NFPs struggle to manage cyber security risk: report

Posted on 28 Nov 2024

By Greg Thom, journalist, Institute of Community Directors Australia

Just one in three not-for-profit organisations have effective processes in place to manage information security risks, according to a major new report on technology in the sector.

The Infoxchange Digital Technology in the Not-for-Profit Sector Report for 2024 reveals that despite the growing danger posed by cybercrime, only one in five organisations regularly conduct cyber security awareness training for staff and volunteers.

The report found that while sector organisations have made significant progress in their adoption of emerging technologies such as artificial intelligence (AI), most survey respondents considered their technology environment to be basic or challenged.

This has resulted in significant shortfalls in cyber security capability, use of data for measuring impact and the digital skills of staff and volunteers.

Key findings of the report, now in its ninth year include:

Data and reporting for evidence-based decision making has become the number one priority for NFPs in the year ahead, with only one in four organisations agreeing the quality of their data is good and readily supports their reporting requirements

77% of organisations don’t have systems that allow them to effectively understand the impact of their services
  
Adoption of AI intelligence has increased significantly, with 76% of organisations using generative or conversational AI tools compared to only 24% last year
 
Budget and funding remain the biggest challenge for organisations in building their digital capability.

The report's findings follow revelations in the recently released Paying What It Takes Report which found NFPs struggle to secure funding for ‘indirect costs’ such as IT, measurement and evaluation, reducing their ability to generate substantial impact.

Cyber security processes implemented by organisations.

“At a time where inequality is deepening, we need greater investment in data and technology capabilities so we can help staff on the front line and enable organisations to effectively respond.”  

Infoxchange CEO David Spriggs.

Budget and funding issues (up 11% to 61% from 2023)

Access to affordable and skilled technical resources (37%)

Staff capacity and capability (26%)

Listen to this panel of sector experts comprising Australian Charities and Not-for-Profits Commission (ACNC) commissioner Sue Woodward, Community Council for Australia CEO David Crosbie, The Smith Family CEO Doug Taylor and Beth Worrall from the National AI Centre discuss the 2024 Digital Technology in the Not-for-Profit Sector Report.

Infoxchange CEO David Spriggs said NFPs played a vital role in responding to and supporting vulnerable communities but were increasingly overwhelmed in trying to keep pace with digital technology.

“Cyber security threats are rising by the day, and the sector is not adequately prepared,” he said.

“The majority of not-for-profits are also struggling with their data and information systems to effectively measure their impact and provide insights to improve service delivery.” 

Spriggs said organisations that prioritised their digital technology capabilities could make stronger data-driven and evidence-based decisions.

“At a time where inequality is deepening, we need greater investment in data and technology capabilities so we can help staff on the front line and enable organisations to effectively respond.”  

Charities Minister Andrew Leigh said the Infoxchange report highlighted that many NFPs are not using protective tools such as multi-factor authentication, leaving them exposed to cyber risks.

“The Australian government understands the importance of addressing cyber risk and the fact we’ve already seen serious cyber-attacks in the NFP sector,” said Dr Leigh.

“Like businesses, NFP organisations need to be prepared for cyber-attacks, hardening their systems and reducing unnecessary data being kept in forward-facing systems.” 