallhorn

A free October 2021 webinar hosted by Our Community and the Commonwealth Bank, Protecting your data, attracted more than 400 groups keen to keep on top of the latest trends.

Presenter Adam Smallhorn, from the Commonwealth Bank’s cyber security outreach team, said many protective methods were free or easy to implement.

He nominated the top four safety measures organisations should take immediately:

  • education
  • two-factor authentication on critical accounts
  • protecting your email
  • updating software regularly.

Mr Smallhorn said educating staff and volunteers and creating a culture of data safety was often the first big step towards keeping an organisation protected. CommBank has produced a “white labelled” free cyber safety app for staff and volunteers (

Two-factor authentication worked as a second line of defence for critical accounts, Mr Smallhorn said, by requiring an extra code when signing on, especially onto new accounts or new computers. This helps prevent password attacks.

“If you do one thing, this is going to really help. This is really good bang for buck,” Mr Smallhorn said.

Email “quick wins” include automatically delaying sending important emails to avoid accidental sends (even if delays are set for just one minute), using in-built security tips in email software, and disabling auto-complete functions to prevent emails being sent to wrong addresses or with inappropriate information.

And he said automatic updates on critical software help ensure that anti-virus software, browsers and operating systems are less vulnerable.

Mr Smallhorn said anyone wanting to develop good cybersecurity should understand the influence of:

  • technology
  • people
  • processes.

Mr Smallhorn said it was necessary to look at all those areas, especially when protecting against “malicious” attacks such as phishing, ransomware, hacking and malware.

But as he put it, “the easiest attack vector for criminals is people”.

Mr Smallhorn said it was easy for crooks to target organisations.

In one example, he showed how a would-be hacker could simply look at a founder’s bio, usernames, social media accounts, birthdays and other dates, favourite sports teams, pets’ names and children’s names, and use that information in a freely available password generator.

Password generators are able to compose 10,000 likely passwords in “milliseconds”. Those can be used to access websites, emails and worse.

“That’s why we say that people are actually a huge component of your cybersecurity.”

He said phishing scams accounted for most successful cyberattacks, and that even though 80 percent of workers knew the risks, “they click on the link anyway”.

He stressed that raising awareness of the risks – and increasing knowledge about the signs of phishing scame, such as misspellings and requests for personal information – was very important for organisations.

Click on the cover to get your copy.

Questions to ask include “Have I talked to my staff, my team about this? Are we vulnerable to attack?”

His top tips?

  • Lead by example, and expect your organisation to use strong passwords
  • Make someone in the organisation responsible for cyber security
  • Focus on the people and process, not just technology
  • Build a cybersecurity culture
  • Use the free resources available.

He suggested a good place to start your cyber safety journey was with Damn Good Advice on Cyber Safety and Fraud Prevention, jointly produced by Our Community and CommBank.

Become a member of ICDA – it's free!