Danger: Not-for-profit sector cuts corners on cybersecurity


New Zealand’s not-for-profit (NFP) sector’s cybersecurity isn’t anything like good enough, a newly-released report says.

Grant Thornton New Zealand’s latest Not-for-Profit report says charities are particularly vulnerable to phishing attempts and ransomware attacks.

The report states that these attacks are all over the economic sector and show no signs of abating.

Report findings

The Not-for-Profit report says:

  • only 43 percent of NFPs invested in cybersecurity in the two years to 2022
  • only 27 percent plan to invest in cybersecurity over the next two to three years
  • 37 percent of NFPs do not have effective procedures to detect and report data breaches

“NFPs face unique challenges that make it harder for them to invest in cybersecurity”, Grant Thornton New Zealand’s Barry Baker says.

“Naturally, they are always trying to minimise spending, as there’s a lot of pressure to spend as much as possible on frontline assistance to those in need, and as little as possible on the behind-the-scenes processes that deliver that assistance.

“This often means eking an extra year or so out of technology. NFPs are still using laptops that should be replaced, relying on outdated software and legacy platforms – creating greater vulnerability to cyber attacks.

“Cybersecurity can also seem like a non-priority. When there hasn’t yet been a data breach or hack, that can give NFPs a dangerous false sense of security.”

Risks high

The potential risks cannot be overstated, Baker says. It’s not a matter of if an organisation will be hacked, it’s a matter of how bad it will be.

“For a charity, this could result in a complete halt on operations, snarling up frontline services and potentially demanding a ransom to restore systems.

“Worryingly, that ‘smash and grab’ approach by bad actors is being superseded by a more insidious attack: the actors can get into your systems, look around undetected and steal any of your data, including donors’ and/or members’ personal data.

“Then there’s the reputational fallout. Donors who see your name connected with a data breach can easily switch their contributions to another organisation.”

Protecting the organisation

Taking cybersecurity risks seriously is vital, Baker says. It should be given the same attention as health and safety.

Importantly, private data from donors and donor transactions need to comply with certain PCI DSS standards, he says.

Baker suggests it may be worth investing in a third-party payment gateway to take over processing credit cards.

That “reduces the data you’re keeping and the level of compliance required of the organisation,” he says.

He also notes it’s important to understand that tech problems aren’t really about technology.

They’re about people.

“This means thinking about not only systems, but up-skilling everyone who works in the organisation, including the board, and encouraging teams and suppliers to work together harmoniously.

“Only with cooperation and education can your organisation protect itself from the ongoing risks of cyberattacks.”



Additional reading

News category: New Zealand.

Tags: , , ,