NFP leaders say they are vulnerable to cyber attacks

More than 60 per cent of NFP CEOs expect a surge in cyber incidents this year, yet training and compliance is not seen a priority, a new report reveals.

As the repercussions of the recent cyber attack on telecommunications giant Optus continues, a new report reveals how NFP sector leaders are responding to cybersecurity. 

More than 60 per cent of NFP organisations expect a surge in reportable cyber incidents this year, according to PwC’s 3rd annual not-for-profit CEO survey. Yet, just under half of sector leaders (48 per cent) are actually making progress on establishing a cybersecurity and privacy uplift program.

Even more concerning is that CEOs are not prioritising upskilling their employees in areas of cybersecurity and privacy, which is required to future-proof roles against technological advances, instead pursuing softer skills including teamwork, problem solving, adaptability and resilience.

See more: Cybersecurity is paramount for not for profits – we need to act now 

Marcus Harvey, Manager of Infoxchange’s Digital Transformation Hub and NFP technology expert, believes one reason for this result is that many time and resource-poor NFP leaders focus first on delivering what they are confident will add most value to their organisation, which often excludes cybersecurity as a space less familiar to the sector.

“I am concerned that many non-profits are not treating cybersecurity with the urgency it requires, considering the importance of some of the information, and I think that’s a lot to do with them not being an expert in that space,” says Harvey.

According to Harvey, a key solution to engaging NFPs to address cybersecurity is through collaboration with other organisations who hold more knowledge and experience – whether this be the government, private sector or other NFPs such as Infoxchange, which run monthly cybersecurity webinars for the sector.

See more: Bridging the digital divide between government and charities

“From my perspective, non-profits need a trusted technology partner that will guide them sensibly through their cybersecurity journey,” continues Harvey.

“The government can support that process and bring tools, discounts and processes to the table, but that doesn’t replace the need for a non-profit to have someone who can give them quality advice in the cybersecurity space to help them on their journey.”

According to Harvey, there are quick fixes that NFPs can undertake to strengthen their cybersecurity and privacy, including implementing multi-factor authentication, updating policies and procedures, and ensuring staff are trained so they know how to treat and protect sensitive information.

See more: Maintaining cybersecurity during global unrest 

Jane Edwards, social impact director at PwC Australia believes that a deeper understanding of the responsibility to protect and limit the use of personal information is just as crucial for the NFP sector.

“I think not-for-profits face similar risks as large organisations, but they don’t necessarily have the same resources to establish a strong cybersecurity framework,” says Edwards.

“It might be that not-for-profits are not necessarily identifying the need to directly upskill their workforce as such, but they are recognising the need to improve cybersecurity and privacy measures more broadly.

“We are certainly seeing examples in our own cyber practice of non-profits who are looking to assess the current state of their cybersecurity maturity and really uplift their controls to improve protection,” she concludes.

PwC’s 3rd Annual not-for-profit CEO survey includes insights from over 230 leaders in the NFP sector across Australia and New Zealand.