Cybersecurity Is Now a Board-Level Responsibility for Not-for-Profits

For not-for-profit leaders, risk oversight has always been a core responsibility. Financial governance, regulatory compliance and reputation management regularly feature on board agendas. Increasingly, cybersecurity belongs firmly alongside them, and the need to act has never been more pressing. Recent Australian Cyber Security Centre reporting shows not-for-profits are among the fastest-growing targets for cybercrime, driven by limited security maturity and the high value of personal and donor data. 
 
Digital systems now underpin almost every aspect of not-for-profit operations, from service delivery and case management to fundraising, payroll and donor engagement. With this reliance comes exposure. Cyber incidents are no longer isolated IT issues; they are organisational events that can disrupt essential services, compromise sensitive data, and rapidly erode community trust. 
 
Importantly, the Australian Charities and Not-for-profits Commission makes it clear that boards are responsible for identifying and managing material risks, including those related to technology and data. In this context, cybersecurity is not optional or future-focused — it is a current governance obligation. For CEOs and board members, the question is no longer whether cybersecurity matters, but whether the organisation is doing enough now to meet its duties, protect its beneficiaries, and remain a trusted steward of public and donor confidence. 
 
Why Cyber Risk Demands Leadership Attention 
 
Australian not-for-profits are being targeted with growing frequency by cybercriminals. Limited budgets, ageing systems, and lean internal teams can make the sector particularly vulnerable. At the same time, NFPs often hold highly sensitive personal and financial information relating to donors, staff, and vulnerable communities. 
 
A cyber incident can have far-reaching consequences. Beyond operational disruption, there may be legal, regulatory, and reputational impacts. Loss of trust can affect donor confidence, funding relationships and community engagement long after systems are restored. 
 
Importantly, regulators and insurers increasingly expect boards to demonstrate active oversight of cyber risk. Cyber resilience is now viewed as part of an organisation’s duty of care and good governance. Delegating responsibility solely to IT is no longer sufficient. 
 
From Technical Issue to Strategic Risk
 
Many organisations still rely on traditional, perimeter-based security models that assume anything inside the network is trusted. This approach reflects a time when staff worked primarily from offices, and systems were largely on-premises. 
 
That environment no longer exists. 
 
Hybrid work, cloud platforms, and mobile access have changed how people interact with systems and data. Staff, volunteers and partners access information from multiple locations and devices. Once a single account is compromised, legacy security models offer limited protection. 
 
This has led many organisations to adopt a Zero Trust approach to cybersecurity. 
 
Zero Trust operates on a simple principle: trust is never assumed. Every user, device and access request is verified, regardless of location. Access is limited to what is necessary, reducing the potential impact of breaches and improving visibility for leadership. 
 
For boards and executives, Zero Trust provides a framework that aligns cybersecurity with risk management, accountability, and organisational resilience.
 
A Practical Example: How Settlement Services International (SSI) Strengthened Its Digital Foundations 
 
Settlement Services International (SSI), a leading Australian not-for-profit supporting culturally diverse communities, set out to modernise its technology in a way that strengthened governance, reduced risk, and ensured more funding could be directed to mission delivery. 
 
Its existing on-premises environment limited flexibility and made it difficult to maintain consistent oversight as the organisation grew. From a board perspective, visibility over access, data protection and security controls was fragmented, increasing operational and compliance risk. 
 
Working with FUJIFILM IT Services, SSI moved to a cloud-based environment designed to simplify oversight and support a distributed workforce. More than 1,000 staff were enabled to work securely across 25+ sites, with clearer controls over who could access systems and data. 
 
Critically, retiring legacy infrastructure reduced ongoing costs and management effort. This allowed SSI to redirect funds and internal resources away from maintaining technology and into frontline services and community programs, directly supporting its purpose. 
 
At the same time, SSI strengthened its overall security posture in line with modern governance expectations, giving board and executive leaders greater confidence that digital risks were being actively managed. 
 
The full case study outlines how SSI approached this transformation and the outcomes achieved. 
 
The Right Starting Point for Boards and Executives 
 
For many leadership teams, the challenge is not recognising cyber risk but understanding where the organisation currently stands and what actions will have the greatest impact. 
 
FUJIFILM IT Services offers a complimentary Zero Trust Assessment designed to give CEOs and boards clear, practical insight into their organisation’s cyber maturity.
 
The assessment helps leaders: 
Understand current cyber risk exposure in plain business terms 
Identify priority gaps aligned to Zero Trust principles 
Support informed investment and risk decisions 
Demonstrate active governance and oversight 
 
It is obligation-free and tailored to the operational realities of not-for-profit organisations. 
 
Learn more about the Zero Trust Assessment here. 
 
Leadership Sets the Tone for Cyber Resilience 
 
Cybersecurity is no longer a technical discussion reserved for specialists. It is a leadership issue which requires board-level visibility and executive sponsorship. 
 
By taking a proactive, structured approach to cyber risk, not-for-profit leaders can protect their organisations, maintain trust and ensure continuity of services for the communities that rely on them.
 
In today’s environment, strong governance means understanding cyber risk and acting before an incident forces the issue. 

Jason Wornham

Jason is the General Manager for Business Solutions at FUJIFILM Business Innovation Australia. With more than 25 years’ experience driving transformation across IT services and automation, he leads a high-performing business delivering Managed IT, Cybersecurity and Process Automation solutions to organisations.

He is also President of Night Ninjas Inc., a Queensland charity providing frontline support to vulnerable community members - a role that reflects his belief in leadership as service. Jason is passionate about empowering people, building capability, and reshaping organisations to be more adaptive, resilient, and human-centred.

His work makes technology meaningful - helping businesses thrive while contributing positively to society. He continues to champion innovation that drives both business success and social good.
