Not-For-Profit cyber security best practice guide

3 minute read  06.12.2024 Jamie Dunn

A guide for the Not-For-Profit sector on how to secure their IT environment against cyber threats.


Key takeouts


  • Implement essential cyber security measures and education by working towards a minimum level of cyber security through frameworks like the Australian Cyber Security Centre's Essential 8.
  • Create and test an incident response plan to enhance effective decision making during a cyber security incident. Plans should include steps to take at each stage, communication strategies and how to notify regulators and stakeholders.
  • Maintain clear communication and understand agreements and insurance coverage: Establish regular open dialogue with your managed service provider to ensure you remain informed of the evolving health of your environment and the actions being taken.

In the ever-evolving landscape of cyber security, not-for-profit organisations are increasingly becoming targets for cybercriminals, with the Australian Cyber Security Centre reporting that the average cost of cybercrime for small to medium-sized businesses ranges from $46,000 to $100,000.

Given often limited resources and high reliance on community trust, it is crucial for these entities to adopt a robust cyber security posture. The checklist covers essential actions that can significantly bolster your organisation's defences against digital threats, from cultivating a culture of awareness and vigilance to implementing technical safeguards like Multifactor Authentication (MFA) and DMARC (Domain-based Message Authentication, Reporting & Conformance).

By following the actions in this checklist, your organisation can not only protect its valuable data and resources but also maintain the integrity and trust that is the cornerstone of your mission.

  1. Implement Multi-Factor Authentication (MFA) wherever possible, as this dramatically increases the difficulty for attackers to compromise accounts. Having an additional step of authentication severely limits an attacker's ability to impersonate a user. Requiring MFA for high-risk procedures, such as authorising large payments, can help protect your organisation.
  2. Adopt robust email hygiene by educating staff on phishing awareness, employing spam filters, implementing DMARC to validate emails, and ensuring email systems are frequently updated to mitigate security threats.
  3. Ensure your data backup schedule is sufficient for your operations. For example, if your backup schedule is weekly but your operations require data from the previous day to continue smoothly, this would not meet your operational requirements.
  4. Restrict administrative access to those users who require it as part of business as usual (BAU) operations. All other accounts should have limited privileges based on the access needed to perform their role, i.e. role-based access control (RBAC). Regular audits of accounts and roles should also be performed.
  5. Ensure that you understand which support services are included in your Service Level Agreements (SLAs) and which fall outside them. Services like Incident Response support are often classed as optional extras. The same applies to any cyber insurance you hold: many policies contain specific exclusions, or restrictions on how you must respond to an incident in order to remain covered, and services like Digital Forensics, which can help determine the source of an incident, are often classed as optional extras.
  6. Create an incident response plan which outlines exactly how to react to a live incident step-by-step, including contact details of relevant employees and support staff, as well as notification requirements to regulating bodies such as the Office of the Australian Information Commissioner (OAIC). This plan should be tested regularly under different scenarios to ensure staff understand their roles and responsibilities during stressful live incidents.
  7. Ensure cyber security education is regularly provided, specific to the threats relevant to your operations. Consider the biggest recurring threats to your organisation such as phishing, malware in emails or insecure devices connecting to your network and target these areas.
  8. At a minimum, meet maturity Level 1 of the Australian Cyber Security Centre's Essential 8 Framework by implementing the recommended controls throughout your environment, including on personal devices if they can access your work environment. This will often involve a conversation with your IT provider to inform them this is the minimum standard you wish to apply within your environment.
  9. Understand which security standard is being applied by your MSP or IT department, such as the Essential 8, ISO 27001, or NIST CSF, and understand the specific controls in use, along with how compliance is monitored and reported back to your organisation. To maintain the health of your environment, implement consistent and transparent communication with your MSP through regular meetings or monthly reports, to ensure actions taken for securing your environment align with your cybersecurity policies.
  10. Utilise free resources and guidance such as those provided by the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. These are aimed at bolstering cybersecurity for small businesses and explaining best practice for securing personal information, including steps not-for-profits can put in place to comply with retention and destruction obligations. These resources provide valuable guidance on best practices, risk assessment, and strategies for enhancing cyber resilience, and organisations are encouraged to take advantage of them to strengthen their cybersecurity posture without incurring additional expense.

For assistance in implementing these actions either internally or through your MSP, please contact MinterEllison to discuss how we can help to secure your IT environment.

Read our Cyber Security best practice guideline.

https://www.minterellison.com/articles/not-for-profit-cyber-security-best-practice-guide