NFPs receive a cyber security windfall under national strategy

The funding of $89.3 million over four years will see the government implement stage two (“Horizon 2”) of the national cyber security strategy, which aims to “help realise the Australian Government’s vision of becoming a world leader in cyber security by 2030”.

Under stage two, the government aims to “Make it easier for small and medium businesses, and the not-for-profit sector, to strengthen their cyber security.”

The government’s aim dovetails neatly with the not-for-profit sector’s ambition to “contribute to and benefit from digital transformation”, as outlined in the Not-for-profit Sector Development Blueprint, the 10-year strategy developed independently by the sector and published in 2024.

The Blueprint calls on government to “invest in and promote effective supports that enable NFPs to achieve a minimum level of data, cyber security and digital capability and data-informed management decisions”.

It also calls for investment in “existing sector-led initiatives, peer networks and communities of practice that support digital transformation”, for measurement of the sector’s digital capability, and for review and prioritisation of resourcing needs “in relation to changing digital and data capability demands over the life of the Blueprint.”

Burke’s latest announcement shows the government has heeded some of the sector’s calls, with its moves to simplify cyber security for the NFP sector, as well as for small to medium businesses.

Burke said the Department of Home Affairs intended to work with the National Cyber Security Coordinator, the Australian Charities and Not-for-profits Commission (ACNC), the Department of Social Services and the Australian Signals Directorate to build the NFP sector’s cyber security capability, knowledge and strength.

The outcomes are expected to include an NFP-tailored version of a new CyberSmart program that seeks to provide a nationally consistent cyber security standard for small to medium businesses.

“Supporting the sector to uplift cyber resilience requires a multi-faceted approach, including improving access to practical and trusted guidance, strengthening sector capability … and fostering collaboration between Government, industry, and the community,” Burke wrote in an internal government letter, outlining what was planned under stage two and how it would affect the NFP sector.

“The initiatives outlined are designed to address these priorities in a coordinated and sustainable manner,” he said.

He said the program was intended to provide a “not-for-profit cyber uplift community of practice”, which he described as a “Government-enabled, sector co-designed platform that fosters trusted collaboration, knowledge-sharing and practical uplift”.

He also promised a “not-for-profit cyber capability assessment”, which would identify gaps in cyber maturity across NFPs and assess the availability of cyber security services in the sector.

“This work will inform prioritisation of resources and enable targeted interventions for those parts of the sector most at risk,” Burke wrote.

He said that the resources available at cyber.gov.au would be “revamped to improve their relevance, accessibility and alignment with sector needs.”

The NFP sector faced unique challenges in addressing cyber security vulnerabilities, Burke said, all while playing “a critical role” in supporting Australian communities.

“We have committed to simplifying cyber security advice and [ensuring] support is targeted, evidence-based and tailored to all not-for-profits,” he said.

“Development of Horizon 2 has been informed through extensive engagement with Government and representative bodies, including the not-for-profit sector, through the Horizon 2 consultation process, roundtables and bilaterals. In these forums, the cyber resilience of not-for-profits and the need to uplift awareness and coordination was raised consistently as a key issue.”

2023–2030 Australian Cyber Security Strategy: Horizon 2 Action Plan, published by the Department of Home Affairs, warns that cybercrime costs the national economy an estimated $25 billion per year, “with the average cost of a cybercrime reported to the Australian Signals Directorate increasing 50 per cent between 2023–24 and 2024–25 to $80,000.”

A single catastrophic cyber incident has the potential to wipe out $35 billion, or 1.3 per cent of the gross domestic product (GDP), from the Australian economy, it warned.

Stage two of the strategy seeks to create a “human firewall” by educating workers to reduce the percentage of data breaches – currently 60 per cent –that occur as a result of human error, while also better protecting critical infrastructure and government systems.

The plan’s third objective is to shape, secure and embrace digital technology, including at not-for-profits as they look to use technology to boost their mission.

More information

The Horizon 2 action plan is here.