By Penny Corkill
Partner Risk & Assurance
For many Not-for-profit (NFP) organisations, dealing with cybersecurity can feel overwhelmingly complex and expensive, yet the consequences of a breach – lost donor trust, regulatory penalties, compromised beneficiary data – can be catastrophic.
Many NFPs respond by doing either too little (basic password protection and hoping for the best) or attempting enterprise-grade security programs they cannot sustain. The reality is that effective cybersecurity doesn't require unlimited budgets or dedicated IT teams. A simple way to start thinking about your cybersecurity risks and the level of protection required is to ask yourself these questions:
This will help you "right-size" your cybersecurity, i.e. implement fundamental protections proportionate to your organisation's scale, risk profile, and resources, starting with achievable baseline measures and building incrementally as you grow.
Understanding the environment
NFPs can often struggle to navigate the gap between cybersecurity best practice (designed for large corporations) and their actual capacity. Leadership teams feel paralysed by not knowing where to start, what's truly necessary versus "nice to have," or how to justify cybersecurity spending when funds are desperately needed for direct service delivery.
Some organisations invest in expensive tools they don't properly implement or maintain; others avoid the issue entirely, leaving critical systems unprotected. Staff lack basic training on recognising phishing attempts or handling sensitive data securely. Boards receive either no cybersecurity reporting or technical updates they cannot meaningfully assess.
When incidents occur – ransomware attacks, data breaches, business email compromise – organisations discover their backup systems don't work, their incident response "plan" is a vague document no one has practised, and they have no clear understanding of what data was compromised. The result is disruption to daily operations, reputational damage, regulatory scrutiny, and most critically, potential harm to the vulnerable people whose data has been exposed.
The challenge
NFPs need clear, practical guidance on what cybersecurity measures are genuinely necessary for their specific operation, and how to implement them without requiring specialist expertise or corporate budgets.
This means understanding the difference between fundamental cyber hygiene (essential for everyone) and advanced controls (needed only for specific risk profiles), knowing where to find free or low-cost resources designed for their sector, and building security incrementally with a roadmap that grows alongside organisational capacity. NFPs also need a Board-appropriate reporting framework that positions cybersecurity as an effective strategic risk management tool rather than incomprehensible IT jargon.
Cybersecurity can no longer be viewed as an unaffordable luxury, but rather as essential infrastructure that protects an organisation's work and the people it serves. Done well, this approach will go a long way towards protecting an NFP's operations and sensitive data.
How can Centium assist you?
Centium aims to help liberate NFP leaders from cybersecurity paralysis by providing a clear, achievable path forward that fits their operating environment and budget.
We can partner with you to shift the mindset from "we cannot afford proper cybersecurity" to "we can build proportionate protection that grows with us," and from "this is too technical and overwhelming" to "these are manageable steps we can implement now." We can demonstrate that right-sized cybersecurity is both achievable and essential.

Solutions that Centium may explore with you include:
To learn more about our Cybersecurity, data governance and information management services please email: info@centium.com.au
If you're interested in strengthening your NFP's governance and risk management, follow our series of articles: