Imagine you have just set up a charity to help those in need, whether it be for those in distress, or for homeless people, or for other purposes; the causes are endless. You gain substantial donors and funds, and your organisation grows from all the hard work put into it. One morning, you wake up and discover all your funds have been usurped by an unknown entity online. All those hours spent working to raise funds – all gone in an instant. Perhaps it had something to do with that strange link you clicked on yesterday?
In an increasingly digitized world, the vulnerability of charitable organizations to cyberattacks has become a pressing concern, especially with charities and not-for-profits (NFPs) moving operations online.
Cyber attackers don’t just randomly target charities. This sector collects sensitive information, raises funds, and connects people, sometimes with a lack of oversight. Therefore, it presents an opportunity for large financial gain and information. As Community Council for Australia head David Crosbie states, “The sector is more vulnerable due to the lack of technology, funding and training.”
There have been devastating instances in the past of cyberattacks on charities. For example, a Ransomware gang stole 6.8TB of data from the Save The Children charity. Additional charities, like The Fred Hollows Foundation, Amnesty International, the Australian Conservation Foundation, and the Cancer Council, have also been affected.
According to Infoxchange’s 2022 Digital Technology in the Not-For-Profit Sector report, “Only 49% of organisations have an information security policy. However, funding in this area is increasing, with Australian charities spending 30% more on digital technologies in the last year than they had in 2021.”
Types of Cyber Threats That Charities Face
Charities may encounter various cyber threats, especially through digital weaknesses. Digital weaknesses may arise out of outdated software. This occurs more frequently in charities that don’t have enough funds to increase their digital strength, such as smaller charities. Attackers may also use phishing or ransomware.
What is phishing? phishing is often conducted via deceptive emails. These messages, disguised as trustworthy communications, aim to trick recipients into revealing sensitive information, such as passwords or financial details, by leading them to fake websites or installing malicious software through links or attachments.
Ransomware may occur after infiltration of a charity. This is when attackers block access to critical files and demand payment for the charity to access the files again, threatening to permanently delete or publish the compromised data if the ransom is not paid.
Cyber-security protections
Privacy Act 1988 (Cth) (Privacy Act):
Because of this well-known threat, implementing cyber-security laws has been elevated through the Privacy Act 1988. It establishes guidelines for secure handling of personal information, ensuring data protection, and promoting measures to prevent unauthorized access.
Australian Charities and Not-for-profits Commission (ACNC):
Charities are legally required to be registered with the ACNC, and to be registered, they must pursue charitable purposes and continue to be not-for-profit. Additionally, they are to keep financial records and report information annually to the ACNC through an Annual Information Statement (AIS).
Comprehensive client agreements:
Comprehensive client agreements outline the terms and conditions of the services provided, including security measures and data protection protocols.
Data and privacy agreements:
Data storage agreements and privacy protocols specifically address how the business handles and protects sensitive information.
How Can You Improve Cyber Security Protection?
Before entering into a contract, it is beneficial to thoroughly carry out due diligence by investigating the reputation, qualifications, and policies of a potential fundraising agency. This covers data collection, management procedures and the fundraising tactics employed. While malicious/criminal attacks or system failures have commonly led to breaches, studies have indicated that not-for-profits and charities are vulnerable to human error breaches, which can involve merely sending emails to incorrect recipients. Additionally, in the upcoming months, a set of national fundraising guidelines will be rolled out throughout Australia.
In order to comply with regulations, ACNC recommends that staff members undergo mandatory cybersecurity training, use multi-factor authentication to access systems, and review policies on an annual basis. “Every system has its vulnerabilities; however, relying on third-party providers always increases these risks and there is minimal control over the provider’s security,” ASIC states.
In summary, mitigating the risks associated with data security in charities involves adopting a dual strategy. First, by storing only essential information for the necessary duration and restricting access for third-party providers, potential vulnerabilities are minimized. In the digital era, strong client agreements and data privacy protocols are essential defences against cyber threats. These agreements establish clear expectations, define security measures, and demonstrate a commitment to ethical data handling. They play a vital role in safeguarding businesses and client data, minimizing financial and reputational risks, and fostering trust in the dynamic landscape of cyber threats.
Additionally, having a well-structured action plan for responding to data attacks is crucial, serving as a proactive measure. These factors significantly reduce both the risk and impact of a potential data breach.
For additional information on potential risks and precautionary measures, please reach out to Warlows Legal at: info@warlowslegal.com.au
