Cybersecurity for NFPs in Australia: Protecting Your Mission in a Digital Age

November 11, 2025

The not-for-profit sector in Australia is dealing with an unprecedented cybersecurity crisis. While NFPs work tirelessly to serve vulnerable communities, advance social causes, and develop a more equitable society, they’re increasingly finding themselves targeted by highly skilled cybercriminals. The statistics paint an eye-opening picture: in 2025 alone, the NFP sector experienced a shocking 59% increase in ransomware events, and one in eight NFPs reported a data breach in the past year.

But here’s the vital insight that should mobilise every NFP board member, executive, and staff member: most of these attacks are preventable. With the right knowledge, practices, and mindset, Australian NFPs can considerably fortify their cyber defences without breaking the bank.

01. The Perfect Storm: Why NFPs Are Prime Targets

Not-for-profit organisations have become increasingly attractive targets for cybercriminals, and the reasons are both strategic and opportunistic:

  • High-Value Data, Low Defences: NFPs store sensitive information including donor details, beneficiary records, health information, and financial data—all valuable assets on the dark web.
  • Trust-Based Culture: The collaborative, mission-driven nature of NFPs shapes an ecosystem where staff and volunteers work with high levels of trust—ideal conditions for social engineering attacks to flourish.
  • Budget Constraints: The 2024 Digital Technology in the NFP Sector report shows that 61% of NFPs name budget and funding issues as their main technology challenge, often leading to legacy systems and limited IT security staff.
  • Cascading Impact: A successful cyberattack on an NFP doesn’t just influence the organisation—it can put vulnerable beneficiaries at risk, disclose donor information, and erode public trust in the broader charitable sector.

02. Real-World Impacts on Australian NFPs

Recent incidents highlight the sector’s vulnerability:

  • The Smith Family (2022) experienced a cyber security attack that accessed sensitive supporter data, including names, contact details, and partial credit card information.
  • Pareto Phone breach (2023) revealed donor data from over 70 Australian charities including Cancer Council, Fred Hollows Foundation, Canteen, and Amnesty International through a LockBit ransomware attack.
  • Oxfam Australia (2021) suffered a data breach impacting 1.7 million records, with the stolen data later posted on the dark web.
  • Multiple aged care NFPs have faced ransomware attacks interrupting both care delivery and financial operations, with potential data exposure requiring lengthy recovery periods.

03. New Regulatory Landscape: Cyber Security as Governance

The regulatory environment has changed significantly, making cyber security a board-level responsibility rather than merely an IT issue.

  • The Cyber Security Act 2024: From May 30, 2025, larger NFPs (those with annual turnover exceeding $3 million) must report ransomware payments within 72 hours or incur civil penalties of $19,800. The Act also establishes the Cyber Incident Review Board to undertake post-incident reviews and share lessons learned across sectors.
  • ACNC’s Governance Focus: The Australian Charities and Not-for-profits Commission (ACNC) announced cyber security as a key compliance and oversight priority for 2024-25. ACNC Commissioner Sue Woodward emphasised that cyber security is now firmly on the governance agenda: “This is a key governance risk for charities. Those who run charities are required to ensure good governance is in place to minimise the risks”.
  • Privacy Act and Notifiable Data Breaches Scheme: Privacy Act reforms and the Notifiable Data Breaches (NDB) scheme add further obligations for NFPs handling personal and confidential information. Organisations must take appropriate steps to secure information from improper use, tampering, loss, and unauthorized access.

04. Building Your Cyber Defence: Practical Strategies

You don’t need a Fortune 500 budget to substantially boost your cyber security posture. Here are evidence-based, cost-effective strategies tailored for Australian NFPs:

1. Implement Multi-Factor Authentication (MFA) Everywhere

Current Gap: Only 35% of NFPs have implemented MFA, although it is one of the most effective controls against unauthorized access.

Why It Matters: The Medibank breach, which affected 9.7 million people, reportedly happened because the company didn’t have MFA on its VPN. MFA requires at least two of three factor types: something you know (password), something you have (phone or hardware token), or something you are (biometrics).

Action Steps:

  • Enable MFA on all email accounts, cloud services, financial systems, and remote access portals
  • Start with critical systems first, then expand organisation-wide
  • Use reliable authenticator apps rather than SMS where possible

2. Tackle the Human Factor: Security Awareness Training

Current Gap: Only one in five NFPs regularly conduct cybersecurity awareness training, yet 90% of cybersecurity issues are caused by human error.

Why It Matters: Phishing and social engineering are the primary entry points for cybercriminals. Staff who can recognise threats become your strongest defence.

Action Steps:

  • Conduct routine, compulsory cybersecurity training for all staff and volunteers
  • Run simulated phishing exercises to test and reinforce learning
  • Cover the “seven tips to catch a phish” and safe browsing practices
  • Make cyber security awareness part of staff induction processes
  • Access free resources through Infoxchange’s Digital Learning Centre

3. Master the Essential Eight Framework

The Australian Signals Directorate’s Essential Eight framework delivers a graduated approach to cyber security that NFPs can adopt based on their risk profile and resources.

The Eight Essential Strategies:

1. Application control (whitelisting)
2. Patch applications regularly
3. Configure Microsoft Office macro settings
4. User application hardening
5. Restrict administrative privileges
6. Patch operating systems
7. Multi-factor authentication (MFA)
8. Regular backups

Implementation Approach: Start with Maturity Level 1 (protection against basic attacks using readily available tools) and progressively move toward Level 2 and 3. The Australian Cyber Security Centre found that 84% of reported attacks in 2020-21 could have been prevented or significantly minimised by adopting at least one Essential Eight strategy.

4. Protect Against Specific Threat Vectors

Phishing Prevention:

  • Enable email content filtering to block malicious messages
  • Train staff to recognise suspicious emails, unexpected attachments, and urgent requests
  • Implement DMARC, SPF, and DKIM email authentication protocols
  • Never trust email alone for banking detail changes—always verify through independent channels
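To make the DMARC and SPF bullet above concrete, here is an added Python check (not from this post or from CyberAgency) that parses constructed DNS TXT records and reports the weak settings (SPF `~all` or `+all`, DMARC `p=none`, no `rua=`) beside the hardened pair a charity should aim for; the domain and records are placeholders, nothing is looked up in DNS.

```python
# Constructed TXT records for a placeholder domain (nothing is looked up in DNS):
# a weak pair a charity might find in place, and the hardened pair to aim for.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.org.au"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.org.au; adkim=s; aspf=s"


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; {} if this is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess_spf(record: str) -> list:
    """Return human-readable weaknesses in an SPF record (empty list = OK)."""
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record: any server may send as this domain"]
    terms = record.split()[1:]
    # The final 'all' mechanism decides what happens to senders not listed above it.
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    notes = {"+": "+all: every sender passes, the record gives no protection",
             "?": "?all: neutral result, receivers will not reject spoofed mail",
             "~": "~all (softfail): move to -all once all legitimate senders are listed"}
    return [notes[qualifier]] if qualifier in notes else []


def assess_dmarc(record: str) -> list:
    """Return weaknesses in a DMARC record (empty list = OK)."""
    tags = parse_dmarc(record)
    if not tags:
        return ["no DMARC record: SPF/DKIM failures are never acted on"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in junk; move to p=reject when ready")
    elif policy != "reject":
        findings.append(f"invalid policy '{policy}'")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings
```

Run `assess_spf` and `assess_dmarc` over your own domain's TXT records to see which step of the SPF/DMARC rollout you are at.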

Ransomware Defence:

  • Maintain frequent, tested backups stored offline or in an isolated network
  • Keep all systems and software updated with the latest security patches
  • Secure servers and NAS devices with robust authentication and monitoring
  • Limit administrative privileges to only those who need them

Business Email Compromise (BEC) Protection:

  • Set up verification protocols for any payment or confidential data requests
  • Require verbal confirmation via independently sourced phone numbers for bank detail changes
  • Implement rigid separation of duties in finance teams
  • Monitor for suspicious inbox rules and login attempts from unusual locations
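For the inbox-rule and sign-in monitoring bullets above, here is an added Python example (not from this post or from CyberAgency) that runs simple BEC detection logic over constructed, simplified mailbox-audit events; the event field names, the placeholder domain and the expected-country list are assumptions, not a real product's schema.

```python
# Constructed, simplified mailbox-audit events for a placeholder charity domain.
# Field names are assumptions for this example, not a real product's schema.
SAMPLE_EVENTS = [
    {"op": "New-InboxRule", "user": "finance@example.org.au",
     "params": {"Name": "Sync", "ForwardTo": "outside@example.net", "DeleteMessage": "True"}},
    {"op": "New-InboxRule", "user": "ceo@example.org.au",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
    {"op": "UserLoggedIn", "user": "finance@example.org.au", "country": "NG"},
    {"op": "UserLoggedIn", "user": "ceo@example.org.au", "country": "AU"},
]
ORG_DOMAIN = "example.org.au"
EXPECTED_COUNTRIES = {"AU", "NZ"}            # where staff normally sign in from
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email"}


def inbox_rule_findings(event: dict) -> list:
    """Reasons a new inbox rule looks like BEC persistence (empty list = benign)."""
    p = event["params"]
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        target = p.get(key, "")
        if target and not target.lower().endswith("@" + ORG_DOMAIN):
            reasons.append(f"{key} sends mail to external address {target}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes messages, hiding replies from the mailbox owner")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"rule moves mail into rarely read folder '{p['MoveToFolder']}'")
    return reasons


def login_findings(event: dict) -> list:
    """Flag sign-ins from outside the countries the organisation expects."""
    country = event.get("country", "unknown")
    return [] if country in EXPECTED_COUNTRIES else [f"sign-in from unexpected country {country}"]


def triage(events: list) -> list:
    """Return (user, reason) alerts for every suspicious rule or sign-in."""
    alerts = []
    for e in events:
        if e["op"] == "New-InboxRule":
            reasons = inbox_rule_findings(e)
        elif e["op"] == "UserLoggedIn":
            reasons = login_findings(e)
        else:
            reasons = []
        alerts.extend((e["user"], r) for r in reasons)
    return alerts


def users_to_escalate(events: list) -> set:
    """Users with both a suspicious rule and an unusual sign-in: treat as likely compromise."""
    rule_users = {e["user"] for e in events if e["op"] == "New-InboxRule" and inbox_rule_findings(e)}
    login_users = {e["user"] for e in events if e["op"] == "UserLoggedIn" and login_findings(e)}
    return rule_users & login_users
```

A user who appears in `users_to_escalate` should have the rule removed, sessions revoked and the password reset before any pending payment requests from that mailbox are honoured.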

5. Develop a Cyber Incident Response Plan

Current Gap: While 79% of NFPs report having data backup protocols, only 45% have built a data breach response plan.

Why It Matters: When a cyberattack occurs, having a transparent, trusted response plan can mean the difference between a manageable disruption and an organisational crisis.

Key Components (based on ACSC guidance):

  • Clearly defined roles and responsibilities
  • Detection and first assessment capabilities
  • Investigation and remediation procedures
  • Decision and escalation points
  • Communications management strategy
  • Contact information for external support (ACSC hotline: 1300 CYBER1)
  • Regular testing through tabletop exercises

Resources: The ACSC provides free cyber incident response plan templates and guidance specifically for charities and NFPs.

6. Solidify Governance and Board Oversight

Board-Level Responsibilities: The Australian Institute of Company Directors (AICD) has published thorough cyber security governance principles for NFPs. Key questions boards should regularly address include:

  • Does the board understand cyber risks well enough to oversee and challenge management?
  • Who has primary responsibility for cyber security in our management team?
  • Is cyber risk specifically identified in our risk management framework?
  • How regularly does management present on the effectiveness of cyber risk controls?
  • Do we have a tested Cyber Incident Response Plan with an integrated communications strategy?

Creating a Cyber-Safe Culture: ACNC research found that charities achieved satisfactory cyber security governance by promoting a strong culture of cyber security awareness, ensuring staff understood common cyber threats and best practice measures.

Cost-Effective Implementation: Where to Start

For resource-constrained NFPs wondering where to begin, follow this prioritised approach:

Immediate Actions (This Week):

  • Enable MFA on all email accounts and cloud services
  • Ensure automatic updates are enabled on all devices
  • Review and strengthen password policies—use password managers
  • Subscribe to ACSC’s Cyber Security Partnership Program

Short-Term Actions (This Month):

  • Conduct baseline cybersecurity awareness training for all staff
  • Adopt routine, tested backups of critical data
  • Review email security settings and enable content filtering
  • Carry out a basic risk assessment leveraging free ACNC resources

Medium-Term Actions (This Quarter):

  • Develop and test a Cyber Incident Response Plan
  • Implement Essential Eight strategies at Maturity Level 1
  • Undertake simulated phishing exercises
  • Review and update privacy policies and data handling procedures

Long-Term Actions (This Year):

  • Work toward Essential Eight Maturity Level 2
  • Engage board in regular cyber security governance reviews
  • Consider cyber security insurance
  • Build relationships with trusted IT security partners

Cyber resilience starts with a plan. Contact the experts at CyberAgency Group to develop a tailored security strategy for your organisation.

