Sector left empty handed after plea for government cyber security aid

Posted on 20 May 2024

By Greg Thom, journalist, Institute of Community Directors Australia

Charity and not-for-profit organisations have expressed bitter disappointment that Canberra has ignored their pleas for federal Budget funding to help the sector defend itself against cyber attacks.

Despite providing generous support for business, the government’s cyber security strategy did not contain any dedicated funding for charities to bolster digital resilience.

Ahead of the budget, the sector sought $20 million over three years to improve cybersecurity awareness, training and protection.

A coalition of peak sector bodies who lobbied the Albanese government for help now say the lack of government support is putting donors’ data and sensitive information at risk.

The Community Council for Australia, the Australian Council for International Development, Fundraising Institute Australia and the Public Fundraising Regulatory Association warned that their members were being targeted by criminal networks.

Community Council for Australia chair Rev Tim Costello said the federal Budget had given business and government millions to bolster cybersecurity, while ignoring pleas from under-resourced charities and NFPs who were losing millions to cybercriminals.

“This lack of funding leaves donors’ financial data, and highly sensitive information about millions of vulnerable Australians, exposed,” he said.

Rev Costello said charities manage thousands of services for vulnerable people on behalf of federal and state governments.

“Many operations are tiny and rely on volunteers who are not equipped to keep pace with rapidly evolving cybersecurity requirements.”

The Infoxchange 2023 Digital Technology in the Not-for-Profit Sector report revealed that one in eight organisations had experienced a cyber security incident or breach.

Just 12% provided regular cybersecurity training to staff and only a quarter had a policy on how to protect information from cybersecurity threats.

This is despite the risk of cyber attack being top of mind for many sector organisations.

The Australian Nonprofits State of the Sector 2023 report found one in five Australian charities and NFPs fear that a cyber attack would devastate their organisation.

“Charities are caught between a rock and a hard place trying to balance legitimate community expectations and the soaring cost of keeping data safe."

Community Council for Australia chair Rev Tim Costello.

In an analysis of cybersecurity funding in this year's federal Budget, AUSCERT general manager Dr Ivano Bongiovanni outlined a raft of initiatives designed to strengthen Australia's defence against malicious attack.

“This year’s Budget maintains a traditional focus on equipping government departments and agencies with resources to strengthen their cyber resilience," said Dr Bongiovanni.

"Government departments and agencies including the Australian Tax Office, the Australian Prudential Regulatory Authority, the Australian Securities and Investments Commission, the Department of Parliamentary Services and independent statutory agencies such as NDIS received significant budget allocations.

"While the 2023 Budget contained more specific references to the protection of businesses, this Budget’s ultimate beneficiaries appear to be citizens, including from more vulnerable groups.”

Key announcements included:

$288 million to strengthen Australia’s Digital ID program

$39.9 million toward the safer use of artificial intelligence (AI)

$50 million to improve myGov fraud detection capabilities

ASIC and APRA will receive more than $206 million over four years (partly funded by industry levies) to improve data capability and cybersecurity, including combatting online scams.

Dr Bongiovanni said Budget commitments to several government departments and agencies, including the Department of Foreign Affairs and Trade and the Australian Sports Foundation ($8 million), will extend over several years, highlighting an ongoing government commitment to boosting Australia’s cyber security capability.

“The long-term commitments made in this budget reflect the reality that securing our nation’s information assets is an ongoing program and not a one-off project.

“With online fraud and identity theft a major issue for every citizen, the commitment to a Digital ID will boost protection for consumers and make it harder for criminals to commit identity-based crimes.”

AUSCERT is a not-for-profit, member-funded organisation based at the University of Queensland. It provides support to businesses during cybersecurity incidents, as well as threat intelligence services and ongoing education and development programs.

The sector's lack of preparedness to deal with cyber threats was brought into sharp focus in August 2023 when a ransomware attack on third-party telemarketing company Pareto Phone resulted in a massive data breach.

The attack resulted in data from more than 70 Australian and New Zealand charities and details of 50,000 donors being dumped on the dark web.

The affected organisations were a who’s who of the sector, ranging from Amnesty International to the Wilderness Society and Médecins Sans Frontières (Doctors without Borders).

The incident led to a warning from authorities to charities and NFPs to be wary of relying on third-party providers who have access to their data.

The sector was further spooked by data security breaches at Surf Life Saving Victoria on November 28 and St Vincent's Health on December 19.

Days after the Pareto attack, Community Council for Australia CEO David Crosbie wrote to Prime Minister Anthony Albanese and Minister for Cyber Security Clare O’Neil calling on the government to better protect charities from cyber attacks.

The letter was co-signed by the CCA board, which includes Mission Australia CEO Sharon Callister, RSPCA Australia CEO Richard Mussell and Volunteering Australia CEO Mark Pearce.

The plea was followed up by a visit to Canberra by sector leaders, who met with staff at the Department of Home Affairs to discuss cyber safety support for charities and not-for-profits.

The meeting with senior federal government cyber security officials followed complaints the sector was being left to fend for itself in the wake of the cyber crime onslaught.

The Australian Charities and Not-for-profits Commission (ACNC) has made the ability of charities and NFPs to manage cyber security threats a key focus of its approach to compliance and enforcement in the coming year.

ACNC commissioner Sue Woodward described cyber security as a "key governance risk” for the sector.

In the lead up to this year's federal Budget, those lobbying for help were quietly confident Canberra would respond positively, but instead they have been left frustrated.

“People rightly expect charities to keep operating expenses as low as possible and prioritise the provision of critical services,” said Rev Costello.

“Charities are caught between a rock and a hard place trying to balance legitimate community expectations and the soaring cost of keeping data safe.

“Helping the sector achieve this is vital to ensuring ongoing public confidence in supporting organisations that serve our communities, society and country.”