Month: April 2024

Every hour, 10 cyber-crime reports are received by the Australian Cyber Security Centre (ACSC) – and nonprofits are not exempted from these attacks:

• Over 70 charities were affected by last year’s data breach on Pareto Phone, a firm that collects donations from nonprofit supporters. Credit card and other personal information of at least 50,000 individuals were published on the dark web.
• Attackers targeted children’s charity The Smith Family, exposing around 80,000 details – including names, addresses, phone numbers, email addresses, donation records, and the first and last four digits of credit or debit cards.
• A cyber incident also happened at the not-for-profit (NFP) provider of health and aged care services, St. Vincent’s Health Australia, with 4.3 gigabytes of data reportedly stolen from their network.

Why Cyber-Attacks on NFPs are Rising

At least three reasons are behind the increasing cyber incidents experienced by NFPs:

1. More and more nonprofits are embracing digitisation and automation. This trend is expected to increase their exposure to cyber risk.
2. NFPs are easy targets because cyber criminals assume that they lack sufficient cyber security resources and expertise.
3. Many nonprofit organisations handle sensitive information, which are attractive to cybercriminals.

Donor data and client records represent goodwill and trust. For donors, it’s a testament to their belief in the mission of the NFP. For clients, these records represent their personal journeys, often shared in confidence. As data custodians, nonprofits must keep fortifying their digital defences.

Data Privacy Regulations

The Australian Charities and Not-for-profits Commission (ACNC) emphasises the legal obligation for nonprofits to comply with requirements concerning people’s information and data, as outlined in the Privacy Act 1988.

The Privacy Act 1988

Nonprofits in Queensland may be subject to the Privacy Act 1988 if they collect and store people’s information and data, or their annual turnover exceeds $3 million, or if a nonprofit opts in, or in certain other circumstances as described in our article Understanding the Privacy Act Review: Its Impact on Nonprofits, Medical, and Education Sectors.

Here’s how they are to comply:

• Develop a Privacy Policy that outlines how the organisation collects, stores, and uses people’s information and data
• Manage information and data in accordance with all legal and ethical responsibilities
• Implement security measures for storing personal information
• Obtain consent when collecting sensitive and health information
• Inform individuals about the collection of their personal information and its purpose

A good rule of thumb is to consider that all privacy laws apply to your organisation, especially following the recent updates. Data privacy compliance can also:

• Build trust with donors, supporters, and members
• Ensure that a nonprofit meets their legal obligations
• Improve the reputation and community support to an NFP

Health Services Act 1991 (Qld)

For nonprofits in the health sector, the Health Services Act 1991 (Qld) provides the framework for the organisation, management, and delivery of health services in Queensland.

The Act prohibits health staff from disclosing confidential information about a person who is receiving, or who has received, a public sector health service if the person could be identified from the information.

It’s important for health organisations to understand these provisions and ensure they are complying with them. Non-compliance could lead to legal consequences and damage to the organisation’s reputation, so it is best to consult with a compliance professional and stay updated with any changes to the Act.

Data Breach Risks Faced by Nonprofits

Data breaches are a constant threat to nonprofit organisations with consequences potentially undermining their mission. They’re facing digital risks as well as personal, financial, and reputational.

Immediate Risks

When sensitive information is compromised, it can lead to identity theft, financial loss, and fraud. For instance, the Pareto Phone breach highlights the vulnerability of nonprofits to cyber-attacks and the importance of strong cyber security measures.

Damaged Trust

The ramifications are not limited to the immediate financial impact. They can erode the hard-earned trust between nonprofits and their supporters, potentially leading to a decline in donations and volunteer engagement.

Harm to Reputation

The reputational damage can be long-lasting and more costly than the initial data loss. The risks also include legal consequences, especially with the mandatory data breach notification schemes in Queensland.

Far-reaching Impact

A breach on one organisation can affect individuals, but it can also lead to a loss of confidence in the nonprofit sector. NFPs thus need more stringent data protection and compliance practices.

What NFPs can Do for Data Protection

Just like any other sector, Nonprofits must invest in cyber security, educate their staff and volunteers about cyber threats, and establish clear protocols for data management and breach response.

Here are some best practices for data security and privacy you can quickly implement:

• Multi-factor authentication (MFA), as a barrier against unauthorised access
• Regularly updating your systems, which is a key to cyber resilience
• Maintaining backups, which can be your lifeline in case of a disaster

It can be critical for nonprofit organisations to implement data management protocols and prepare for potential breaches with clear response strategies. Every NFP must have clear procedures for a rapid breach response, transparent communication, remediation steps, and an IT disaster recovery plan.

The Importance of NFP-specific Cyber Security Expertise

NFPs have to level up their cyber security expertise, now more than ever before. One way to do it is via a cyber security services provider with significant experience in the Not-For-Profit sector.

ADITS have been supporting NFPs for a number of years as we align with your values of community impact and positive change. We are committed to empowering your organisation to advance your mission with technology operating seamlessly behind the scenes.

Why is it important to have IT and cyber security services that are specially designed for nonprofits?

• Customised Solutions: Nonprofits have distinct needs and missions. When IT services are customised and technology aligned with their specific goals, NFPs are enabled to create a stronger impact efficiently.
• Proactive Monitoring: With dedicated monitoring of systems and software, potential issues in the sector can be detected early, minimising disruptions, and maintaining operational continuity for nonprofits.
• Cyber Security: Protecting sensitive data should be a top priority for any NFP. Tailored cyber security measures will safeguard your mission against increasing cyber threats, ensuring trust, and compliance.
• Strategic Support: Access to experienced IT professionals who understand the nonprofit sector can simplify technology management and reduce costs, allowing organisations to focus on their core mission without tech-related distractions.

In essence, specialised IT and cyber security services will empower you to navigate the complexities of technology with confidence, ensuring donor data security for non-profits and that you remain focused on making the world a better place.

Did you know ADITS can help you with your application for discounted Microsoft licences too? Simply book a consultation and we’ll guide you through the process.

Cyber Security and Data Privacy for the NFP Sector

As much as board members have an obligation to protect their donor and volunteer data, we also understand that you don’t all have to be tech savvy. Keeping up-to-date with the state of cyber security in Australia, and learning more about your liability as well as understanding the difference between security and compliance, can be overwhelming.

As it is your role as a board member to instil a cyber security and data privacy culture from the top throughout your organisation, enquire about our tailored cyber security training to receive the knowledge that will make you confidently lead your organisation:

If you are running a business in Queensland, then you are no stranger to natural disasters. On average, 11 cyclones hit Australia each year, four of them passing through the state.

But cyclones are not all we’re experiencing – flooding, thunderstorms, bushfires, heatwaves are common. The last few years we also went through a pandemic and a volcanic eruption in the pacific that triggered tsunami warnings for the Australian East coast line.

Any of those events can cause business disruption, as could cyber incidents, hardware failures, and user error.

Because there is no good time to expect a disaster, you must always be prepared!

The Importance of Business Disaster Recovery

To safeguard your business against unexpected disruptions, you need a Business Disaster Recovery (BDR) strategy – your lifeboat in case of a disaster.

Business Continuity, Disaster Recovery, and IT Resilience

Let’s clarify these terms before diving any deeper.

Business continuity is about ensuring your business can continue to run during and after a disaster. It is the overarching concept to disaster recovery, which focuses on restoring your IT systems and data after a disaster. Meanwhile, IT resilience is the ability to adapt and recover quickly from any disruption.

If your business was a ship, IT resilience would include the strength of your ship’s materials, the skills of your crew, and the effectiveness of your maintenance. But those could be overcome by a disaster, so you need to know what to do when it hits.

Business continuity is your plan for keeping your ship’s essential operations going. This could involve moving passengers to safer parts of the ship or using buckets to remove the infiltrated water. In your business, this might mean switching to backup systems or working from a secondary location after a disaster.

Disaster recovery is like your emergency measures if the ship starts to sink. It can include lifeboats and emergency signals or, in real terms, backups of your data or systems that you can restore after a cyber-attack or a hardware failure.

Why You Need a BDR Strategy

A disaster recovery plan for Brisbane and Townsville businesses is a safety net that can enable them to keep operating under adverse conditions. This is crucial if you want:

• Less downtime: A disaster can force you to cease operations temporarily. Your goal is to reduce the pause period and resume ASAP.
• Data protection: Implementing data backup and recovery policies can protect your business data against loss or corruption.
• Reduced financial losses: Data loss or extended downtime can lead to significant losses. Mitigating these risks can prevent your business from losing money.
• Customer trust: Quickly recovering from a disaster can demonstrate reliability and help maintain trust and loyalty.
• Regulatory compliance: Many industries have regulations requiring businesses to have BDR plans in place to protect sensitive data.
• Peace of mind: Knowing there’s a plan in place to handle disasters can provide business owners and stakeholders with peace of mind.

Types of Disaster Recovery Solutions

There are three common types of disaster recovery solutions.

1. Cloud-based Solutions

Cloud-based BDR solutions do not rely on physical servers, the recovery infrastructure is hosted in the cloud. use remote servers. You can access your data from anywhere and at any time.

These solutions are cost-effective (you only pay for what you use) and offer high flexibility and reliability.

2. On-premises Solutions

On-premises disaster recovery involves maintaining backup systems and servers at your business location. You have total control over this setup, but it may require having extra hardware and servers on-site. This can make it costly and lack scalability. For example, you might need duplicated servers that take over if the main servers fail, ensuring the business can still operate.

3. Hybrid Solutions

These combine the best of both worlds, using both cloud and on-premises solutions for optimal flexibility and security. It involves maintaining backup systems on-site and replicating critical systems and data to the cloud.

There are several scenarios where a company might need both a cloud-based and on-premise backup solution such as when a business operates in a hybrid environment, a regulatory compliance, a cost consideration or even for enhanced redundancy.

RTO and RPO: Measuring the Success of Your Disaster Recovery Strategy

Two key metrics in disaster recovery planning are Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

RTO is the maximum time your business can afford to be down after a disaster. Restoring operations within your RTO can help avoid unacceptable losses or harm to your business.

RPO is the maximum amount of data loss you can afford from a disaster. It is the estimated time between the data loss incident and the last available valid backup. If the RPO is unmet, your business could also suffer significant data loss and disruption.

It’s important to note that RTO and RPO are closely related but distinct metrics. Together, these metrics help organisations establish realistic goals and priorities for their disaster recovery efforts.

When planning for disaster recovery, organisations should aim to balance RTO and RPO requirements with the available resources, technology capabilities, and business needs. By defining clear RTO and RPO objectives, organisations can develop effective disaster recovery strategies, implement appropriate backup and recovery solutions, and minimise the impact of potential disruptions on business operations.

Why Data Security and Compliance Matter

BDR solutions play a vital role in helping organisations comply with industry regulations and standards by ensuring the protection, availability, and integrity of their data, facilitating business continuity and disaster recovery planning, and providing auditability and reporting capabilities. By implementing robust BDR strategies, organisations can enhance their regulatory compliance posture and mitigate the risk of non-compliance-related penalties and fines.

For these reasons, regular compliance audits and updates to security protocols are part of many DRPs.

Implementing IT Disaster Recovery Solutions

Disaster recovery planning isn’t just about surviving the next cyclone. It’s about ensuring your business can weather any disaster.

IT disaster recovery services and IT business continuity services can help you:

1. Identify your critical IT systems
2. Assess the threats to your systems
3. Develop an IT recovery plan
4. Update your DRP as your business grows
5. Test your plan regularly to make sure it works

At ADITS, we partner with Datto for our clients Microsoft 365 backup and Acronis for their on-premise workload.

Don’t wait until it’s too late, contact ADITS and let’s chat about the requirements of your environment and your industry obligations.

GET STARTED NOW