
The hidden cyber risks NFPs cannot afford to ignore

February 4, 2026

Author: Penny Corkill

Partner Risk & Assurance


Not-for-profit (NFP) organisations hold extremely sensitive data about donors, vulnerable beneficiaries, volunteers, and staff, yet often operate with limited IT resources and expertise.

Not having the right cybersecurity controls in place can lead to financial loss and/or reputational damage; the time it can take to fix a problem is time better spent working on and in your business.

To better understand your cybersecurity risks and the right controls required, start by asking yourself these questions:

  • How secure is our valued information and data?
  • How much do we trust our suppliers to manage cybersecurity?

Understanding the environment

When NFP leaders think about cybersecurity, they often picture sophisticated external hackers targeting their systems.

The reality is far more mundane and closer to home:

  • Data from the Office of the Australian Information Commissioner indicates that approximately 30% of data breaches in Australia are caused by human error (i.e. well-meaning staff making innocent mistakes).
  • Trusted third-party vendors with inadequate security can become backdoors into your systems.
  • Without proper governance, the well-intentioned adoption of AI tools can introduce new vulnerabilities.

The challenge

Many NFPs focus their limited cybersecurity attention on preventing external attacks while remaining blind to the risks that are statistically most likely to harm them:

  • Staff inadvertently click phishing links or misconfigure systems, exposing sensitive beneficiary data.
  • Fundraising platforms, cloud service providers, and outsourced IT vendors have extensive access to systems but may not maintain the security standards organisations assume.
  • Well-meaning teams adopt AI chatbots or automation tools without considering data privacy implications or how these technologies might be exploited.

When breaches occur through these vectors, NFPs often discover that their contracts do not specify vendor security standards, that there is no process for reviewing staff access permissions, and that there is no governance framework for emerging technologies. The consequences are severe: loss of donor trust, regulatory penalties, operational disruption and, most critically, harm to the vulnerable people they serve.

Meanwhile, Boards and leadership teams struggle to understand risks they cannot see and have not been trained to recognise.

Understanding the threats to your NFP isn't about becoming a cybersecurity expert; it's about recognising where your real vulnerabilities lie so you can protect what matters most with the resources you have…

How can Centium assist you?

NFPs need practical frameworks for identifying and managing the cyber risks that exist within their own operations: risks from their people, their partners, and their technology choices.

This means moving beyond abstract fears about hackers to concrete understanding of how human error occurs, which vendors pose the greatest risk, and what governance questions to ask before adopting new technologies.

Centium recognises that while NFP leaders are skilled in their fields and passionate about their cause, they are not always IT specialists. Our approach doesn't require deep technical expertise, but it will provide meaningful protection against identified risks and safeguard those who trust you with their sensitive information.

Centium can help you identify the risks facing your operation and partner with you to manage those risks with good governance in the form of clear policies and controls.

Solutions that Centium may explore with you include:

  • Implementing insider threat controls through least-privilege access principles, regular access reviews, appropriate staff vetting for sensitive roles, and monitoring for unusual data access patterns that indicate error or misuse.
  • Establishing third-party risk management by enforcing security requirements in vendor contracts, conducting regular reviews of critical suppliers (especially fundraising platforms and data processors), ensuring encryption and breach notification clauses, and maintaining an inventory of which vendors access what data.
  • Developing AI governance frameworks before adopting new technologies, including transparency about AI usage, vendor oversight processes, human oversight requirements, and assessment of how AI tools handle sensitive beneficiary data.
  • Building targeted defences against common threats like ransomware (network segmentation, anomaly detection) and business email compromise (multi-factor approval for financial transfers, training finance teams on red flags).
  • Creating simple incident response plans that staff can use when something goes wrong, ensuring quick containment and clear communication pathways.

If you're interested in strengthening your NFP's governance and risk management, follow our series of articles:

  1. Misconduct in NFPs: Creating a Proactive Risk and Conduct Culture
  2. Are you confident of recognising the early signs of misconduct within your NFP?
  3. Misconduct doesn't always start with bad intent: Why governance matters for every not-for-profit organisation
  4. Protecting your mission: Financial misconduct prevention strategies for NFPs
  5. Breaking the silence: Creating safe reporting channels for misconduct in NFPs
  6. When misconduct occurs: A practical guide to conducting effective investigations in NFPs
  7. How to avoid Board failure: Understanding Director duties in NFP governance
  8. Safeguarding your mission: How proactive prevention protects your NFP's reputation and maintains community trust
