Why Are Cyber Security and Privacy Crucial for Nonprofits (NGOs)?
In the article titled Understanding Cyber Security, Privacy and Confidential Information: A Nonprofit (NGO) context, we delved into the legal frameworks and policies that govern the privacy and security responsibilities of modern nonprofits (NGOs) in Australia. While safeguarding Personally Identifiable Information (PII) and Sensitive Information related to clients is a top priority for nonprofits, the following list offers a broader perspective on information assets and aspects of your organisation that need protection within a cyber security framework:
- Protection of Private and Sensitive Information: Nonprofit organisations frequently deal with private and sensitive data, including personal information about clients, donors, volunteers, and employees. Cyber security measures are essential to prevent unauthorised access and breaches that could compromise this data. The Personally Identifiable Information (PII) and Sensitive Information managed by nonprofits are precisely the kinds of information highly coveted by cyber criminals. Beyond the realm of mere identity theft, the sensitive nature of this information allows for the possibility of ransom, presenting a significantly more lucrative incentive for cyber criminals.
- Compliance with Regulations: Many nonprofits are subject to data protection regulations like the Privacy Act or GDPR (and additional policies and frameworks within the jurisdictions they source funding from), which require them to implement cyber security measures and protect Private and Sensitive Information. Non-compliance can result in legal consequences and reduce their ability to win new tenders.
- Reputation and Trust: A cyber-attack or data breach can seriously damage a nonprofit’s reputation and erode trust among donors, clients, and other community stakeholders.
- Protection of Assets: Cyber-attacks can lead to data loss, theft of financial resources, and disruption of operations. Cyber security helps protect these valuable assets and ensures business continuity.
- Protection of Partners and Stakeholders: Nonprofits often collaborate with partners and stakeholders. A cyber-attack on a nonprofit can also affect these parties. Implementing robust cyber security measures helps protect not only the nonprofit but also its partner and stakeholder ecosystem.
Key Cyber Security Risks for Nonprofits (NGOs)
In the ever-evolving digital landscape, nonprofits (NGOs) are not immune to the multitude of cyber threats that lurk in the virtual realm. This section unravels some of the key cybersecurity risks faced by nonprofits, shedding light on the potential pitfalls and challenges that demand attention:
Phishing Scams – pronounced “fishing”
Phishing scams come in various forms, all designed to trick individuals into revealing sensitive information or performing actions that benefit the attacker. Here are some common examples:
- Email Phishing: Cybercriminals send deceptive emails that appear to be from legitimate sources, such as banks, government agencies, or well-known companies. These emails typically contain urgent messages, requesting recipients to click on malicious links or provide personal information like login credentials or credit card details.
- Spear Phishing: This is a targeted form of phishing where attackers customise their messages for specific individuals or organisations. They often gather information about the target to make the emails seem more convincing. For example, an attacker might send a spear-phishing email to an employee, pretending to be their boss and requesting sensitive financial information.
- Vishing (Voice Phishing): Instead of emails, vishing involves phone calls. Attackers impersonate legitimate organisations or individuals over the phone, attempting to extract sensitive information or convince the victim to take certain actions, such as transferring money to a fraudulent account.
- Smishing (SMS Phishing): Smishing scams use text messages to deceive recipients. These messages often contain urgent requests or false alarms, asking victims to click on links or respond with personal information. They can appear to be from trusted sources, like banks or delivery services.
- Pharming: In this type of attack, cybercriminals manipulate the DNS (Domain Name System) to redirect users to fraudulent websites, even if they type the correct website address. Victims are tricked into entering their login credentials or financial information on these fake sites.
- Clone Phishing: Attackers create nearly identical copies of legitimate emails or websites, making only minor modifications. Unsuspecting individuals may not notice the subtle differences and are more likely to fall for the scam.
- Attachment Phishing: Cybercriminals send emails with malicious attachments, often disguised as important documents or invoices. When recipients open these attachments, malware is deployed on their systems, allowing attackers to gain access or steal information.
- CEO Fraud or Business Email Compromise (BEC): This type of phishing targets employees responsible for finances within an organisation. Attackers impersonate company executives or high-ranking officials and request financial transactions, which can result in significant monetary losses.
- Ransom Phishing: Cybercriminals send emails claiming to have compromised the recipient’s computer or account and demand a ransom payment in return for not exposing sensitive data or for unlocking the device.
- Social Media Phishing: Attackers create fake social media profiles or impersonate trusted contacts to send malicious links or messages to potential victims. This can lead to account compromise or the spread of malware.
Ransomware poses a significant cybersecurity threat to nonprofits, placing them at risk of devastating attacks. In ransomware incidents, malicious actors infiltrate an organisation’s systems, encrypt vital data, and demand a ransom payment in exchange for the decryption key. Nonprofits, like any other sector, are susceptible to these attacks, which can lead to substantial data loss, financial repercussions, and operational disruption.
Advanced Persistent Threats (APTs)
Nonprofits face the risk of advanced persistent threats, which are targeted attacks often carried out by state-sponsored actors or cyber crime organisations. These attacks aim to gain access to sensitive information and maintain a foothold in an organisation’s network for an extended period.
Insider threats represent a significant concern for nonprofits, as these organisations often rely on a dedicated workforce and collaborate with various individuals, including contractors and volunteers. Insider threats occur when individuals with authorised access misuse their privileges to engage in activities that jeopardise cybersecurity. These threats can take various forms, such as data theft, sabotage, or unauthorised data disclosure. Given the nature of nonprofits, where trust is paramount, insider threats can be particularly damaging, eroding the organisation’s reputation and potentially causing financial harm. Effective employee training, access control measures, employee exit checklists, and ongoing monitoring are essential for nonprofits to detect and mitigate insider threats effectively.
DDoS (Distributed Denial of Service) Attacks
DDoS attacks use a network of infected computers to flood a website or network with traffic, rendering it unavailable to users.
IoT (Internet of Things) Threats
IoT devices used by nonprofits can be vulnerable to cyberattacks, potentially granting access to the network or sensitive information.
Social engineering represents a critical cybersecurity concern for nonprofits, as it preys on human psychology rather than technical vulnerabilities. In these attacks, cybercriminals exploit trust and manipulate individuals into divulging sensitive information or performing actions that compromise security. Nonprofits, often driven by their missions to help and engage with various stakeholders, can be particularly susceptible to social engineering tactics. Awareness and education within the organisation are crucial to recognise and thwart these manipulative strategies, ensuring the protection of sensitive data and maintaining stakeholder trust.
For nonprofits, leveraging cloud services can enhance efficiency and accessibility and reduce costs. However, ensuring cloud security is crucial because sensitive data stored and processed in the cloud must be safeguarded against unauthorised access or data breaches. Investments in cloud security measures, like encryption and access controls, are vital to protect this valuable information and maintain trust among donors and clients. It is also increasingly important to understand your data sovereignty requirements and whether the information you are placing on the cloud is allowed to leave Australia.
Lack of Human Resources and Organisational Structure
Many nonprofits operate with limited IT resources, which can make them vulnerable to cyber threats. Without sufficient resources, including skilled cybersecurity professionals and a well-defined organisational structure for managing cyber risk, it becomes challenging to keep up with rapidly evolving cybersecurity technologies and efficiently manage IT infrastructure. Addressing this limitation is essential to strengthen their cyber defenses and protect sensitive data. Nonprofits should consider adopting cybersecurity frameworks and guidelines to provide a structured approach to managing cyber risks and ensuring that the organisation has the necessary leadership and expertise to navigate the ever-changing cybersecurity landscape effectively.
Lack of Cybersecurity Expertise
Nonprofits may lack the necessary up-to-date cybersecurity expertise to implement and manage security measures effectively. This expertise gap can expose them to vulnerabilities and cyber risks. Collaborating with experts or investing in training and development can help nonprofits bridge this gap and enhance their cybersecurity posture.
Budget constraints often restrict nonprofits from making comprehensive investments in cybersecurity. However, overlooking security measures can result in costly data breaches or reputation damage. Nonprofits should allocate their resources wisely, focusing on high-impact cybersecurity strategies and measures to maximise protection within their budget constraints.
Nonprofits frequently rely on third-party vendors for various services, such as payment processing, cloud hosting, CRMs or client management systems. It’s crucial to ensure that these vendors have robust cybersecurity and privacy measures in place. Conducting regular vendor risk assessments and establishing strong contracts and agreements are essential steps to protect sensitive data and maintain compliance.
Mobile Device and BYOD Security
With the rise of remote work and Bring Your Own Device (BYOD) policies, nonprofits need to securely manage the many devices (phones, tablets, laptops etc.) used to access their networks and systems to prevent data breaches and protect client and donor information.
Lack of Employee Training
Nonprofits may not have structured training programs to educate their staff about cybersecurity best practices. This lack of training can increase the organisation’s vulnerability to various threats, as employees may unknowingly engage in risky behaviors. Implementing comprehensive employee training on cybersecurity is essential to create a security-aware workforce and reduce the organisation’s exposure to potential risks.
Key Privacy Risks for Nonprofits
Nonprofit organisations (NGOs) handle vast amounts of sensitive data, including personal and health information, as they strive to make a positive impact on society. However, with great data comes great responsibility. Nonprofits must navigate a complex landscape of privacy risks, where the mishandling of information can result in reputational damage, legal consequences, and the erosion of trust among clients, donors, and stakeholders. To help NGOs safeguard the privacy of their constituents and maintain compliance with evolving regulations, we explore key privacy risks and the essential measures required to mitigate them effectively.
Nonprofits must obtain consent when collecting and using personal and sensitive data from clients. Consent, which can take various forms, is vital to respecting individuals’ rights and privacy. Ensuring proper consent practices is essential for maintaining trust with clients and donors and complying with privacy regulations.
Handling Data Breaches
Nonprofits are vulnerable to data breaches, which can result in the theft or exposure of sensitive information. These breaches can lead to financial losses, reputational damage, legal consequences, and even identity theft or ransom attacks on affected individuals. Protecting against data breaches is crucial for safeguarding client and donor information. In NSW, DCJ’s notifiable policy for service providers has a detailed section on your responsibilities when you detect an actual or suspected information security incident.
Nonprofits face the risk of unauthorised access to sensitive information by employees, contractors, or individuals without proper authorisation. Implementing strict security authorisation policies and access controls is necessary to prevent unauthorised access and protect privacy.
Lack of Data Management Policies
Some nonprofits may lack clear policies and procedures for managing personal information, increasing the risk of data breaches and non-compliance with privacy regulations. Establishing robust data management policies is essential for maintaining data security, including a standardised consent framework across multiple programs and services.
Compliance with Regulations
Many nonprofits are subject to privacy regulations such as the Privacy Act, GDPR, and HIPAA. These regulations require organisations to protect personal data and confidential information, making compliance crucial to avoid legal consequences and maintain client trust. Nonprofits operating in NSW may also be subject to NSW jurisdictional regulations, including the NSW Privacy and Personal Information Protection Act 1998 and the NSW Health Records and Information Privacy Act 2020. It is important to know the compliance and regulation requirements of the regions in which you operate.
Lack of Privacy Expertise
Some nonprofits may lack the expertise needed to effectively implement and manage privacy measures. Acquiring privacy expertise is essential for ensuring compliance and data protection. Justice Connect, a not-for-profit legal firm, provides this resource: National privacy guide and resources to assist your organisation to comply with privacy laws.
Lack of Transparency
Nonprofits should be transparent about how they collect, use, and share personal information. Failing to do so can erode trust among clients, donors, and stakeholders, making transparency a critical element of privacy practices.
Lack of Employee Training
Nonprofits must provide adequate employee training on privacy best practices to mitigate the risk of data breaches and non-compliance with privacy regulations. Training ensures that staff members understand and follow privacy protocols.
Staying Abreast of Privacy Act Changes
Nonprofits must stay informed about changes to privacy regulations, such as updates to the Privacy Act. Keeping up with these changes ensures that organisations remain compliant and adapt their privacy practices accordingly. On 16 February 2023, the Commonwealth Government Attorney-General’s Department published the Privacy Act Review Report. This has been followed by the Australian Government publishing its response to the Privacy Act Review Report (28 September 2023).
What can Nonprofits (NGOs) do to protect their organisation?
To address the cyber security and privacy risks above, nonprofits should consider the following strategies:
Consider implementing the Essential Eight strategies recommended by the Australian Cyber Security Centre (ACSC). These strategies provide a prioritised approach to enhancing cybersecurity and include measures such as application whitelisting, configuring Microsoft Office macro settings, and patching applications. Adhering to the Essential Eight can significantly improve your nonprofit’s cybersecurity posture.
Conduct Regular Risk Assessments
Regular risk assessments are crucial for identifying and prioritising cybersecurity and privacy risks specific to your nonprofit. This includes evaluating potential threats like data breaches, phishing attacks, unauthorised access, and compliance issues. Prioritise risks based on severity and likelihood, allowing your organisation to allocate resources effectively to mitigate these threats.
Train Staff and Volunteers
Ensure that all staff and volunteers receive comprehensive training on cybersecurity and privacy best practices. Training should cover topics such as recognising and responding to phishing scams, handling sensitive information securely, and complying with relevant regulations. Regularly update training to stay current with emerging threats.
Implement Security and Privacy Controls
Utilise security and privacy controls, including firewalls, intrusion detection systems, encryption, and access controls, to fortify your defenses against cyber threats and privacy risks. Data minimisation practices should also be employed to collect and retain only essential information, reducing the risk of exposure in the event of a breach.
Work with Secure Vendors and Partners
Collaborate with vendors and partners who uphold robust cybersecurity and privacy standards and align with relevant regulations. Conduct regular vendor risk assessments to evaluate their security practices and ensure they meet your organisation’s requirements. Establish strong contractual agreements that outline data protection expectations and responsibilities.
Use Secure Communication Methods
When transmitting sensitive information, employ secure communication methods such as virtual private networks (VPNs) and encrypted messaging apps. Avoid sending private information via unsecured email to prevent interception by malicious actors.
Conduct Regular Security and Privacy Audits
Regularly audit your organisation’s security and privacy measures to identify vulnerabilities and ensure that controls are functioning effectively. These audits help maintain the integrity of your cybersecurity posture and privacy compliance.
Have an Incident Response Plan
Develop and maintain a well-defined incident response plan that outlines the steps to take in the event of a cyber-attack or privacy breach. This plan should include procedures for minimising damage, notifying affected parties promptly, and complying with legal requirements.
Keep Software Up-to-Date
Ensure that all software and systems used by your nonprofit are kept up-to-date with the latest security patches and updates. Regular patching helps protect against known threats and vulnerabilities.
Monitor for Suspicious Activity
Continuously monitor your networks and devices for suspicious activity, such as unauthorised access attempts. Implement real-time monitoring solutions to detect and respond to cyber-attacks and privacy breaches promptly.
Regularly Back Up Important Data
Implement a routine data backup plan to safeguard critical information and maintain the ability to restore data in the event of disasters or cyber-attacks. Ensure backups are stored securely and are easily accessible when needed.
Implement Multi-Factor Authentication (MFA)
Strengthen your security by implementing multi-factor authentication (MFA) wherever possible. MFA adds an additional layer of protection, requiring users to provide multiple forms of verification before gaining access to sensitive information and systems. Examples of MFA options include an SMS code, a one-time password sent over email, or Google Authenticator.
Single Sign-On (SSO)
Implementing Single Sign-On solutions can streamline access management and enhance security for your nonprofit. SSO allows users to access multiple applications and services with a single set of login credentials, reducing the risk of password-related vulnerabilities and simplifying user authentication. This not only improves security but also enhances user experience and reduces the burden of password management.
Review and Update the Checklist Regularly
Periodically review and update your cybersecurity and privacy checklist to reflect the evolving threat landscape and changing organisational needs. This ensures that your nonprofit continues to take appropriate steps to mitigate risks effectively.
Inform and Get Consent
Maintain transparency in how your organisation collects, uses, and shares personal information. Inform individuals about the data you collect and their rights regarding their information. Seek and obtain explicit consent when necessary, ensuring compliance with privacy regulations.
Get Cyber Insurance
Consider acquiring cyber insurance to provide financial protection in the event of a data breach or cybersecurity incident. Cyber insurance can help cover the costs associated with incident response, legal expenses, and potential damages.
Uphold transparency by clearly communicating how your organisation collects, uses, and shares personal information. Ensure individuals have easy access to their personal data and mechanisms to rectify it, promoting trust and compliance with privacy regulations.
Other links and resources
You can also find the following policies and legislation online:
- NSW Privacy and Personal Information Protection Act 1998
- NSW Health Records and Information Privacy Act 2020
- DCJ’s notifiable policy for service providers on maintaining information security and advising on any information security breaches
In addition to the resources provided online by DCJ, you may find the following useful:
- Cyber Security NSW – Cyber security awareness resources
- Australian Cyber Security Centre (ACSC) – Cyber security campaign resources
- Justice Connect, Not-for-profit Law – National privacy guide and resources to assist your organisation comply with privacy laws
- Information and Privacy Commission (IPC) – Data breach guidance for NSW Agencies
- Office of the Australian Information Commissioner – Data breach preparation and response
- SANS Glossary of Cyber Security Terms
- ACSC Annual Cyber Threat Report, July 2021 to June 2022
- Cyber.gov.au: Guidelines for Database systems
- Cyber.gov.au: Small Business Security Resources
- Crowdstrike.com: Incident response steps
- Governance Toolkit for cyber security on the Australian Charities and Not-for-profits Commission (ACNC) website
- Information for clients about privacy – a factsheet on how privacy is protected in the DSS Data Exchange, to aid your organisation’s conversations about privacy with clients