Enterprise-grade protection on a charity budget — so donor data stays safe, grant obligations are met, and your mission keeps moving.
Australia's 63,000-plus registered charities collectively hold enormous volumes of donor, volunteer, and beneficiary data. Lean security budgets, high volunteer turnover, and a culture of trust make not-for-profits an attractive and often under-defended target. The numbers are stark.
Not-for-profits face the same threat actors as corporates, but with fewer controls in place to stop them. Understanding the realistic threat picture is the first step to spending your security budget wisely.
Regulatory expectations for NFPs are tightening. Understanding what applies to your organisation is essential — and good governance is the foundation of donor and funder trust.
Key benchmarks for Australian NFP cyber security.
You do not need an enterprise IT team to achieve meaningful security uplift. The ACSC Essential Eight provides a proven, prioritised framework, and several of the most effective controls cost relatively little to implement — especially with the right partner and nonprofit-discounted licensing.
MFA on every email, cloud, and admin account is the single highest-impact control you can implement. It blocks the overwhelming majority of credential-based attacks. For NFPs with volunteer turnover, MFA also limits the damage when accounts are not promptly deprovisioned.
Keeping operating systems, browsers, and applications updated closes the vulnerabilities ransomware and malware exploit. Pair this with managed endpoint detection and response (EDR) for real-time threat visibility across every device your team uses.
Offline, tested backups are your last line of defence against ransomware. The 3-2-1 rule — three copies, two media types, one offsite — should be standard. We help you implement immutable cloud backup so ransomware cannot encrypt your recovery data.
Centralised identity via Microsoft Entra ID (included in nonprofit-licensed Microsoft 365) lets you provision and deprovision volunteers instantly, enforce least-privilege access, and maintain audit trails for ACNC and grant reporting purposes.
Domain-based message authentication (DMARC, DKIM, SPF) prevents criminals from spoofing your domain. Advanced email filtering catches phishing and malicious attachments before they reach inboxes. Payment-redirection risk is further reduced by verification workflows and dual-approval controls.
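The SPF and DMARC settings mentioned above can be checked automatically. The following Python is an added example, not Cryptiq's own tooling, that grades a domain's published TXT records and flags the settings that still let criminals spoof the domain. The record values are constructed for a fictional charity domain (example.org.au); live values would come from DNS TXT lookups of the domain itself and of _dmarc.<domain>.

```python
"""Grade published SPF and DMARC TXT records for resistance to domain spoofing (constructed samples at bottom)."""
import re

# Each of these SPF mechanisms consumes one of the ten DNS lookups RFC 7208 permits per evaluation.
LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr|exists:|redirect=)", re.I)
ALL_RE = re.compile(r"^([+\-~?]?)all$", re.I)

def check_spf(record: str) -> list[str]:
    # Returns findings; an empty list means the record enforces.
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or does not start with v=spf1"]
    findings, lookups, qualifier = [], 0, None
    for term in terms[1:]:
        lookups += bool(LOOKUP_RE.match(term))
        if m := ALL_RE.match(term):
            qualifier = m.group(1) or "+"  # a bare 'all' means pass (+)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10, so receivers return permerror")
    if qualifier is None:
        findings.append("SPF: no 'all' term, so unlisted senders get a neutral result")
    elif qualifier == "~":
        findings.append("SPF: ~all only soft-fails unlisted senders; use -all once every legitimate source is listed")
    elif qualifier in ("+", "?"):
        findings.append(f"SPF: {qualifier}all lets any host send as your domain")
    return findings

def check_dmarc(record: str) -> list[str]:
    # DMARC is 'tag=value; tag=value; ...'; parse into a dict keyed by lower-cased tag name.
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record missing or does not start with v=DMARC1"]
    findings, policy = [], tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} only monitors; spoofed mail is still delivered")
    if tags.get("sp", "reject").lower() not in ("quarantine", "reject"):  # absent sp= inherits p=, covered above
        findings.append(f"DMARC: sp={tags['sp']} leaves subdomains spoofable even when p= is strict")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports showing who spoofs you")
    return findings

# Constructed records for a fictional charity domain: a common weak set-up beside the hardened one.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.org.au"
HARD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
HARD_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.org.au"
```

DKIM is not graded here because its selector records can only be looked up when you know which selectors your mail platform signs with. Running the two check functions over the weak pair reports the soft-fail SPF and the monitor-only DMARC policy; the hardened pair returns no findings.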
With only one in five NFPs conducting regular training, this is a major gap. Simulated phishing exercises, short video modules, and tailored volunteer onboarding security briefings are cost-effective ways to build a human firewall across your entire team.
Cryptiq Cybersecurity is an Australian MSSP and MSP built for small and mid-sized organisations. We work with NFPs to deliver right-sized, grant-friendly security programs that grow with your organisation — without surprising you with unexpected costs.
One fixed monthly plan covering helpdesk, device management, Microsoft 365 with nonprofit licensing, and proactive maintenance — so your team can focus on mission, not IT problems.
MFA, endpoint protection, email security, vulnerability management, and security awareness training. Aligned to the ACSC Essential Eight and mapped against Privacy Act APP 11 obligations. Designed to satisfy grant-body and funder security requirements.
Microsoft offers substantial nonprofit licensing discounts and grants for eligible organisations. We help you access, deploy, and harden Microsoft 365 — including Defender, Entra ID, and Purview — to protect donor data and meet your compliance obligations affordably.
24/7 security monitoring, detection, and response without the cost of an in-house security team. Our SOC analysts investigate alerts in real time so threats are contained before they escalate to a data breach or ransomware event.
A virtual Chief Information Security Officer gives your board and leadership team the expert guidance needed to satisfy ACNC governance obligations, respond to funder security questionnaires, develop an incident response plan, and build a security roadmap that fits your budget cycle.
Your donation forms, event registrations, and volunteer portals handle sensitive data and card payments. We design and harden NFP websites with PCI-compliant payment integration, SSL/TLS, WAF protection, and regular vulnerability scanning.
We assess your current environment, identify your highest risks (email, identity, backups, donor data), and map gaps against the ACSC Essential Eight and your Privacy Act obligations — at no cost and no obligation.
We produce a prioritised roadmap that fits your budget cycle and addresses funder or grant requirements. Controls are sequenced by impact, not cost. You choose what to implement and when.
We deploy controls — MFA, endpoint protection, backups, email security, Microsoft 365 nonprofit licensing — with minimal disruption. Fixed monthly pricing means no billing surprises for your finance team or board.
We manage your security environment, provide board-ready reporting, respond to incidents, and keep your posture aligned to evolving obligations — including new Privacy Act reforms and ACNC compliance requirements as they emerge.
It depends on your annual turnover and the type of data you handle. Charities with annual turnover above $3 million, or those that handle health information, are covered by the Privacy Act and its 13 Australian Privacy Principles (including APP 11, which requires active security measures). Proposed reforms may remove the small-business exemption entirely, meaning all registered charities could be covered in future. We recommend assessing your obligations now rather than waiting for reforms to pass.
The NDB scheme requires organisations covered by the Privacy Act to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm — within 30 days of becoming aware (proposed reforms may shorten this to 72 hours). If you hold donor, health, or financial data and meet the turnover threshold, you are likely covered. Cryptiq can help you build a documented breach response plan so you are ready to respond quickly and lawfully.
Yes. Microsoft offers substantial discounts and grants on Microsoft 365 for eligible Australian not-for-profits — including Business Premium, which includes Microsoft Defender and Entra ID — at a fraction of standard commercial pricing. We help you assess eligibility, apply for nonprofit licensing, and deploy and harden the environment so you get both cost savings and strong security from day one.
Centralised identity management via Microsoft Entra ID allows accounts to be provisioned and deprovisioned quickly, with MFA enforced on all accounts and least-privilege access as standard. We also implement offboarding checklists and automated access reviews so that when a volunteer leaves, their access is removed promptly — closing a common vector for account takeover and data misuse.
Do not action any payment or banking-detail change via email alone. Establish a dual-approval, out-of-band verification process for all changes to supplier, grant-body, or donor payment details — for example, a callback to a known phone number. Report the suspicious email to the Australian Signals Directorate via ReportCyber (cyber.gov.au). Cryptiq can help you implement technical controls (DMARC, advanced email filtering) and process controls that significantly reduce BEC risk.
Absolutely. We assist NFPs in documenting and implementing the security policies, controls, and plans that grant bodies, government funders, and philanthropic partners increasingly require. This includes an information security policy, incident response plan, Essential Eight assessment, and evidence of controls such as MFA and backup testing. Our vCISO service is specifically designed for organisations that need security leadership without the cost of a full-time CISO.
Book a free, no-obligation security review tailored to Australian not-for-profits and charities. We will identify your highest risks and show you what good security looks like on a charity budget.