Building a cyber champion in an NFP

Wednesday 27 November, 1:30 pm - 2:10 pm

Speakers

Adrian Bole
Director
IdentityXP

Denny Wan
Chair
Reasonable Security Institute

Rodney Anderson
Head of Information Security and Compliance
Barnardos Australia

Synopsis

This Think Tank is an active panel exploring the practical business challenge of building a cyber champion in an NFP (Not For Profit) business environment. The Australian Charities and Not-for-profits Commission has published a Governance Toolkit for Cyber Security, identifying the obligations of NFPs to protect their data from cyber-attacks, along with recommended actions and tools for doing so. These recommendations are backed by concrete case studies. But despite these insights and enablement, the 2023 CyberCX Cyber Intelligence Insights on Australian Charities found that the overall threat level facing the Australian charities sector remains high, specifically calling out the risks that third-party providers pose to NFPs. This risk is exacerbated by the sector’s diverse operating environment and cross-sector dependencies. Defending against supply chain risk from third-party providers is difficult, particularly for NFPs, which rely heavily on cross-sector collaboration involving many volunteers participating as third parties, with limited operational and security oversight by the NFP. Any tightening of their access to protected data is perceived as creating unsustainable operational and cost burdens. While these perceptions have some truth, this Think Tank equips CISOs in an NFP to identify and foster cyber champions within their organisation and across their partners. CISOs will learn and practise how to put the business impact of inaction into perspective and drive their security mandate.

When justifying the diversion of funds from direct community support to cybersecurity, executives and boards must consider the broader perspective. While there may be short-term sacrifices, investing in cybersecurity mitigates risks and enables NFPs to continue supporting their communities effectively. Utilising decision support tools to express these decisions in financial terms, and to compare the potential harm of cyber risks with other critical decisions, helps remove emotional responses and supports informed choices that prioritise both immediate support and long-term resilience. Recognising the moral and legal obligations of NFPs to protect the sensitive information of their beneficiaries is crucial. The susceptibility of charities and NFPs to cyberattacks underscores the importance of strengthening cyber resilience to maintain their social licence and uphold their responsibilities to the community.

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.