Biting the cybersecurity bullet
30 November 2022 at 11:10 pm
What are the issues that need to be seriously considered if the sector wants to improve data security? David Crosbie explains.
A donor rang a CCA member this week indicating a willingness to contribute to the charity. His motivation was to support the cause, but he wanted to speak to the CEO about a condition that needed to be met if he was to donate his money.
He would only give to the charity if 100 per cent of the money was to be directed to the cause and none of his money would be spent on administration or fundraising.
The CEO spoke to me about this request expressing their concern. What should they do? Refuse the donation because it was such an ill-informed condition, or play along, agree to the terms even though they are impossible to truly meet, and try to ensure the money was spent appropriately?
My response was that the CEO needed to have an honest discussion with the donor and maybe raise the issue of cybersecurity.
CCA has spent quite a bit of time recently talking about cybersecurity, not only because it is a hot issue across all organisations, but also because there was an important data security related bill in the federal parliament.
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was passed this week, increasing the penalties for ‘serious or repeated data breaches’ from $2.2 million to whichever is the greatest of:
- $50 million
- 30 per cent of adjusted turnover for the period
- three times the financial gain from the misuse of data in the case of outstandingly shocking breaches.
As CCA pointed out to government and the senate committee reviewing the proposed bill, there are very few charities in Australia that would be able to survive if they had to pay a fine of $50 million or 30 per cent of their turnover. CCA argued that while there was clearly a need to strengthen data security in organisations, shutting down charities that might be targeted in a cyberattack was unlikely to help achieve this policy goal.
We lost the argument (as did the small business sector), but thankfully this is not the end of the story in terms of government regulation relating to penalties for breaches of the Privacy Act.
There is a review of the Privacy Act currently being undertaken within the Attorney-General’s Department, due to report by the end of the year. As Senator Murray Watt, the minister for agriculture and emergency management, indicated this week, “Reforms to clarify key definitions in the Privacy Act, develop a tiered penalty regime, provide greater clarity on the applications of penalties and enhance security guidelines are being considered through the Privacy Act review.”
CCA is hopeful that the review of enforcement and penalties for data breaches will address the need for a more proportionate and appropriate penalty regime for charities and NFPs.
There are two other important areas that need to be more seriously considered if we are to improve data security in the charities and NFP sector.
The first issue is the need for staff skills and training. A system is only ever as strong as its weakest link, and for many organisations the weakest link will be staff who are not well trained or alert to ways in which data breaches can and do happen. Some of the costliest cyberattacks have occurred through staff not adequately implementing safe data management practices. There are still many charities where staff are not practising even simple security measures like two-factor authentication rather than just a password login.
An Infoxchange survey of over 600 charities and NFPs found that over half do not offer cybersecurity training to their staff. This is clearly a much bigger threat to data security than the size of the penalty for breaching the Privacy Act.
A second important issue is: who pays? Training staff and ensuring data systems are secure is not a cost-free exercise. The biggest funders of charities in Australia are governments. Governments assume that the organisations they are contracting to offer services will be keeping their data secure, especially their client data. But how does this happen? Is cybersecurity factored into the funding contracts or the unit price of service delivery? If so, will the funding provided enable the organisation to regularly train all staff in cybersecurity and cover all the requirements to have secure data storage systems? I suspect most governments are still in denial about their exposure to data breaches through the charities and NFPs they contract to provide services.
Cybersecurity is a big concern across the charities and NFP sector, and rightly so. Malicious attacks on IT systems pose a real threat to organisations, their clients, donors, supporters and their communities. In Canberra recently, sensitive client details were stolen as part of a larger cyberattack, forcing an agency to relocate around 100 women and children who had sought refuge from domestic violence situations. This was a very costly exercise, and not just financially.
And so let me return to our generous donor who opposes having their money used in administration. Perhaps they would like their banking and personal details including their home address to be available online? Or, if they want their sensitive information to be secure, would they be willing to give just a small percentage of their donation towards having a secure data storage system and regular cybersecurity training for the staff?
Even if the donor is not concerned about cybersecurity, are they happy for the money to be badly spent, or would they like to see people trying to get the maximum benefit for the expenditure? Without adequate administration and on-costs, trained staff and good IT systems, how can organisations offer good services or know even the most basic information, like who is benefiting from their programs, who is missing out and how their outcomes could be improved?
The Pay What It Takes report highlights how smart investment in organisational capacity (including data systems) makes charities and NFPs stronger, more effective and more efficient.
While the threat of cyberattacks is a very unwelcome pressure on charities, the silver lining is that the need for data security clearly highlights why paying what it takes must be the bottom line in all charity and NFP funding.