
Posted on 22 Jul 2025
By Nick Place, journalist, Institute of Community Directors Australia
Cyber-security expert Nik Devidas is not a fan of charity leaders being told that when it comes to the threat of online scams, they need to “be vigilant”.
“That puts all the onus back on the end person; it’s over to you,” he told the Community Advocate. “Even with all the advice in the world, people say, ‘I don’t know where to start.’”
Nik said charities and not-for-profits, small and large, need to be aware of practical, inexpensive ways to get on top of cyber threats.
The Australian Charities and Not-for-profits Commission (ACNC) has just released its first Cyber Security Risks compliance review summary, emphasising that boards and senior managers have a responsibility under the ACNC Governance Standards to be on top of managing the risk of cyber-attack and to have a game plan for dealing with incidents if they do occur.
A cyber-attack occurs every six minutes in Australia, according to the Annual Cyber Threat Report: 2023–2024 from the Australian Signals Directorate. The attacks cost affected businesses an average of $49,000 per incident, along with reputational damage, stress and lost time.
Taking an even wider view, Targeting Scams, published by the National Anti-Scam Centre in March this year, calculated combined reported losses from scams in 2024 at $2.03 billion, a 25.9 per cent decrease on 2023.
For charities, cyber-threats can be a mysterious, exhausting and shadowy threat, requiring unknown amounts of resources, expenses and specialist knowledge to guard against.
But the need to be on top of the threat, as a governance requirement, is stronger than ever. Devidas said the Australian Prudential Regulation Authority’s (APRA’s) updated standard for operational risk management for business (CPS230) now incorporates the standard for information security (CPS234), which was previously not mandated.
Devidas, who has two decades of experience in IT management, sits on government boards and is CEO of 4walls Cyber Advisory, has advice for NFP leaders who handball anti-hacking strategy to the IT department, or whoever in the organisation’s often small staff has been handed that task.
“I ask them, ‘If you do get hacked and lose data from your donors or something similar, are you going to put your IT department in front of the media?’ They say, no, of course it would be the CEO or the chair, and so I say then that means they need to lead the initiative,” he said.
The ACNC’s Cyber Security Risks compliance review surveyed a variety of charities and found the large ones, with resources, were doing a good job when it came to cyber health. They typically had strong IT and data management policies and systems in place, and the capacity to research, monitor and stay on top of governance requirements.
Some smaller, less resourced NFPs, on the other hand, were struggling.
“Smaller organisations we reviewed were often not as advanced in their approach to cyber security,” an ACNC spokesperson said. “Some smaller organisations drew on staff expertise in areas like information technology and were accessing resources that were free and already available.”
But issues emerged with cyber security governance when charities took their eye off the issue, did not have a plan for the event of an attack, or failed to have appropriate policies and procedures relating to data management and retention, including with third-party contractors.
Devidas said there wasn’t much mystery to the most likely way to get hacked or phished. “The easiest mechanism is and always has been the weakest link, which is people. And the mechanism to deliver that is email, hence spam filters,” he said. “It’s very hard to break into a banking system, but if you can break the person and convince them that yes, it's legitimate, then that's the easy way to the money.”
He said AI was helping technically savvy hackers to create and code more sophisticated email campaigns, deepfake videos and calls, but the threat could also come from much less skilled hackers. “I could swap my credit card today, pay about 150 bucks, get a ransomware as a service product, buy an email list for 50 bucks,” he said. “I’ve spent 200 bucks and I can just start emailing people ransomware. As one hacker said when caught and asked why he did it, he said, because it worked.”
ACNC commissioner Sue Woodward has said that cyber-security management doesn’t need to be expensive or high-tech. It starts with an NFP understanding what data it is holding, understanding why, and understanding the risks.
“As a matter of good practice (and, for many, also because of legal requirements), charities should have a policy that outlines the way they collect, store and use people’s data. The policy will help determine what approach your charity takes to managing information, guide your staff and volunteers, and provide assurances to your donors, supporters and members.
“A key tip is only collecting the minimum amount of information about a person required for a particular purpose, and then only store it for as long as required for that purpose.”
Nik Devidas thinks education is the key because every time you hire somebody, you don’t know how vigilant or knowledgeable they are going to be about spotting potential cyber-attacks. He said a strong culture was essential, so new employees felt empowered to ask questions if they spotted something that looked fishy.
“If your ageing parent rings to say he or she is not sure about an email or a phone call they received, you can have that interaction, whereas if you have 20 or 120 or more people in your business – and people come and go – you really need to say to those new people: this is the way we do things and we need you to look out for certain things, as well as do your job.”
Nik added that the solution doesn’t lie in the evolution of browsers or email. “The bad guys aren’t going away. If you want to be online, you’ll be found, and so it’s about, okay, how do I handle this sort of thing?”
Nik Devidas joins ICDA this Thursday for a special webinar examining the latest cyber threat trends. You’ll leave with five board-friendly actions you can take within the next week, whether that’s a quick cross-check with your IT provider or a no-cost DIY fix.
Expect plain language, real-world charity examples and a takeaway checklist you can pass straight to staff or fellow directors.
Date: Thursday, July 24, 2025
Time: 1–2pm AEST (check the webpage for your local time)
Price: ICDA members can attend this webinar for just $99 (normally $120)