Close Search
Hot Topic  |  InnovationTech and AI

‘Be prepared and be brave’: The Salvos reveal how they prepare for cyber attack

9 November 2020 at 5:31 pm
Justin Flower
How does a large NFP operate from a cyber risk perspective? Justin Flower from InfoTrust sits down with the Salvation Army’s executive manager of cybersecurity to find out.

Justin Flower | 9 November 2020 at 5:31 pm


‘Be prepared and be brave’: The Salvos reveal how they prepare for cyber attack
9 November 2020 at 5:31 pm

How does a large NFP operate from a cyber risk perspective? Justin Flower from InfoTrust sits down with the Salvation Army’s executive manager of cybersecurity to find out.

A recent survey by CohenReznick showed 69 per cent of not for profits do not even have a cybersecurity response plan in place, while other research confirmed that a fifth of charities had come under cyber attack in the last 12 months. 

The repercussions of even one breach can cause catastrophe for not for profits, which executive manager of cybersecurity Lachlan McGill, from The Salvation Army Australia, knows very well.

To give just one example from hundreds, in 2017, Save the Children was scammed through fake emails by a hacker posing as a staff member, losing US$997,400 to a fraudulent business in Japan.

Since COVID-19 hit we’ve seen a huge spike in cybercrime and charities are particularly vulnerable due to lower cyber awareness, particularly smaller charities. Phishing and malicious emails remain the most common form of attack on not for profits, however hacking and extortion is also a cause for concern. 

As a cyber security firm, we work with all types of organisations on their holistic security practices. Our work in implementing incident response services for The Salvation Army led me to want to delve further into how charities are dealing with the cyber security landscape. 

Here I interview McGill, who shares some really interesting insights into how their organisation is tackling this ever-increasing threat.

Have you ever had to manage a cyber incident? 

Like most cybersecurity people, I have certainly experienced my share of cyber incidents. What I’ve learnt is you need to have capable and knowledgeable people on board reacting to the incident. 

Often someone in my role will be caught up in communication channels responding to requests for information and keeping stakeholders updated. 

It’s so important to know that the people you have remediating the issue in the background are skilled, calm and collaborative. 

The last thing you need is somebody panicking or unable to communicate well with other resources in the investigation team.  

Everybody working together across the board will ensure the best outcome. 

Another important piece of advice is sometimes you need to make decisions based on limited data. 

Understand this, be prepared and be brave!

What would you say are the key areas of cyber risk or concern in not-for-profit organisations?

NFP organisations such as ours often deal with people or situations that require handling of confidential or sensitive information.

It’s critically important to the survival of our mission that we protect that information at all stages of its lifecycle so that we and our clients do not suffer the consequences that can come from data loss or breaches. 

That’s why we’ve engaged expert services to help us in the event of a major cyber incident. The quicker we can remediate and determine the cause of the breach, the better the outcome for everyone. 

In NFPs we have a serious obligation to spend money wisely and this means we need to have a very good understanding of risk management and which threats are of the most concern so we can prioritise effectively. 

Understanding risk management is a critical aspect of my role.

Do you train your staff on cyber security? 

We take the cybersecurity education of our staff very seriously and it is a key performance indicator for the security team. We use different methodologies, forums and communication channels to keep all of our staff abreast of threats and secure ways of working.

Have you seen an increase in cyber incidents this year?

There has definitely been an increase in threats since the COVID pandemic struck and people have been forced to work away from the office. Most companies globally will have seen the threat landscape change significantly during this period and The Salvation Army is no different. 

We’ve seen a lot of press over the past 12 months of major cyber incidents and breaches across all industries, is there anything you’ve learnt from these?

There certainly has been a large number of incidents over the past year in organisations both small and large. What I’ve learnt from these are that the organisations who communicate quickly, openly and as accurately as they are able to usually come out looking the most competent and concerned about the outcome. 

What is also clear from these incidents is that it’s a group effort requiring input from several stakeholders to ensure the best response and outcome for the customers and clients. Cybersecurity, IT, risk, legal, media relations and third party experts all have a part to play.

The best thing the cybersecurity industry can do to help one another is share as much information as possible and within legal constraints about how/why the incident occurred and what was done to remediate. This is of enormous benefit to the whole industry and helps us all build better protections.

Is there any other advice you’d give to charities looking to increase their cyber security protection?

My advice would be that once you have or are working on deploying the foundational technical controls such as endpoint protection, software patching, authentication, IPS, etc, you need to focus on the cybersecurity culture within the organisation. 

This is critically important and will have a multi-layer impact on the overall security posture. Enabling all staff to understand the importance of cybersecurity will decrease pushback on security initiatives, increase security reporting of potential incidents, drive down phishing click rates and even eventually have the business approaching you to discuss rolling out further security controls. 

A great culture is about much more than stopping staff clicking on phishing emails, it’s about bringing the organisation on the cybersecurity journey and having everyone push that carriage along the tracks instead of the security team doing it by themselves. 

Read up on it and engage external help. 

A change in culture takes time and energy but is well worth it.

Justin Flower  |  @ProBonoNews

Justin Flower is the southern region general manager at InfoTrust.

PB Careers
Get your biweekly dose of news, opinion and analysis to keep you up to date with what’s happening and why it matters for you, sent every Tuesday and Thursday morning.

Got a story to share?

Got a news tip or article idea for Pro Bono News? Or perhaps you would like to write an article and join a growing community of sector leaders sharing their thoughts and analysis with Pro Bono News readers? Get in touch at or download our contributor guidelines.


Panel Discussion Webinar

Get more stories like this


Your email address will not be published.


Accessibility-first mindset needed to make tech design equitable

Danielle Kutchel

Tuesday, 21st June 2022 at 3:43 pm

Celebrating the best in NFP technology innovation

Danielle Kutchel

Friday, 13th May 2022 at 6:01 pm

Full program confirmed for the Connecting Up conference 2022


Thursday, 28th April 2022 at 7:50 am

$1M in pro bono tech services to help not for profits be amazing-er


Tuesday, 29th March 2022 at 7:15 am

pba inverse logo
Subscribe Twitter Facebook

News for those with purpose.

Delivered free to your inbox every Tuesday and Thursday morning. 

Thank you - you have successfully subscribed.

Get the social sector's most essential news coverage. Delivered free to your inbox every Tuesday and Thursday morning.

You have Successfully Subscribed!