
Despite this, the responsibility for managing the consequences still sat squarely with the organisation. Boards and leadership teams were required to respond to privacy obligations, communicate with affected clients and stakeholders, and protect trust, often with incomplete or evolving information.
From what we are seeing, these events are prompting many not-for-profit leaders to pause and reflect on how well prepared they really are.
Not-for-profit organisations are often custodians of deeply sensitive information, including:
A breach of this information can have real consequences for the people you support, not just the organisation itself.
Much of this information is held in third-party systems such as case management platforms, CRMs, and finance, HR and Health and Safety tools. These systems are essential to delivering services efficiently and at scale.
However, reliance on external platforms also creates dependency. When something goes wrong within a vendor’s environment, it is rarely the vendor who must front the response. In our experience, the organisation is still the one working through the impact, meeting privacy obligations, supporting affected people, and maintaining trust.
Cyber security is often treated as a technical problem. In practice, the most significant risks we see tend to build quietly through gaps in ownership, access, and oversight rather than a single technical failure.
Common issues include:
These are not issues that sit solely with IT teams. They are matters of leadership, oversight, and accountability.
If recent events have caused your organisation to reflect, the following questions offer a practical starting point.
Do we know which systems hold our most sensitive information?
Many organisations underestimate how many platforms store personal or confidential data. We often find this only becomes fully visible when something goes wrong, which is not the ideal time to be mapping it out.
Is there a clear owner for each critical system?
Every key system should have an internal owner who is accountable for access, security settings, and vendor engagement. Without clear ownership, risks can sit unnoticed for long periods.
Are we confident that access is appropriate today?
Have user accounts been reviewed recently? Are there people with access who no longer require it? Are administrator privileges limited to a small, trusted group?
This is one of the most common areas where we see simple improvements make a meaningful difference.
Are strong protections such as multi-factor authentication enabled?
Multi-factor authentication significantly reduces the risk of unauthorised access. If it is available but not enabled, this represents a manageable and unnecessary risk.
Do we understand our vendors’ security responsibilities?
Boards should feel comfortable that management understands where data is hosted, how it is backed up, how incidents would be communicated, and what support would be available if something went wrong. We often find this is assumed rather than clearly understood.
If a platform we rely on was breached, would we know how to respond?
Who would lead the response? How would privacy obligations be assessed? How would clients, donors, staff, and other stakeholders be supported and informed?
These questions are far easier to answer before an incident occurs, and much harder to work through under pressure.
No organisation can remove cyber risk entirely. However, organisations that invest in clear ownership, sensible access controls, and basic incident readiness are far better placed to respond thoughtfully and responsibly when issues arise.
In our experience, preparation does not need to be complex. A small number of well-understood practices can make a significant difference.
For boards and leaders, this is not about alarmism or technical detail. It is about good stewardship, meeting obligations, and maintaining trust when people entrust your organisation with sensitive information.
If recent events have raised questions or concerns for your organisation, there are two straightforward next steps.
Do you need immediate assistance?
If your organisation is dealing with an active issue or a concern about a vendor, we can help you interpret what is happening, understand your obligations, and respond with confidence. If you would value a steady hand to think this through, we are here to help.
Would you like our practical white paper?
We have prepared a clear, non-technical white paper specifically for NFP leaders. It steps through how to think about third-party platforms, cyber security, and privacy responsibilities in a practical and manageable way. We are happy to share it. Just send us a quick email.