TL;DR
- Non-profits are high-value targets with low security budgets: Charities and NFPs hold donor financial data, vulnerable client personal information (DV survivors, addiction treatment patients, mental health clients), and government grant funding — all extremely attractive to attackers who know security investment is typically minimal.
- The Privacy Act applies to all charities receiving government grants: Any NFP that receives a government grant for service delivery is bound by the Privacy Act regardless of revenue size, as the government grant relationship brings them within the Act's coverage.
- Charity scams exploit your brand: Attackers impersonate well-known charities to steal donations — your organisation's reputation is used as a tool against the people you're trying to help.
- ACNC governance obligations include data security: The Australian Charities and Not-for-profits Commission (ACNC) Governance Standards require registered charities to manage their affairs responsibly — which increasingly includes cybersecurity governance as part of responsible trustee stewardship.
Why Non-Profit Businesses Are Cybersecurity Targets
Australian non-profit organisations and charities are increasingly targeted by cybercriminals for three distinct reasons: they hold sensitive personal information about some of Australia's most vulnerable people (domestic violence survivors, addiction patients, mental health service users, children in out-of-home care), they receive and disburse significant government and donor funds, and they typically have minimal cybersecurity investment compared to for-profit organisations in equivalent data-handling roles. A domestic violence shelter's client database — containing the location of survivors who have fled from abusers — is arguably the most sensitive personal information in the Australian privacy ecosystem. A ch
The Top 3 Cybersecurity Threats for Non-Profits
1. Ransomware Targeting Client and Donor Databases
Ransomware attacks on NFPs encrypt client management systems, donor databases, grant management platforms, case management software, and financial systems — making it impossible to deliver services to the vulnerable people who depend on the organisation. For a community services NFP managing housing support, disability services, or mental health programs, a ransomware event means: caseworkers cannot access client histories, service appointments are missed, government reporting obligations cannot be met, and grant acquittals cannot be prepared. The pressure to restore systems is intense when clients depend on the services for safety and wellbeing. Unlike commercial organisations, where ransom payment is a business decision, for NFPs the ethical dimension is acute: funds paid as ransom directly reduce the organisation's capacity to deliver services. The ASD ACSC Annual Cyber Threat Report 2024–25 confirmed that ransomware remained one of the most damaging cybercrime types, with all sectors — including community services — affected.
2. Charity Impersonation and Donation Fraud
Cybercriminals regularly create fake charity websites, email campaigns, and social media accounts impersonating well-known Australian charities — particularly during disaster events (bushfires, floods, cyclones) when public generosity is highest. This attack harms both donors (who lose funds to fraudsters instead of genuine charities) and the genuine charity (whose brand and reputation are damaged, and whose legitimate fundraising is undermined by donor distrust). Beyond impersonation fraud, attackers also target the charity's own donation processing systems: compromising payment gateways, redirecting recurring donor payment details, or inserting skimming code into the charity's website donation form. For charities that rely on individual giving for 50%+ of their income, donor payment security is a core business continuity issue.
3. Business Email Compromise Targeting Grant Payments and Payroll
NFPs that receive government grants and manage payroll for large care workforces are targets for Business Email Compromise (BEC) fraud. Attackers compromise an NFP's email accounts and send fraudulent payment instructions: redirecting a government grant instalment to an attacker-controlled account, changing staff banking details for payroll diversion, or impersonating a funding body to request financial information. For NFPs where a single government grant may represent $500,000–$5M per year, a redirected grant payment is a catastrophic financial event that may threaten the organisation's solvency and service delivery capacity. The charity's reporting obligations to the ACNC and to funding bodies require transparent financial management — discovering that grant funds have been diverted to a fraudster creates governance and reporting crises in addition to the financial loss.
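The indicators described above (a payment-redirection request arriving from a lookalike or external sender, a display name borrowed from a known staff member, a Reply-To that points elsewhere) can be checked mechanically before a finance officer acts on an email. The script below is an added example written for this article, not code from lilMONSTER or any product it mentions; the organisation domain, staff list, keyword list and the three messages are all constructed for the demonstration. It only triages and labels; the callback to a number already on file remains the control that actually stops the fraud.

```python
"""Triage email for Business Email Compromise indicators (added example).

Constructed sample data: ORG_DOMAIN, KNOWN_STAFF and SAMPLES are assumptions
made for this demonstration, not values from any real organisation.
"""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-charity.org.au"  # assumed organisation domain
KNOWN_STAFF = {"jane citizen": "jane.citizen@example-charity.org.au"}  # assumed
PAYMENT_KEYWORDS = ("bank details", "bsb", "account number", "remittance",
                    "payroll", "grant payment", "update our details")

# Constructed RFC 5322 messages: one routine, two with BEC indicators.
SAMPLES = [
"""From: Jane Citizen <jane.citizen@example-charity.org.au>
To: finance@example-charity.org.au
Subject: Board papers

Attached are the board papers for Thursday.
""",
"""From: Jane Citizen <ceo.urgent@gmail.com>
Reply-To: ceo.urgent@gmail.com
To: finance@example-charity.org.au
Subject: Urgent - update our details

Please change the bank details for the DSS grant instalment today.
""",
"""From: Accounts <accounts@exarnple-charity.org.au>
Reply-To: accounts-au@outlook.com
To: finance@example-charity.org.au
Subject: Remittance

Our BSB and account number have changed, see attached.
""",
]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(domain: str, org_domain: str = ORG_DOMAIN) -> bool:
    """Flag domains that closely resemble ours (e.g. 'rn' for 'm') but differ."""
    if domain == org_domain:
        return False
    return SequenceMatcher(None, domain, org_domain).ratio() >= 0.85


def triage(raw_message: str) -> list[str]:
    """Return the list of BEC indicators found in one message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    indicators = []

    # Display name of a known staff member, but not their real mailbox.
    known = KNOWN_STAFF.get(display.strip().lower())
    if known and address.lower() != known:
        indicators.append("display-name-impersonation")

    if is_lookalike(from_domain):
        indicators.append("lookalike-domain")

    # Replies silently routed to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        indicators.append("reply-to-mismatch")

    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if any(keyword in text for keyword in PAYMENT_KEYWORDS):
        indicators.append("payment-change-request")
    return indicators


def risk_level(indicators: list[str]) -> str:
    """HIGH = payment change plus a sender anomaly; MEDIUM = one of the two."""
    sender_anomaly = any(i != "payment-change-request" for i in indicators)
    payment = "payment-change-request" in indicators
    if payment and sender_anomaly:
        return "HIGH"
    if payment or sender_anomaly:
        return "MEDIUM"
    return "LOW"


def triage_all(samples: list[str]) -> list[tuple[str, list[str]]]:
    """Triage every message, returning (subject, indicators) pairs."""
    return [(message_from_string(s).get("Subject", ""), triage(s)) for s in samples]


if __name__ == "__main__":
    for subject, found in triage_all(SAMPLES):
        print(f"{risk_level(found):6} {subject!r}: {found}")
```

The similarity threshold is a tuning knob: 0.85 catches single-character substitutions and transpositions of a domain this length, and anything it flags should go to the callback process rather than be auto-blocked.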
Compliance Requirements for Non-Profits
Privacy Act 1988 (Cth) and Australian Privacy Principles
Many NFPs are covered by the Privacy Act: any charity that receives Australian Government funding for service delivery; any NFP whose annual revenue (including grants, donations, and commercial activities) exceeds AUD $3 million; any NFP that trades in personal information; and any NFP that provides a health service. The Privacy Act's health service provider classification (which applies regardless of revenue) covers community health centres, disability service providers, mental health organisations, and aged care providers operating as NFPs. Under APP 11, reasonable security steps must be taken to protect the personal information of clients, donors, and volunteers. The NDB scheme requires notification to the OAIC and affected individuals for eligible breaches. The 2024 amendments to the Privacy Act increased maximum penalties to AUD $50 million — applicable even to charities.
Australian Charities and Not-for-profits Commission (ACNC)
The ACNC Governance Standards require registered charities to be managed responsibly by their responsible persons (board/committee members). Standard 2 (accountability to members) and Standard 5 (duties of responsible persons, including acting in the best interests of the charity) increasingly encompass cybersecurity governance. Charities that suffer a significant cyber incident may face ACNC investigation if it is found that the board did not take reasonable steps to protect the organisation's assets (including data and systems). The ACNC has published guidance encouraging charities to consider cybersecurity as part of their governance responsibilities.
Government Grant Compliance — Funding Body Requirements
Government grants from federal and state agencies typically include data security and privacy conditions. Department of Social Services (DSS), Department of Health, NDIS, and state-funded programs all have security requirements for organisations handling client data on government funding. Failing to maintain adequate security can result in grant conditions being breached, funding being clawed back, and exclusion from future grant rounds.
Disability Services and NDIS — Quality and Safeguards
NDIS-registered providers are regulated by the NDIS Quality and Safeguards Commission. The NDIS Practice Standards include obligations around safeguarding participant information and privacy. A data breach affecting NDIS participant records triggers both OAIC NDB obligations and NDIS Commission investigation.
The lilMONSTER Security Checklist for Non-Profits
Apply for Microsoft Nonprofit and Google for Nonprofits discounts — they include security features you need — Microsoft and Google offer free or deeply discounted versions of their cloud productivity suites to registered charities. Microsoft 365 Business Premium (AUD $0–$7/user/month for nonprofits) includes MFA, email security, endpoint management, and cloud backup — all the security features you need at a fraction of commercial cost. Apply through the Microsoft Nonprofit Hub or Google for Nonprofits before spending anything on security tools.
Enable MFA on all email accounts and financial systems — MFA on Microsoft 365 or Google Workspace is free and blocks the majority of credential-based attacks. Enable it for all staff — including volunteers who have email accounts. Prioritise CEO/ED and finance team accounts first, then roll out to all users within 2 weeks.
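"Enable it for all staff" is only verifiable if someone actually reports on who has not registered. The script below is an added example, not code from the article or from Microsoft or Google: it reads a CSV export of MFA registration status, reports coverage, and lists the unregistered accounts with executive, finance and admin accounts first so the two-week rollout starts where the article says it should. The column names are an assumption modelled on a tenant registration report (check them against your own export), and the five rows are constructed sample data.

```python
"""Report MFA registration gaps from a CSV export (added example).

The export format is assumed: columns userPrincipalName, displayName,
isMfaRegistered and isAdmin. Verify these against the headers of the report
your tenant actually produces. SAMPLE_EXPORT is constructed data.
"""
import csv
import io

SAMPLE_EXPORT = """userPrincipalName,displayName,isMfaRegistered,isAdmin
ceo@example-charity.org.au,Executive Director,false,true
finance@example-charity.org.au,Finance Manager,true,false
caseworker1@example-charity.org.au,Case Worker,false,false
volunteer.a@example-charity.org.au,Volunteer A,false,false
it.admin@example-charity.org.au,IT Admin,true,true
"""

# Substrings in the mailbox name that mark an account as first-wave priority.
# Assumed naming convention; adjust to your directory.
PRIORITY_HINTS = ("ceo", "ed.", "finance", "payroll", "accounts")


def parse_export(text: str) -> list[dict]:
    """Parse the CSV into rows with real booleans instead of 'true'/'false'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "upn": row["userPrincipalName"].strip().lower(),
            "name": row["displayName"].strip(),
            "mfa": row["isMfaRegistered"].strip().lower() == "true",
            "admin": row["isAdmin"].strip().lower() == "true",
        })
    return rows


def is_priority(row: dict) -> bool:
    """Admins and executive/finance mailboxes go first in the rollout."""
    local_part = row["upn"].split("@", 1)[0]
    return row["admin"] or any(hint in local_part for hint in PRIORITY_HINTS)


def mfa_gaps(rows: list[dict]) -> dict:
    """Return coverage percentage and the unregistered accounts, split by tier."""
    registered = sum(1 for r in rows if r["mfa"])
    coverage = round(100.0 * registered / len(rows), 1) if rows else 0.0
    missing = [r for r in rows if not r["mfa"]]
    return {
        "coverage_percent": coverage,
        "priority_gaps": sorted(r["upn"] for r in missing if is_priority(r)),
        "other_gaps": sorted(r["upn"] for r in missing if not is_priority(r)),
    }


def rollout_complete(report: dict) -> bool:
    """True only when nobody, in either tier, is left unregistered."""
    return not report["priority_gaps"] and not report["other_gaps"]


if __name__ == "__main__":
    report = mfa_gaps(parse_export(SAMPLE_EXPORT))
    print(f"MFA coverage: {report['coverage_percent']}%")
    print("Fix first (exec/finance/admin):", report["priority_gaps"])
    print("Remaining users:", report["other_gaps"])
    print("Rollout complete:", rollout_complete(report))
```

Run it weekly during the rollout and keep the output with your governance records; a dated series of reports showing coverage rising to 100% is exactly the kind of evidence of reasonable steps that the Privacy Act and ACNC sections above ask for.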
Implement a payment change verification process — Any change to grant payment destinations, supplier banking details, or payroll banking information must be verified by calling the requesting party on a number already in your records. This prevents the majority of BEC fraud targeting NFP payment flows. Document this process and make it a board-approved policy.
Ensure your website donation form is PCI-DSS compliant — If you collect credit card donations on your website, use a reputable PCI-DSS compliant donation platform (Raisely, Funraisin, Stripe, PayPal) rather than processing cards directly. Do not build your own payment form. Check your donation platform vendor's PCI-DSS certification annually. A compromised donation form that captures donor card data creates both regulatory and reputational consequences.
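Using a hosted donation platform removes card data from your site, but the page that embeds the platform's widget is still yours, and the skimming-code scenario from the "Charity Impersonation and Donation Fraud" section above starts with a script or form that should not be there. The audit below is an added example, not code from the article or from Raisely, Funraisin, Stripe or PayPal: it parses the donation page's HTML and flags scripts from hosts outside an allowlist, allowed scripts without a Subresource Integrity hash, inline scripts, and forms posting off-site. The platform hostname, the allowlist and the sample page are constructed assumptions.

```python
"""Audit a donation page for unexpected scripts and forms (added example).

ALLOWED_HOSTS and SAMPLE_PAGE are constructed for the demonstration; the
platform host is a placeholder, not a real donation provider's domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# "self" stands for scripts/forms served from the charity's own site.
ALLOWED_HOSTS = ("self", "donate.example-platform.com")  # assumed

SAMPLE_PAGE = """<!doctype html>
<html><body>
<h1>Donate</h1>
<form action="https://donate.example-platform.com/checkout" method="post">
  <input name="amount"><button>Give</button>
</form>
<script src="https://donate.example-platform.com/widget.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://donate.example-platform.com/helpers.js"></script>
<script src="https://cdn.unknown-analytics.example/t.js"></script>
<script>console.log("constructed inline script");</script>
<form action="https://collect.unknown-analytics.example/submit" method="post"></form>
</body></html>
"""


def _host(url: str) -> str:
    """Hostname of an absolute URL, or 'self' for relative references."""
    return (urlparse(url).hostname or "self").lower()


class _DonationPageAudit(HTMLParser):
    """Collect (finding, detail) pairs for scripts and forms on the page."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings: list[tuple[str, str]] = []
        self._in_inline_script = False
        self._inline_parts: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src is None:                      # inline: capture its body
                self._in_inline_script = True
                self._inline_parts = []
            elif _host(src) not in self.allowed:  # script from unknown host
                self.findings.append(("unlisted-script-host", src))
            elif not a.get("integrity"):         # allowed host, but no SRI pin
                self.findings.append(("missing-sri", src))
        elif tag == "form":
            action = a.get("action") or ""
            if _host(action) not in self.allowed:
                self.findings.append(("form-posts-offsite", action))

    def handle_data(self, data):
        if self._in_inline_script:
            self._inline_parts.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            body = "".join(self._inline_parts).strip()
            if body:
                self.findings.append(("inline-script", body[:60]))


def audit_donation_page(html: str, allowed_hosts=ALLOWED_HOSTS) -> list[tuple[str, str]]:
    """Return every finding on the page, in document order."""
    parser = _DonationPageAudit(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


def is_clean(findings: list[tuple[str, str]]) -> bool:
    """A page passes only when nothing unexpected was found."""
    return not findings


if __name__ == "__main__":
    for kind, detail in audit_donation_page(SAMPLE_PAGE):
        print(f"{kind:22} {detail}")
```

Fetch the live page on a schedule (a cron job with curl is enough), run it through this audit, and alert on any change from the last clean run; a new inline script or a form that suddenly posts elsewhere is the detection you want long before a donor reports a fraudulent charge.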
Train volunteers and staff on charity impersonation and phishing — Educate staff and volunteers on how to respond when donors report receiving requests from fake accounts impersonating your charity. Establish a clear process: monitor for impersonation (Google your charity name regularly, report fake accounts to platforms promptly), and provide donors with a clear statement on your official website about how your charity requests donations.
Conduct an annual security review — use the ASD Small Business Cyber Security Guide — The ASD's ACSC provides free cybersecurity guidance specifically for small organisations. The Small Business Cyber Security Guide at cyber.gov.au is an excellent starting framework. Conduct an annual review against this checklist and document your actions — this demonstrates reasonable steps under the Privacy Act and responsible governance under the ACNC Standards.
Backup all client management and financial data daily, offline — Daily backups of case management data, donor records, financial systems, and grant documentation, stored offline or in an isolated cloud backup, are the primary defence against ransomware. Many NFPs rely on cloud-based systems (Salesforce for Nonprofits, Infoodle, MYOB) — confirm your backup strategy covers these cloud platforms, not just local files.
How Much Does Cybersecurity Cost for a Non-Profit?
The good news: Microsoft and Google nonprofit programs provide commercial-grade security tools at zero or minimal cost. For a small-to-mid NFP (under 50 staff/volunteers with IT access):
- Microsoft 365 Business Premium (nonprofit rate): AUD $0–$5 per user/month — includes MFA, endpoint management, email security, and cloud backup. For 20 users: ~$1,200/year or less.
- Annual security assessment: AUD $2,000–$8,000 (some cybersecurity providers offer nonprofit discounts).
- Staff/volunteer cybersecurity training: AUD $500–$3,000 per year (free resources available from ASD's ACSC).
- Donation platform PCI-DSS compliance: AUD $0 additional if using Raisely, Funraisin, or similar compliant platforms.
- Total: AUD $3,000–$15,000 per year for a solid baseline — a tiny fraction of most NFP budgets.
The cost of a breach — ransomware disrupting service delivery, grant fraud, or client data disclosure — can be devastating for an NFP both financially and reputationally. Government funders who discover inadequate security practices may terminate grants. Donors who lose trust after a breach may never return.
FAQ
For most Australian charities and NFPs, a solid security baseline costs AUD $3,000–$15,000 per year — significantly less than comparable commercial organisations, thanks to Microsoft and Google nonprofit pricing. MFA on email and financial systems, daily backups, and annual security training are the three highest-impact, lowest-cost controls. Apply for Microsoft 365 Business Premium or Google Workspace for Nonprofits before spending anything else.
Business Email Compromise (BEC) targeting grant payments and payroll is the most financially devastating threat, while ransomware targeting client management systems is the most operationally devastating. Both are prevented primarily by: MFA on all email accounts, and a verbal verification process for any payment change. These controls cost almost nothing to implement.
ISO 27001 is rarely required for small NFPs but is increasingly expected by: government agencies providing large grants with data security conditions, healthcare funding bodies, NDIS Commission for registered providers, and as part of ACNC governance for larger charities managing significant personal data. For NFPs managing sensitive client data (DV survivors, mental health clients, NDIS participants), ISO 27001 provides a structured framework for demonstrating the responsible governance expected by both regulators and funders.
Annual security assessments are recommended for NFPs with digital case management systems, online donation processing, or government grant obligations. Full penetration testing is most relevant for larger NFPs (50+ staff) and those managing sensitive health or disability data. The ASD ACSC's free Small Business Cyber Security Guide provides an accessible starting point for organisations without security expertise.
If client personal information is compromised, the OAIC must be notified within 30 days if serious harm is likely — the same obligation that applies to commercial organisations, regardless of NFP status. ACNC may investigate the governance response. Government funding bodies must be notified if grant data or systems were affected. The most immediately devastating consequence is often service disruption — clients who depend on the NFP's services lose access during the recovery period. Engage a cybersecurity incident response specialist promptly, notify your insurer, and communicate transparently with stakeholders.
References
[1] Australian Signals Directorate, "Annual Cyber Threat Report 2024–25," ASD/ACSC, October 2025. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025
[2] Office of the Australian Information Commissioner (OAIC), "Notifiable Data Breaches Report: January to June 2024," OAIC, September 2024. [Online]. Available: https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-january-to-june-2024
[3] Australian Charities and Not-for-profits Commission (ACNC), "Cybersecurity and charities," ACNC, 2024. [Online]. Available: https://www.acnc.gov.au/charity/managing-charity/governance-hub/cybersecurity-charities
[4] Microsoft, "Microsoft for Nonprofits," Microsoft Corporation, 2024. [Online]. Available: https://www.microsoft.com/en-au/nonprofits
[5] Australian Government, "Privacy and Other Legislation Amendment Act 2024 (Cth)," Federal Register of Legislation, 2024. [Online]. Available: https://www.legislation.gov.au
[6] IBM Security, "Cost of a Data Breach Report 2024," IBM Corporation, 2024. [Online]. Available: https://www.ibm.com/reports/data-breach
[7] NDIS Quality and Safeguards Commission, "NDIS Practice Standards — Privacy and Dignity," NDIS Commission, 2024. [Online]. Available: https://www.ndiscommission.gov.au/providers/registration-ndis-providers/practice-standards-and-quality-indicators
[8] ASD's ACSC, "Small Business Cyber Security Guide," Cyber.gov.au, 2024. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/small-business-cyber-security/small-business-cyber-security-guide
[9] Australian Government, "Australian Charities and Not-for-profits Commission Act 2012 (Cth)," Federal Register of Legislation, 2012 (as amended). [Online]. Available: https://www.legislation.gov.au
[10] Google, "Google for Nonprofits," Google LLC, 2024. [Online]. Available: https://www.google.com/nonprofits/
Need help securing your Non-Profit or Charity? Book a free consultation with lilMONSTER — we offer accessible cybersecurity support for Australian community organisations.