Sector left empty handed after plea for government cyber security aid

Posted on 20 May 2024

By Greg Thom, journalist, Institute of Community Directors Australia

Cyber crime hacking

Charity and not-for-profit organisations have expressed bitter disappointment that Canberra has ignored their pleas for federal Budget funding to help the sector defend itself against cyber attacks.

Despite providing generous support for business, the government’s cyber security strategy did not contain any dedicated funding for charities to bolster digital resilience.

Ahead of the budget, the sector sought $20 million over three years to improve cybersecurity awareness, training and protection.

A coalition of peak sector bodies who lobbied the Albanese government for help now say the lack of government support is putting donors’ data and sensitive information at risk.

The Community Council for Australia, the Australian Council for International Development, Fundraising Institute Australia and the Public Fundraising Regulatory Association warned that their members were being targeted by criminal networks.

Community Council for Australia chair Rev Tim Costello.

Community Council for Australia chair Rev Tim Costello said the federal Budget had given business and government millions to bolster cybersecurity, while ignoring pleas from under-resourced charities and NFPs who were losing millions to cybercriminals.

“This lack of funding leaves donors’ financial data, and highly sensitive information about millions of vulnerable Australians, exposed,” he said.

Rev Costello said charities manage thousands of services for vulnerable people on behalf of federal and state governments.

“Many operations are tiny and rely on volunteers who are not equipped to keep pace with rapidly evolving cybersecurity requirements.”

The Infoxchange 2023 Digital Technology in the Not-for-Profit Sector report revealed that one in eight organisations had experienced a cyber security incident or breach.

Just 12% provided regular cybersecurity training to staff and only a quarter had a policy on how to protect information from cybersecurity threats.

This is despite the risk of cyber attack being top of mind for many sector organisations.

The Australian Nonprofits State of the Sector 2023 report found one in five Australian charities and NFPs fear that a cyber attack would devastate their organisation.

“Charities are caught between a rock and a hard place trying to balance legitimate community expectations and the soaring cost of keeping data safe."
Community Council for Australia chair Rev Tim Costello.

The sector's lack of preparedness to deal with cyber threats was brought into sharp focus in August 2023 when a ransomware attack on third-party telemarketing company Pareto Phone resulted in a massive data breach.

The attack resulted in data from more than 70 Australian and New Zealand charities and details of 50,000 donors being dumped on the dark web.

The affected organisations were a who’s who of the sector, ranging from Amnesty International to the Wilderness Society and Médecins Sans Frontières (Doctors without Borders).

The incident led to a warning from authorities to charities and NFPs to be wary of relying on third-party providers who have access to their data.

The sector was further spooked by data security breaches at Surf Life Saving Victoria on November 28 and St Vincent's Health on December 19.

Days after the Pareto attack, Community Council for Australia CEO David Crosbie wrote to Prime Minister Anthony Albanese and Minister for Cyber Security Clare O’Neil calling on the government to better protect charities from cyber attacks.

The letter was co-signed by the CCA board, which includes Mission Australia CEO Sharon Callister, RSPCA Australia CEO Richard Mussell and Volunteering Australia CEO Mark Pearce.

The plea was followed up by a visit to Canberra by sector leaders, who met with staff at the Department of Home Affairs to discuss cyber safety support for charities and not-for-profits.

The meeting with senior federal government cyber security officials followed complaints the sector was being left to fend for itself in the wake of the cyber crime onslaught.

The Australian Charities and Not-for-profits Commission (ACNC) has made the ability of charities and NFPs to manage cyber security threats a key focus of its approach to compliance and enforcement in the coming year.

ACNC commissioner Sue Woodward described cyber security as a "key governance risk” for the sector.

In the lead up to this year's federal Budget, those lobbying for help were quietly confident Canberra would respond positively, but instead they have been left frustrated.

“People rightly expect charities to keep operating expenses as low as possible and prioritise the provision of critical services,” said Rev Costello.

“Charities are caught between a rock and a hard place trying to balance legitimate community expectations and the soaring cost of keeping data safe.

“Helping the sector achieve this is vital to ensuring ongoing public confidence in supporting organisations that serve our communities, society and country.”

More information

Charities at risk of being left defenceless in cyber-crime battle

Sector braces for cyber attacks in year ahead

NFP sector in Canberra cyber security talks

Cybersecurity a hot button issue for NFPs in 2024

Charities regulator zeroes in on cyber risk

More news

Become a member of ICDA – it's free!