Former Director of the FBI Robert S. Mueller, III, made the famous quote that: “There are only two types of companies: Those that have been hacked and those that will be hacked.”

And others have since moved to suggest that the quote should now be: “There are only two types of companies: those that have been hacked and those that don’t know they have been hacked.”

It is unfortunate that not for profit organisations are sometimes the target of a cyber-attack. Given that not for profits often hold a lot of personal data, they can be seen as a soft target. Attackers also don’t need to have a lot of data about a person in order to perform identity theft, so the consequences can be significant if personal data is stolen.

Being the subject of a cyber attack can have wide ranging impacts on the organisation; including damage to reputation, financial losses and an inability to service clients during any downtime caused by the incident.

On 28 February 2020, the Office of the Australian Information Commissioner (OAIC) released the latest Notifiable Data Breaches Report on the period July to December 2019. A few key statistics and observations can be made from the report:

  • Nationally, there are approximately 80-90 data breaches per month which are “eligible”* and are reported to the OAIC
  • Malicious or criminal attacks (including cyber incidents) are the leading cause of data breaches, amounting to 64% of all notifications in the past six months
  • About a third of breaches are the result of human error
  • The health sector has the highest number of breaches
  • Most data breaches affect less than 100 individuals, showing the vulnerability of smaller organisations, including not for profits
  • The most common data which is involved is personal contact information.

*Under the Notifiable Data Breach legislation, it is an “eligible data breach” where:

  • there is unauthorised access to or unauthorised disclosure of personal information (or the information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur)
  • a reasonable person would conclude it is likely to result in serious harm to any of the individuals whose personal information was involved in the data breach, and
  • the entity has not been able to prevent the likelihood of serious harm through remedial action.

If an entity suspects that an eligible data breach has occurred, they must undertake an assessment into the relevant circumstances, notify affected individuals and the OAIC as soon as practicable.

Ensuring that your systems are secure is fundamental to data security, but human error also presents significant risk. Human error can involve a staff member inadvertently opening a phishing email or clicking a link to a suspicious website. One of the other sources of data breach can be, for example, when a staff member accidentally selects the wrong email address and sends an email with personal details to the wrong person.

Cyber risks are often one of the risks that are identified in a risk assessment, but many organisations struggle to know what to do next to mitigate those risks.

Five steps to mitigate cyber risk

Not for profit providers can take these steps to prepare now and mitigate the risk:

  1. Ensure that cyber risk scenarios are identified in the organisation’s risk assessment.
  2. Look at your people and the role of training in mitigating the risk– it’s important that employees understand how to detect and report threats, protect their devices and the organisation’s data.
  3. Preventative technologies and processes – encryption, secure backups, multi-factor authentication and modern hardware/software will all help to minimise the risk of data loss.
  4. Review relevant policies and preparation – plan ahead by ensuring you have an up to date privacy policy, data breach policy and data breach response plan, and undertake simulation exercises to test management.
  5. Work with a specialised external consultant undertake an independent security review and penetration testing.