Compliance and Security for Not-for-profit organisations in Australia

In today’s digital age, cybersecurity has become a critical concern for all organisations, whether large or small.

Not-for-profit organisations (NFPs) are no exception.

NFP organisations hold sensitive information, such as personal details, financial information, and medical records of their stakeholders and clients. This information is highly valuable to cybercriminals, who can use it for identity theft, financial fraud, and other malicious activities.
NFPs in Australia are bound by legislation that dictates how they must handle the information they hold, including the Privacy Act 1988 (Cth) and its Notifiable Data Breaches (NDB) scheme, under which an eligible data breach must be reported to the Office of the Australian Information Commissioner (OAIC) and to the individuals affected. The Privacy Act generally applies to organisations with an annual turnover above $3 million, but an NFP that provides a health service and holds health information is covered regardless of its size.

NFPs that accept credit card payments or handle sensitive health information may also be subject to industry and regulatory standards, and to the assessments that measure compliance with them, such as the Payment Card Industry Data Security Standard (PCI DSS) for cardholder data. The Health Insurance Portability and Accountability Act (HIPAA) is United States legislation and applies only where an NFP handles US protected health information; in Australia, health information is governed by the Privacy Act and by state and territory health records laws.

To meet these obligations, NFPs must implement robust cybersecurity measures to protect their data from unauthorised access, theft, or loss.

Failure to comply can result in significant consequences, including regulatory fines, loss of funding, damage to the organisation’s reputation, and even legal action.

As cyber threats continue to evolve, it is essential for NFP organisations to prioritise cybersecurity and implement robust security measures to protect their donors, beneficiaries, and critical information.

The Essential Eight Risk Mitigation Strategies 

The Essential Eight is a set of baseline mitigation strategies published by the Australian Cyber Security Centre (ACSC), with four maturity levels (Maturity Level Zero to Three) that describe how thoroughly each strategy has been implemented. No set of mitigation strategies is guaranteed to protect against all cyber threats, but the ACSC recommends that every organisation implement these eight as a minimum, because together they make it much harder for an adversary to compromise systems and to persist once inside.

These strategies are: 

  1. Application control (formerly called application whitelisting): allow only an approved set of executables, scripts, installers and other code to run on workstations and servers, so that unauthorised or malicious programs, including those a user is tricked into downloading, cannot execute.
  2. Patch applications: apply patches or vendor mitigations for vulnerabilities in internet-facing services and in commonly targeted applications (web browsers, Microsoft Office, PDF readers) promptly, within 48 hours when a working exploit exists, and remove applications the vendor no longer supports.
  3. Configure Microsoft Office macro settings: macros are a common way to run malicious code from a document. Block macros in files received from the internet, disable macros entirely for users with no business need for them, allow only vetted macros (from Trusted Locations or digitally signed by a trusted publisher) for those who do, and prevent users from changing these settings.
  4. User application hardening: reduce the attack surface of everyday applications, for example by configuring web browsers to block Java and web advertisements, disabling or removing Internet Explorer 11, blocking Microsoft Office and PDF software from creating child processes, and stopping users from changing these settings.
  5. Restrict administrative privileges: grant administrative rights only on a validated need, review them regularly, use separate privileged accounts that cannot browse the web or read email, and keep privileged accounts out of unprivileged environments. This limits what an attacker gains from a compromised standard account and reduces the impact of a successful cyber attack.
  6. Patch operating systems: apply operating system patches promptly, within 48 hours when a working exploit exists, and replace operating system versions the vendor no longer supports.
  7. Multi-factor authentication: require it for remote access, for privileged actions, for access to important data repositories, and for internet-facing and third-party services, so that a stolen or phished password alone is not enough to gain access.
  8. Regular backups (the ACSC’s current term; daily is a common target): back up important data, software and configuration settings regularly, keep at least one copy disconnected from the network or otherwise protected from modification and deletion by unprivileged accounts, and test restoration so that the organisation can actually recover after ransomware or a data breach.
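As an added example, not part of this page or of mcrIT’s or the ACSC’s tooling, the following PowerShell script audits the macro control (item 3) on a single Windows workstation and, if needed, applies the baseline. It assumes Office 2016/2019/Microsoft 365 applications (registry version 16.0), settings delivered through the Group Policy keys under HKCU:\Software\Policies, and the function names Get-OfficeMacroPolicy and Set-OfficeMacroPolicy are this example’s own.

```powershell
# Added example (not mcrIT's or the ACSC's own tooling). Audits whether the policy-managed Office
# macro settings on this workstation meet the Essential Eight macro control, then applies the
# baseline when they do not. Assumptions: Office 2016/2019/Microsoft 365 (registry version "16.0")
# and settings under HKCU:\Software\Policies (a domain GPO will overwrite anything set locally).

$OfficeVersion = '16.0'                      # assumption: Office 2016/2019/Microsoft 365 apps
$Apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings policy value (Trust Center > Macro Settings):
$VbaWarningsMeaning = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification (user can click Enable Content)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-OfficeMacroPolicy {
    # Returns one object per Office application describing its policy-enforced macro settings.
    param(
        [string[]]$Applications = $Apps,
        # Set when the audited user has an approved business need for vetted macros; otherwise
        # only "disable all macros without notification" (4) is treated as meeting the baseline.
        [switch]$AllowSignedMacros
    )
    $acceptable = if ($AllowSignedMacros) { 3, 4 } else { ,4 }

    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $vba = $props.VBAWarnings                             # $null when no policy is set
        $blockInternet = $props.blockcontentexecutionfrominternet

        $meaning = if ($null -eq $vba) { 'Not set by policy (user can change it)' } else { $VbaWarningsMeaning[[int]$vba] }

        [pscustomobject]@{
            Application          = $app
            VBAWarnings          = $vba
            MacroSetting         = $meaning
            BlocksInternetMacros = ($blockInternet -eq 1)
            MeetsBaseline        = ($null -ne $vba) -and ([int]$vba -in $acceptable) -and ($blockInternet -eq 1)
        }
    }
}

function Set-OfficeMacroPolicy {
    # Applies the baseline locally: block macros in files from the internet and disable all macros
    # (or all but digitally signed ones when -AllowSignedMacros is given).
    param(
        [string[]]$Applications = $Apps,
        [switch]$AllowSignedMacros
    )
    $vbaValue = if ($AllowSignedMacros) { 3 } else { 4 }
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $vbaValue -Type DWord
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

# Audit first; apply the baseline only if something is out of line, then re-audit to confirm.
$before = Get-OfficeMacroPolicy
$before | Format-Table -AutoSize
if ($before.MeetsBaseline -contains $false) {
    Write-Warning 'At least one Office application allows untrusted macros; applying the baseline.'
    Set-OfficeMacroPolicy
    Get-OfficeMacroPolicy | Format-Table -AutoSize
}
```

Run it in the session of the user being assessed, since the keys live under HKCU. For a fleet, deliver the same values through Group Policy rather than per machine. The script checks only the policy keys for the three listed applications, not the user-selectable Trust Center values under HKCU:\Software\Microsoft, Trusted Locations, or antivirus scanning of macros, so a passing result is necessary but not sufficient for the full control.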

How can mcrIT help? 

mcrIT has a passion for developing solutions tailored for NFPs in Australia: 

  • A range of security checks to identify gaps and vulnerabilities. 
  • Controls that allow you to map your information to the required standards.

To find out more about how we can help, reach out to our team today.