Last week I spoke at the Cybercon conference in Canberra about the unique challenges of managing cybersecurity risks in Not for Profits (NFPs).
The audience was mostly a mix of NFP staff and service providers. However, a government procurement person was also in the room, wondering how government could pragmatically impose cybersecurity requirements on their service providers, who were mostly charities.
I loved the fact that she even attended this session. It was clear that she understood her need to protect client data, but that she was also concerned about her service providers’ ability to manage any additional requirements.
It’s a delicate balance that I can appreciate, having started my career as a government procurement officer for the US Air Force and later as the CEO of a charity.
So, how did we get here, and how can government help charity service providers manage cybersecurity risks?
Australia’s dependency on charities for social services
I’ve lived in multiple countries on five continents, and from my experience, Australia is unique in the way that the government utilises charities to deliver a large proportion of its social services. And I generally believe this is a good thing.
After all, charities have always been more efficient and effective at delivering these types of services than government agencies with multi-level bureaucracies that lack visibility into the impact of their work.
Charities, on the other hand, are usually quite lean, partly due to their funding constraints, but also because they want every dollar to go directly toward their mission whenever possible.
However, it’s this lean nature that makes it even harder for charities to implement government-sized cybersecurity measures.
Charities are operating lean already.
The Australian Charities and Not-for-Profits Commission (ACNC) shared in their latest report that about 71% of charities had less than $1 million in revenue.
Many can operate on such low budgets only because of a legion of volunteers that reduces their payroll expenses. Without them, their government contracts may not be sufficient to cover their basic costs.
IT costs, on the other hand, cannot be reduced in this way. While charities are offered discounted licensing rates for some software, those rates have been increasing by 10% or more per year.
Implementation and support costs have also increased due to inflation, while government contracts have not always followed suit.
Furthermore, government reporting requirements are becoming increasingly complex and granular, necessitating a greater investment in technology to avoid a massive manual reconciliation process each reporting period.
And without such technology, charities are also finding that they lack sufficient visibility into their true costs of delivering services, forcing them to choose between switching off vital community services and remaining viable.
Combine these technology investment needs with the volume of personal data they manage, and the cybersecurity risk becomes a serious concern.
How government can help charity service providers manage cybersecurity risks.
If government is to rely so heavily on charities to deliver such services, then it must also play a part in helping these organisations manage the cybersecurity risks related to the sensitive data they handle.
- Invest in your own IT infrastructure. Many government agencies have not adequately invested in their own IT infrastructure for reporting purposes. I have a client who was told that the government reporting app they were required to host on their own server (but which the government has never patched) was their responsibility to securely manage. And let’s not talk about how much information has to be manually entered into some of these government systems!
- Demonstrate what good cybersecurity practice looks like. Government agencies regularly send and receive emails containing client personal information with charity service providers. While I can help my clients find safer ways to share information with their third parties, there is nothing we can do if a government agency insists on receiving personal information via email.
- Expect to pay for overhead. Government reporting and cybersecurity requirements for charity service providers are becoming increasingly complex. Your contracts must allow for this, to enable the charities to make adequate investments in their IT infrastructure.
- Avoid requiring ISO 27001-type certifications. Yes, I used to include these in all my contracts, particularly for big tech companies when I worked in the public sector. Nevertheless, for charities, these types of certifications are often meaningless policy exercises that do nothing to strengthen the day-to-day cybersecurity of a charity, particularly ones that use only cloud-based software and have an outsourced IT help desk (most!).
- Put more security requirements on the tech vendors. Due to the unique Australian government requirements, niche tech vendors have evolved in Australia to support services such as the NDIS, Community Transport, and RTOs. Unfortunately, too many of these companies have not prioritised cybersecurity in their development work, lacking basic security measures such as strong password policies and multi-factor authentication. Put a greater burden on them, and they will make these investments faster.
Final thoughts
Charities play a significant role in providing social services on behalf of the Australian government. As such, the cybersecurity risks of managing such sensitive data are shared with these organisations.
However, for charities to meet these obligations, government must support them in managing these risks by first getting their own house in order and then supporting these organisations as they invest in doing the same.
I regularly help Not for Profits with making strategic IT investments and managing cybersecurity risks. Let me know if you need some help.
Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially around investments.

