This section of the Governance Toolkit covers issues of cybersecurity - what they are, how they may affect charities and what charities can do to reduce risks of cyberattacks.
Read the guide and then check your understanding by taking the assessment available at the bottom of this page. You do not need to submit this assessment to the ACNC - it is optional and designed to help you measure your understanding of the topic and identify areas for training or improvement.
What is cybersecurity?
Cybersecurity is protecting your charity's electronic information and systems from unauthorised access, alteration, loss or disruption.
Cybersecurity applies to all electronic information. But if your charity handles personal or sensitive information, you must be particularly careful about how it is protected.
Some charities, due to a lack of resources or time, may not have considered cybersecurity. This is understandable, but it creates vulnerability.
Charities should make sure that staff and volunteers have a basic understanding of cybersecurity issues.
Personal information and sensitive information are defined in the Privacy Act 1988 (Cth) (the Privacy Act):
Personal information is information or an opinion about an identified person (or a person that can reasonably be identified), regardless of whether the information or opinion is true or recorded in a material form.
Sensitive information is a subset of personal information and may include, for example, a person’s religious or philosophical beliefs, sexual orientation or health information.
For more on what constitutes personal information and sensitive information, see ‘Key concepts’ in the Australian Privacy Principles guidelines from the Office of the Australian Information Commissioner.
The Privacy Act has requirements for the way personal information and sensitive information are collected and stored. The Australian Privacy Principles guidelines have information about these requirements. Our guide to managing information and data also provides a good overview for charities.
Risks and consequences
It is not only large companies and government agencies that can fall victim to cyberattacks. Charities – even smaller ones – can be targeted too. And, often having weaker defences, smaller charities can be especially vulnerable.
Common cybersecurity risks include:
- unauthorised access to a device, network or system
- viruses or other malicious software that can collect, change or delete information and spread throughout a network
- fake emails or websites set up to trick someone into revealing personal or sensitive information.
The consequences of an incident can be significant. They may include:
- loss of crucial information
- disruption to services
- unauthorised changes to your charity’s information and systems
- expensive costs to restore data and services
- costs of notification and investigation (including legal costs)
- costs arising from the attack itself (for example, extortion or ransomware)
- regulatory action and penalties
- loss of trust and reputation
When a charity has inadequate security for its computer systems, it is more vulnerable to attacks and less likely to be able to detect them. This can then make responding to attacks more difficult and can increase the time and cost of recovery.
Your charity may have legal obligations for the way it collects and stores information. This will depend on the location and nature of your charity’s operations. You may consider getting legal advice to fully understand what legal obligations there may be for your charity.
Protecting your charity from cyberattacks
Although everyone in a charity has an important part to play in protecting against cyberattacks, the ultimate responsibility is with the charity’s Responsible Persons.
The Responsible Persons must consider the circumstances of their charity and make sure that they can identify and manage relevant cybersecurity risks.
How charities manage cybersecurity risks will vary significantly. But there are four steps that every charity can take to help protect against cyber incidents:
- Identify and assess the risks
- Prevent incidents and mitigate risks
- Engage people in the charity, and even third parties, to help manage risks
- Take action when concerns, suspicion or complaints arise.
Most of these actions are simple and most charities will be able to do them. But if you think your charity doesn’t have anyone available with enough knowledge and experience, you may need to seek outside help.
Identify and assess the risks
The first step is to identify the data, information and knowledge your charity has that could be of value to a potential attacker.
Keep a list of these as ‘critical assets’ in a register, and prioritise their importance. Doing this will help you to focus attention and limited resources on protecting the highest priorities.
- Identify the information and assets that are vital for your charity to run smoothly
- Find out who is collecting personal and sensitive information in your charity, how they collect it, and where it is stored.
After you have identified your charity’s ‘critical assets’, do a risk assessment to help you think about what could go wrong with them. This is a simple process that:
- Identifies risks
- Considers potential incidents
- Analyses the likelihood and effect of an incident
- Explores ways to manage risks
You should record the findings of your charity’s risk assessment and review it regularly to make sure it remains relevant and up to date.
Prevent incidents and mitigate risks
There are many practical things your charity can do to mitigate risks and prevent incidents:
- Limit access: Only allow staff and volunteers to access information they need for their roles.
- Protect devices: Keep the operating system and applications on all computers, tablets and smartphones up to date, and use anti-virus software on each of them. Modern anti-virus software can find, contain and remove malicious software, but only if it is kept updated and allowed to scan regularly.
- Protect networks: Use a firewall for your charity's network. A firewall (built into most routers and operating systems, or available as a separate device or software) blocks connections that are not explicitly allowed. It can prevent unauthorised access to the network from outside, and can also limit unauthorised use of the network by your charity's staff and volunteers.
- Use only authorised resources: Only allow approved applications (apps) on your charity’s computer and phones, and block access to inappropriate websites and downloads.
- Use passwords effectively:
- Make sure every device, system and account in your charity has its own password. Do not share one password between people or reuse the same password across systems; a password manager makes it practical for staff to keep a different password for every account.
- If your charity provides devices to staff and volunteers, all the default passwords should be changed before they are handed out.
- A strong password is long rather than complicated: a passphrase of at least 14 characters (for example, four unrelated words) is easier to remember and much harder to guess than a short mix of letters, numbers and symbols. Forcing passwords to be changed on a fixed schedule is no longer recommended, because it leads people to choose weak, predictable variations. Instead, change a password promptly if you suspect it has been exposed.
- Use multi-factor authentication for access to critical information such as financial or health information: in addition to the password, require a second proof such as a code from an authenticator app or a physical security key. A one-time code sent by SMS or e-mail is better than a password alone, but it can be intercepted or phished, so prefer an app or key where the service supports it.
- Make back-ups: Make sure your charity's important information is backed up regularly, and test from time to time that a back-up can actually be restored. Charities increasingly use the 'cloud' – a shared computer and storage resource service that is accessed through the internet – to keep back-ups securely outside the charity's physical location rather than on a physical device in the office. Whichever you use, keep at least one copy that cannot be altered or deleted from an ordinary staff account, so that ransomware that reaches the live systems cannot also destroy the back-ups.
Engage people in the charity
It is a good idea for your charity’s staff and volunteers to have at least basic training in cybersecurity and data privacy.
The training, at a minimum, should cover the common cybersecurity risks (including how to recognise fake emails and websites and what to do when one is spotted) and outline the correct ways to collect and handle personal information.
Take action and respond effectively
Your charity should have a plan for responding to cybersecurity issues and data breaches. See our template to get you started on one for your charity.
Everyone in the charity should be familiar with the plan and have access to it if they need it.
Your charity could use the following steps to manage, respond to and address a data breach or other cybersecurity issue:
- Identify and contain: Understand what is happening and, if possible, take steps to prevent other systems, devices or data from being affected (for example, disconnecting an affected device from the network or disabling a compromised account). Where you can, keep logs and affected devices intact rather than wiping them, as they will be needed for the investigation.
- Investigate: Find out the nature of the issue, which devices and systems are affected, and what the risks might be
- Assess the risks and respond: Work out what harm has been done, the effects of the harm, and what could go wrong from here
- Act and notify: Decide on the priorities for protecting individuals and organisations from further harm. If personal information is involved and the breach is likely to result in serious harm to any individual, the Notifiable Data Breaches scheme under the Privacy Act requires organisations covered by the Act to notify the OAIC and the affected individuals; follow the OAIC's notification guidance to work out whether this applies to your charity and what to include.
- Review: Look over your charity’s policies, procedures and systems to identify any changes that would reduce the likelihood and consequences of similar issues occurring again.
Case study: Learning from experience
A charity that provides support for elderly people in a regional town keeps personal and sensitive information about its clients on computers. It relies on staff and volunteers to enter and update this information.
The charity always thought it was doing enough to protect the information of its clients – it locked away physical files and had strong passwords on its computers and devices – but it had no way to stop someone with access to the charity’s computers from downloading users’ information.
The charity was shocked when contacted by a journalist from a local paper who said that someone had found a USB stick in a café that had the personal details of the charity’s clients on it. The paper published a story about the incident and the charity spent several days responding to angry enquiries from its users and their families.
Fortunately, the charity had a good reputation in the community and this helped it recover. But its board quickly realised that better measures were needed to make sure the charity was protected against cybersecurity threats and able to win back the trust of the community.
Despite not being cybersecurity experts, the charity’s board found lots of useful information online about cybersecurity threats, including suggestions of the sorts of things a charity could do to protect itself. In response to the incident, the board:
- approved a new policy which restricted access to certain files on the charity’s computers
- organised training sessions for staff and volunteers about data and information protection
- agreed to review policies annually and organised spot checks to ensure staff and volunteers were complying with the rules
- decided to set aside some funds for ongoing cybersecurity measures.
The charity’s board also agreed on a new plan for handling any future incidents. This included the need to report certain serious data breaches to the Office of the Australian Information Commissioner (OAIC).
Critical asset register template
Plan for responding to a data breach template
- Managing people’s information and data, ACNC
- Damn good advice on cyber-safety and fraud prevention, Our Community
- Guide to conducting privacy impact assessments, OAIC
- OAIC notification guidance, OAIC
- Australian Cyber Security Centre, Australian Signals Directorate
- Creating a cybersecurity policy for your business, Business.gov.au
- Cyber security: Small charity guide, National Cyber Security Centre (UK)