Australian charities and not-for-profit organisations provide vital resources and aid to some of Australia’s most vulnerable and disadvantaged people. This often requires organisations to store sensitive data about their staff and the people they serve, including names and addresses, banking information, and system login credentials.
This information is valuable to threat actors, who may launch a cyber-attack to extort money from charitable organisations. Charities and not-for-profit organisations are particularly susceptible to cyber-attacks because they often lack the resources that allow a for-profit business to implement more robust security measures. Attacks that can occur include:
- Phishing: phishing is a common cyber-attack that involves a threat actor manipulating a victim to obtain something of value, such as money, login credentials, or system access. The threat actor will use tactics that induce fear, anxiety, or trust in their victim, including threats or impersonating someone of authority. Phishing can occur over email, via text messages (smishing), and even through phone calls (vishing).
- Business email compromise (BEC): a BEC attack involves a threat actor impersonating a legitimate business, business representative, or staff member using an illegitimate email address or email domain. The threat actor uses malicious emails to deliver malware into a business’s systems, obtain login credentials from other employees, or extract money by sending fraudulent invoices. BEC attacks often use phishing tactics.
- Ransomware: ransomware attacks involve a threat actor encrypting data or locking legitimate users out of an organisation’s systems until a ransom is paid. Sometimes these attacks also involve data extortion, where, if the ransom is not paid, the stolen data is published illegally, usually on dark web forums. Ransoms are typically demanded in online payment forms such as cryptocurrency or online bank transfers.
Any cyber incident can severely impact charities and not-for-profits. Consequences can include loss of sensitive or valuable information, disruption to the services provided, unauthorised system alterations, reputational damage due to data leakage, and monetary loss from expensive data or system recovery processes. It is therefore important for Australian charities and not-for-profit organisations to ensure their cyber security practices are robust enough to reduce both the likelihood and the severity of a cyber-attack. That is why the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate, has released a new resource hub, Cyber security for charities and not-for-profits, which includes recommendations and resources for charities and not-for-profit organisations, including to:
- Turn on multi-factor authentication, where possible.
- Back up important files and device configurations often. Test backups on a regular basis.
- Provide cyber security training, particularly on how to recognise scams and phishing attempts.
- Test cyber security detection, incident response, business continuity and disaster recovery plans often.
- Report a cybercrime, incident or vulnerability to protect from further harm.
See the full list of recommendations and resources on Cyber security for charities and not-for-profits, and use the Cyber security checklist for charities and not-for-profits (PDF 638 KB) to help improve the cyber security of your charity or not-for-profit.