Prevention, the New Paradigm in Risk Management for SMEs and Non-Profits 

Prevention, the New Paradigm in Risk Management for SMEs and Non-Profits

In an era defined by rapid technological advances and an increasingly interconnected global economy, the approach to risk management for SMEs and non-profits has never been more critical. 

The axiom “an ounce of prevention is worth a pound of cure” resonates profoundly in today’s business landscape, where the fallout from reactive measures can dwarf the investment in proactive risk management.

The stakes are high, and the margins for error are slim. 

For organisations operating in this high-stakes environment, adopting a forward-looking stance on risk management is not just prudent—it’s imperative. 

It’s about shifting from a culture of response to a culture of anticipation, where potential threats are not just identified but are actively mitigated before they can impact the organisation.

This proactive approach to risk management involves a comprehensive understanding of the unique vulnerabilities and threats that an organisation faces, from cybersecurity breaches and compliance failures to supply chain disruptions and reputational damage. 

It requires a commitment to continuous monitoring, a willingness to invest in the latest technologies and practices, and, most importantly, a strategic mindset that views risk management as an integral component of the organisation’s overall strategy.

For leaders of SMEs and non-profits, the message is clear: the cost of inaction can far exceed the cost of prevention. 

In a world where the unexpected can become the norm, investing in a proactive risk management strategy is not just a safeguard—it’s a competitive advantage, ensuring not only the resilience but also the longevity and success of the organisation.

How does/would an Australian nonprofit organisation know what happened in a cyber event?

When a nonprofit organization in Australia experiences a cyber event, it is essential to determine what happened and how the incident occurred.

This process is known as a post-incident analysis or investigation.

Here are some steps that nonprofits can take to determine what happened in the event of a cyber event:

Identify the cause:

Nonprofits should work to identify the cause of the cyber event, including whether it was the result of a human error, a technical vulnerability, or a malicious attack.

This may involve reviewing system logs and other data sources.

Analyze the impact:

Nonprofits should analyze the impact of the cyber event, including what data was compromised, what systems were affected, and what operational and financial losses were incurred.

Collect evidence:

Nonprofits should collect evidence related to the cyber event, including system logs, network traffic data, and any other relevant data sources.

This evidence can be used to determine the cause of the incident and identify potential culprits.

Conduct a root cause analysis:

Nonprofits should conduct a root cause analysis to determine the underlying cause of the cyber event.

This may involve reviewing policies and procedures, as well as conducting interviews with staff.

Review security measures:

Nonprofits should review their security measures to identify any weaknesses or gaps in their defenses that may have contributed to the cyber event.

Make improvements:

Nonprofits should take steps to improve their security measures and response plan to prevent future cyber events.

Document findings:

Nonprofits should document their findings and any remediation efforts taken to prevent future incidents.

This documentation can be used to demonstrate due diligence and compliance with regulations.

Nnonprofits can work out what happened in the event of a cyber event by identifying the cause, analyzing the impact, collecting evidence, conducting a root cause analysis, reviewing security measures, making improvements, and documenting findings.

By taking a systematic approach to investigating cyber events, nonprofits can learn from the incident and take steps to prevent future incidents.

How does an Australian nonprofit get back to business as normal after a cyber event?

Getting back to business as normal after a cyber event can be a challenging process for any organization, including nonprofit organizations in Australia.

Here are some steps that nonprofits can take to resume operations after a cyber event:

Restore critical systems:

Nonprofits should prioritize restoring critical systems and data first.

This may involve rebuilding or repairing IT systems and data backups.

Conduct security assessments:

Nonprofits should conduct security assessments to identify any vulnerabilities and ensure that security measures are up to date.

This may involve hiring a cybersecurity expert to perform an assessment or using a security software tool.

Communicate with stakeholders:

Nonprofits should communicate with stakeholders, including donors, partners, and staff, about the incident and its impact.

This can help maintain trust and transparency with the organization’s supporters and minimize reputational damage.

Review response plan and policies:

Nonprofits should review their response plan and policies to identify areas for improvement.

This can include revising the response plan to address any weaknesses identified during the incident.

Provide training and education:

Nonprofits should provide ongoing training and education to staff to ensure they are aware of the latest cyber threats and know how to prevent future incidents.

Monitor systems:

Nonprofits should monitor their IT systems and data for any unusual activity or anomalies.

This can help identify potential security incidents before they become major problems.

Review insurance coverage:

Nonprofits should review their insurance coverage to ensure they have adequate coverage in the event of a future cyber incident.

Recovering from a cyber event can be a complex and time-consuming process.

Nonprofits can benefit from seeking advice and assistance from cybersecurity experts and regulatory authorities to ensure they are taking appropriate steps to resume operations and prevent future incidents.

By taking proactive steps to prevent cyber incidents and being prepared to respond if an incident occurs, nonprofits can minimize the impact of cyber threats and continue to fulfill their mission.

How does a non profit organisation recover from a cyber event?

Recovering from a cyber event can be challenging for any organization, including non-profit organizations in Australia.

Here are some steps that non-profit organizations can take to recover from a cyber event:

Containment and assessment:

The first step in recovering from a cyber event is to contain the incident and assess the damage.

This may involve disconnecting affected systems from the network and determining what data has been compromised.

Response plan activation:

Non-profit organizations should have a response plan in place for cyber incidents, which outlines the steps to be taken in the event of an attack.

This plan should be activated as soon as the incident is detected to ensure a timely and coordinated response.


If personal data has been compromised, non-profits may need to notify affected individuals and regulatory authorities, such as the Office of the Australian Information Commissioner (OAIC), under the Notifiable Data Breaches (NDB) scheme.

Non-profits should follow the guidelines set out by the OAIC regarding the content and timing of data breach notifications.


Non-profits should communicate with stakeholders, including donors, partners, and staff, about the incident and its impact.

This can help maintain trust and transparency with the organization’s supporters and minimize reputational damage.

Recovery and restoration:

Non-profits should work to restore affected systems and data, including implementing data backups, patching vulnerabilities, and updating security measures.

Non-profits should also review their response plan and security measures to identify areas for improvement.

Review and prevention:

Once the organization has recovered from the cyber event, it’s important to review the incident and identify areas for improvement.

Non-profits should also take steps to prevent future cyber incidents, including implementing stronger security measures and providing ongoing training and education to staff.

Recovering from a cyber event can be a complex and time-consuming process.

Non-profits can benefit from working with cybersecurity experts and seeking advice from relevant regulatory authorities to ensure they are taking appropriate steps to recover and prevent future incidents.

Why your charity is a great target for cybercriminals

You are doing a great job.   You manage, support a small charity, not for profit organisation and love what you do.

Your primary focus is to get as much done for your charity.   It could be donations, volunteers or grants but all for your primary charity focus.

Your whole role is to make sure that as much money goes through to the people in need.

Now I want you to step back and answer a couple of questions.

  • What would happen to all those good intentions if you got hacked?
  • How many of your supporters would you lose if you got hacked?
  • What would happen to your reputation if you got hacked?

But, it would not happen to you, would it?

Let me tell you a not so secret secret!

You are a target!

Maybe not a target of a full-blown black hat attack but you are a target none the less.  The analogy that I use is “what is the chance that a black belt martial arts person is going to beat you up?” Probably very remote!

When it comes to a cyber event, the black hat attacker is not the problem.

The problem is the hugely available and easy to use automated systems that are available for any person with an inclination to use them.

These automated systems create malware, deliver it, track it, monitor it, manage the stages of an attack and manage and control the money being made.   All a “ hacker” has to do is be willing and ethically capable and pull that trigger.

The risk to your charity organisation is significant.

Our attitude to the digital world as it is just a tool and anyone can use it is having a huge negative impact on business because it is not.

I can guarantee that your charity has a board, it has used a legal company for the structure and has an accountant to look at the books, but the most essential component of the organisation is what you put into the digital world.

From desktop computers to smart devices and cloud-based systems and services, the digital world is all around us.

We treat it like the normal world, that is bad.   Theft in the real world is seen and actioned, in the digital world, it is not.   I could have access to all of your data and you may not even know it is happening.

You need to talk to a MBSSP to bring your organisation to a level where your business security will protect the organistion, the data, the users but most importantly your clients, volunteers and supporters.

Without them you cannot function as a charity, and all your good intentions will disappear.

The best way to find out how vulnerable to a cyber event your organisation is.   Use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings