
Imagine a scenario where a not-for-profit (NFP) organisation falls victim to a cybersecurity attack and loses access to all its data. This would lead to significant operational disruptions, increased operational costs, and strategic setbacks, much like any business.
Copies of donor information being stolen may have a significant impact on stakeholder relationships and lead to reputational damage. Such a loss could severely undermine an NFP and its ability to access funding to fulfil its mission and support the community. With almost half the respondents in the 2025 survey expressing a lack of confidence in being able to recover from a cyber-attack, and only 59% indicating they have a cyber response plan in place, cybersecurity is a growing concern for NFPs.
To insure or not insure?
Australian businesses experience a cyber-attack once every six minutes. With only 30% of the 2025 survey respondents reporting that they have experienced an incident, they either have robust cybersecurity measures in place, have been extremely lucky or aren’t aware they’ve had an incident.
Interestingly, 66% of respondents indicated that they currently have cybersecurity insurance, highlighting a proactive approach to risk management. However, nearly 20% remain uninsured.
One of the primary challenges identified by responding NFPs is an increase in operating costs. This pressure may influence their decision against taking up insurance. Organisations must balance the cost of insurance against the substantial risks and potential financial impact of a cyber-attack.
The other factor discouraging organisations from obtaining cyber insurance is the operational burden of meeting insurer requirements. NFPs need to demonstrate they have the systems and controls in place to mitigate attacks. Implementing these can add to already high operational costs.
Further analysis shows a stark contrast between organisations that have experienced a cybersecurity incident and those that have not. Among the 30% of organisations that have faced an incident, 91% are insured, compared to 53% of those who have not experienced an incident. This disparity suggests that experiencing a significant cyber-attack often prompts organisations to seek insurance, emphasising the need for pre-emptive measures rather than reactive ones.
Lack of cybersecurity preparation and confidence
71% of respondents agree that the benefits of capturing and storing customer data outweigh the risks and associated responsibilities to customer privacy. It makes sense as donor data is the lifeblood of many NFPs. However, when it comes to organisational preparedness, the survey results indicated some concerns.
Nearly half of the respondents expressed a lack of confidence in their ability to recover effectively from a significant cyber attack.
Moreover, the fact that only 59% of respondents identified as having a cyber incident response plan highlights a significant vulnerability for many NFPs. An incident response plan is the first step in planning for a cyber attack, and its absence may directly relate to the lack of confidence many NFPs feel about recovering effectively from a significant attack.
Of those with plans in place, only 26% have practiced implementing their cyber attack response plans. A plan is only as effective as its execution, so embedded practice is critical to allow for continuous improvement in incident response planning and recovery strategies.
Whose responsibility is it really?
63% of respondents believe their primary decision-makers are well-educated on cybersecurity matters, yet only 43% feel their organisation has a strong cybersecurity culture.
While the ‘tone at the top’ results seem positive, there is heightened scrutiny and increased accountability for directors of NFP organisations. Directors must understand key compliance obligations, monitor risks, and take reasonable steps to guide and oversee management. With cyber risk now well established as a critical organisational risk, leaders are accountable if they fail to act appropriately when there is a foreseeable risk of serious harm to the organisation.
Only 43% of respondents indicated that cybersecurity is top of mind and ingrained in their workplace. One of the most effective ways to combat cyber-attacks is by ensuring that the workforce is vigilant and understands that protecting the organisation is everyone’s responsibility. Employees can often be the ‘weakest link’ in cyber defence plans. For many NFPs, the challenge lies in their volunteer workforce, who often have access to the same systems as employees but are not included in cybersecurity education and training.
While awareness at the executive level is crucial, fostering a culture of cybersecurity throughout the organisation is equally important.
Are NFPs really at risk?
Nearly 40% of respondents believe that their organisation is not an attractive target for a cyber-attack. This complacency can be dangerous, as it may lead to underestimating the potential threats and not investing adequately in cybersecurity measures.
This also highlights a knowledge gap when it comes to cybersecurity. Attackers often cast a wide net, aiming to exploit vulnerabilities wherever they find them, regardless of intended targets.
Cyber-attacks are often opportunistic, using automated tools to scan for vulnerabilities. Attackers may also employ volume-based strategies, sending out phishing emails or malware to as many recipients as possible. Additionally, your organisation can be affected through the supply chain, where cybercriminals might target a less secure partner or vendor to gain access to your systems.
Plan for the worst and hope for the best
The complexity of managing cybersecurity plans increases significantly for federated NFP organisations, where each branch or chapter may manage its own systems and processes. Managing your own cybersecurity roadmap is important, but what happens if the other branches aren’t adhering to the same levels of security?
While a cyber attack would likely be confined to a single branch and limit the impact on business continuity, the reputational damage could be extensive, affecting the organisation holistically – potentially reducing donor confidence and increasing regulatory scrutiny. Ultimately the challenge for NFPs is balancing rising operating costs with growing cybersecurity threats and the obligation to keep relevant data safe.
What this means for you
- Take your cyber response plans off the shelf: conduct simulations to evaluate how your organisation would respond to a cyber attack.
- Training and education are crucial: treat your volunteers the same as full-time employees and don’t assume new employees have the same level of cybersecurity knowledge as existing staff.
- Directors, it is your responsibility: to understand more, you can reach out to expert advisors or read up on the Australian Institute of Company Directors’ cybersecurity handbook for small business and NFP directors.