The public is jittery about cyber security for good reason. Cyber-attacks have become an inevitable part of modern life, and the not-for-profit sector is not immune – as we saw in 2023, we are already a target. But we don’t have to sit back and wait for the worst to happen again. Here we discuss the monumental cyber security challenges facing our industry, the proactive steps nonprofits can take to protect themselves against the growing threat, and the ways in which one fundraising organisation is using technology to deliver best practice data management.   

The threat  

In FY23, the Australian Signals Directorate (ASD) responded to over 1,100 cyber security incidents and received over 33,000 calls to the Australian Cyber Security Hotline, an increase of 32% on 2021/22. Separately, nearly 94,000 reports were made through the ReportCyber platform, a 23% increase on the previous year.  

Threats to nonprofits 

Findings in the Australian Nonprofits State of the Sector 2023 Report show that of 830 nonprofit survey respondents, 8% had been affected by a cyber security incident in the past 12 months. Extrapolate the number across Australia’s 60,000 charities (and those are just the ones registered with the ACNC) and that’s a whopping 4,800 organisations.  

The threat is real and significant, but the sector’s response has yet to catch up. Nonprofits struggle with limited resourcing and small budgets, but we can take low-cost, proactive steps to protect our organisations against cyber risk. Before we look at the solutions, though, let’s explore the sector’s vulnerabilities.

The 2023 Infoxchange Digital Technology in the Not-for-profit Sector Report told us that:  

  • Only 12% of the 1,020 (AU and NZ) organisations surveyed for the report provided regular cyber security awareness training for their staff and less than 25% had effective processes to manage information security risks.
  • Only 38% of the surveyed organisations had an ‘acceptable use policy’ that enabled staff and volunteers to understand how they should keep their organisation’s information safe.
  • Only one in five organisations had a cyber security policy that outlined how the organisation protects its information from security-related threats.

Current standards of cyber security in Australian and New Zealand nonprofits. Source: Digital Technology in the Not-for-Profit Sector Report, Infoxchange, October 2023.

What do all these facts and figures tell us? That we face just as much risk as the corporate sector (perhaps more when you consider NFP resource restrictions and the degree to which we depend on supporter trust). That we are (woefully) under-prepared for cyber-attacks and data breaches. That our human resources are not empowered or equipped to face the growing threat. And that perhaps many NFP organisations don’t even understand the risk that faces them, leaving the sector dangerously exposed to cyber threats.  

Now for the good news! There are some really effective ways to protect your organisation in 2024 and beyond. Let’s start by looking at government action on the issue and then consider how your nonprofit (no matter its size) can put its own plans for cyber security in place.  

The government response  

Following Medibank and Optus data breaches in 2022 – which exposed the personal information of 9.7 million and 10 million people respectively – the Department of Home Affairs released the 2023-2030 Australian Cyber Security Strategy, a seven-year plan to combat the threat to Australia’s cyber security. It provides detailed oversight of the threat and proposed response, and it can help you understand the broader nationwide context in which your nonprofit exists.  

In recent years, the ASD has released a series of resources that organisations of any size can use to help mitigate cyber security incidents, and we recommend checking your organisation against them. Four key resources are:

  • The Essential Eight – which are: patch applications; patch operating systems; multi-factor authentication (MFA); restriction of administrative privileges; application control; restriction of Microsoft Office macros; user application hardening; regular backups. You can find out more about what these ‘essentials’ involve and how to implement them here.  
  • Strategies to Mitigate Cyber Security Incidents – which includes a comprehensive list of mitigation strategies, with information about how effective they are and how expensive they are to implement and maintain.  
  • Questions to Ask Managed Service Providers – key queries for suppliers that access your data/IT systems.  
  • Small Business Cyber Security – which can also be applied to small/medium nonprofits.  

What does gold standard cyber security look like?  

Tele-fundraising agency GiveTel addressed key points of cyber security vulnerability by migrating all its campaign delivery services to Evergiving, a global PCI Level 1-rated platform that safely and securely delivers fundraising programs.  

To understand how GiveTel uses Evergiving, we will first look at the services the agency provides.  

GiveTel powers fundraising 

Regular giving (RG) acquisition, conversion, upgrades, reactivations, Gifts in Wills calling and thank you calls – GiveTel offers all these services within a framework of best practice data security and donor care. Clients include Assistance Dogs, Lifeline, Greenpeace, Oxfam, PLAN International and World Animal Protection, and the agency helped to acquire over 12,500 regular givers last financial year.  

Using payment gateway integrations within Evergiving, the GiveTel calling team can set up a recurring gift to start on any date with any frequency and can also collect Instant First Debits during calls, an initiative that significantly reduces declined first debits and subsequent attrition.  

GiveTel protects data  

Data – and, more specifically, Personally Identifiable Information (PII) – can be vulnerable at several stages of a fundraising campaign: the transfer of data to third party suppliers (such as tele-fundraising agencies), the collection of new donor data (over the phone or otherwise), and the post-campaign management of data.

Leads for call campaigns come from a variety of sources – list brokers, warm donor lists and, increasingly, Facebook lead generation activity such as petitions or value exchanges. GiveTel protects the receipt of this data by using an API that directly transfers it from source to ‘dialler’ (a computerised system within Evergiving that dials each number on a call list) without manually handling PII and with restricted data available to call staff based on the essential information they need for each call.  

If a supporter chooses to donate (a regular or single gift) over the phone, the Evergiving platform uses interactive voice response (IVR) to guide the donor through entering their credit card details on their phone keypad, and those details are instantly tokenised. That is, the GiveTel fundraiser never sees or hears the sensitive payment information. If payment details are mistyped, the system detects this and IVR asks the donor to correct their information before confirming their details and transferring them back to the fundraiser.

Post-campaign, GiveTel guarantees the swift and safe destruction of all sensitive campaign data (a process you should always check takes place with any agency you provide data to).  

Great fundraising and best practice data security  

Now that GiveTel is partnered with Evergiving, the most secure fundraising platform on the market, setting up a new tele-fundraising campaign with the agency is streamlined and secure. GiveTel is also FIA Code compliant. So, if you are planning a call campaign for 2024 and want to run a test with confidence, get in touch with the GiveTel team today.  

Plan of action for nonprofit cyber security – the non-negotiables 

  • Read the 2023-2030 Australian Cyber Security Strategy. 
  • Access and implement the helpful guides provided by the Australian Signals Directorate.  
  • Check if the suppliers who interact with your data are PCI and FIA Code compliant. 
  • Do your due diligence – are the agencies you work with destroying data after each campaign? Do they have a solid crisis management plan should there be a cyber security incident? Does your nonprofit have its own data breach response plan?  
  • Remember that credit card information and PII must be collected within a secure, PCI-compliant environment. Fundraisers should not be exposed to credit card details or have any ability to download or view these details. 
  • Every aspect of a campaign must be secure. There should be direct integration between data capture and a nonprofit’s payment gateway and the use of anonymised tokens to link supporters to their sensitive card details.  
  • Ensure your nonprofit offers regular cyber security training to staff. 
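To make the IVR tokenisation flow described above (and the anonymised-token point in the checklist) concrete, here is an added illustration that is not GiveTel’s or Evergiving’s code: a constructed Python simulation in which each keypad entry is validated with the Luhn check digit and expiry date, re-prompted on error, and swapped for a token so the fundraiser-facing record never carries the card number. The vault, `DEMO_TODAY`, `ivr_capture` and the test card number are assumptions made for the demo.

```python
import secrets
from datetime import date

# Constructed demo: _VAULT stands in for the PCI-scoped platform's token store.
# Only the token and masked digits ever reach the fundraiser's screen.
_VAULT = {}
DEMO_TODAY = date(2024, 6, 1)  # fixed "today" so the example is repeatable

def luhn_valid(pan):
    """Luhn check-digit test; catches most single-digit keypad typos."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def validate_card(pan, exp_mm, exp_yy, today=DEMO_TODAY):
    """Return a re-prompt reason for an unusable keypad entry, else None."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        return "card number length"
    if not luhn_valid(pan):
        return "card number check digit"
    if not 1 <= exp_mm <= 12:
        return "expiry month"
    if (2000 + exp_yy, exp_mm) < (today.year, today.month):  # valid to month end
        return "card expired"
    return None

def tokenise(pan, exp_mm, exp_yy):
    """Store raw details in the vault; return only the fundraiser-safe record."""
    token = "tok_" + secrets.token_hex(12)
    _VAULT[token] = {"pan": pan, "exp": (exp_mm, exp_yy)}
    return {"token": token, "last4": pan[-4:], "expiry": f"{exp_mm:02d}/{exp_yy:02d}"}

def ivr_capture(keypad_entries, today=DEMO_TODAY, max_attempts=3):
    """Simulate the IVR loop over (pan, mm, yy) attempts; returns (record, attempts)."""
    attempts = 0
    for pan, mm, yy in keypad_entries:
        attempts += 1
        if validate_card(pan, mm, yy, today) is None:
            return tokenise(pan, mm, yy), attempts
        if attempts >= max_attempts:
            break  # IVR hands the call back without any card data
    return None, attempts
```

The record returned to the fundraiser holds only the token, last four digits and expiry; a charge is later raised against the token, so the PAN stays inside the PCI-scoped vault.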

Key resources