Charities Are a Target: What Your NFP Board Should Do About Cyber Risk

The Australian Charities and Not-for-profits Commission is urging charities to review and update their cyber security, warning that reports of cyber crime against the sector keep climbing. As the ACNC puts it, charities often handle sensitive information and financial data, and that makes them a tempting target. Its Cyber Security Governance Toolkit boils the response down to four steps: identify and assess the risks, prevent incidents and mitigate them, engage your people and third parties, and respond effectively when something goes wrong.

Why does this land harder on not-for-profits? Because most run lean. Tight budgets, volunteer help, and donated hardware are normal, yet the data held is exactly what attackers want, including health records, financial details, and information about vulnerable people. Under the Privacy Act, a serious data breach has to be reported to the regulator and the people affected, and the reputational hit with donors and funders can cost more than the technical clean-up. The part boards sometimes miss is that this is a governance responsibility. You can outsource the technology, but the accountability still sits with the board.

So put cyber security on the board agenda, not just the IT to-do list. Work through the ACNC’s four steps and confirm the basics are actually in place: multi-factor authentication switched on everywhere, backups that are tested rather than assumed, access removed promptly when a staff member or volunteer leaves, and a written plan for responding to a data breach. Mapping your controls to the Essential Eight or SMB1001 also gives you something defensible to show funders and auditors when they ask.

If your board wants a clear read on where it stands, our cybersecurity for not-for-profits team can run the checks and report back in plain language.
