IronSights

Industries · Not For Profit

Cyber security for Australian not-for-profits.

Charities and not-for-profits hold donor records, financial details and information about the people they help, and they run on tight budgets with small teams. We help Australian organisations protect that data, get real value from their Microsoft nonprofit licences, and meet the obligations that funders and the Privacy Act put on them.

IronSights works with charities, foundations and community organisations across Australia. We are ISO 27001 and ISO 9001 certified, Microsoft certified, and based in Sydney. Australian-owned, and used to working within the funding a not-for-profit actually has.

Threat landscape

Why not-for-profits are targeted.

Attackers do not skip an organisation because it does good work. Charities hold exactly what a criminal wants: donor names, contact details, giving history, bank and card records, and often sensitive information about vulnerable people. They also tend to run on small IT budgets, with volunteers and staff who wear several hats, which means fewer controls and fewer people watching. That combination makes the sector an easy mark, and reporting from the ASD and others shows attacks on Australian charities and not-for-profits have climbed, with ransomware against the sector rising sharply through 2025.

Most incidents start the same quiet way. Someone is phished for their Microsoft 365 password, and that one login opens the mailbox, the shared files and the donor database behind them. From there the common play is business email compromise: the attacker reads the finance officer's email, waits, and sends a supplier or payroll payment to a new account that looks legitimate. The Infoxchange sector research has found most not-for-profits have no documented cyber plan and little staff awareness training, usually because budget goes to the mission first. That gap, more than any single piece of technology, is what gets organisations hurt.

Microsoft for nonprofits

Microsoft funds most of the licensing. We make it protect you.

Microsoft gives registered charities and not-for-profits a real head start on security, and most organisations never use it. If your organisation is eligible, Microsoft discounts Microsoft 365 Business Premium by around 75 percent, which brings a full business security stack down to a few dollars per user each month. The catch is that a licence is not protection. Buying Business Premium and turning it on are two different things, and the second one is where we come in.

The offer changed in 2025

The old free grant of Business Premium ended on 1 July 2025. Microsoft still grants up to 300 seats of Business Basic at no cost, but Basic has none of the security tools. Business Premium is now the discounted offer, and it is the one worth having, because it carries the parts that actually defend an organisation.

What Business Premium includes

Business Premium comes with Microsoft Defender for Business for your laptops and PCs, to manage and secure devices, and Plan 1 for and . On paper that is close to what a large enterprise runs. Left at default settings, most of it sits dormant and does very little.

Owning it is not the same as deploying it

This is the work we do. We turn on across every account, set rules, configure Defender so threats are actually blocked and alerted, and bring devices under so a lost laptop is not a lost donor database. The licence you are already paying a fraction for starts doing the job it was built for.

A path to Essential Eight and SMB1001

A properly configured Business Premium tenant lines up closely with the controls in the and with the certification tiers. For a not-for-profit, that turns a cheap Microsoft licence into a real path towards the security standard that government grants, insurers and corporate partners increasingly ask for. You get protection and the paperwork to prove it, without an enterprise budget.

How we help

How IronSights supports not-for-profits.

Organisations come to us for plain answers: where they are exposed, what to fix first, and how to show their board, their funders and their insurer that cyber risk is under control.

Fortify — managed security

We watch your systems around the clock and step in quickly when something is wrong, so your team can stay on the mission rather than on security alerts. You get steady improvement and a plain monthly report your board and treasurer can read. Built for organisations with no in-house IT security.

Microsoft 365 security

Most charities already run on , often on discounted nonprofit licences that were never fully set up. We turn on , , Defender and , and configure DMARC, DKIM and SPF so your domain cannot be spoofed. The result is far fewer ways in, from licences you already hold.

Audit and assurance

We measure your organisation against the and give you a documented baseline you can hand to funders, insurers and your board. If you are working towards for a grant or a contract, we map the shortest sensible path to the tier you need.

Penetration testing

External, internal and web application testing to a method, for organisations that need to prove their systems stand up. You get a report in plain English, clear fixes your IT support can action, and a free retest 30 days later to confirm the gaps are closed.

Incident response

Available 24 hours a day for , email fraud and data breaches. We handle containment, notification to the where the breach is notifiable, and the insurance paperwork, and we help you decide what to tell donors and the people you support.

Security reviews

Where most organisations start. We find your biggest gaps, show you where you stand against the Privacy Act and against funder expectations, and tell you what to fix first. No obligation to go further.

Compliance

The obligations that apply to your organisation.

Not-for-profits sit under a mix of legal duties and funder expectations. Most organisations are touched by at least two of these.

Privacy Act

APP obligations for charities

If your organisation turns over more than $3 million a year, the Privacy Act 1988 and the Australian Privacy Principles apply to you. Plenty of smaller organisations are caught too, including health service providers and any group that trades in personal information, so turnover alone does not settle the question.

The OAIC has updated its guidance for not-for-profits and charities. In short, donor data cannot be shared or sold without consent, it should not be kept forever, and any third-party fundraiser or software handling that data has to be checked. Good intentions are not a defence if the data is mishandled.

NDB Scheme

Notifiable Data Breaches

If you are covered by the Privacy Act and a breach is likely to cause serious harm, you must notify the OAIC and the people affected. Donor financial records and information about vulnerable clients clear that bar without much difficulty.

The obligation is to assess and notify promptly, not to wait and hope. Having a plan for who does what, and who starts the clock, is the difference between a controlled response and a scramble.

Essential Eight

Grant and contract eligibility

The Essential Eight is the ASD's baseline of eight practical controls, such as multi-factor authentication, patching and application control. No law forces it on a private charity, but it increasingly appears in government grant conditions and in contracts with larger partners.

If your organisation bids for government-funded work, being able to show Essential Eight progress is becoming part of the price of entry. It is also the clearest way to demonstrate to your board that cyber risk is being managed.

SMB1001

A certification funders recognise

SMB1001 is a tiered Australian cyber security certification, from Bronze through to Gold, designed for smaller organisations rather than large enterprises. It is recognised by insurers and funders, and it fits the not-for-profit, aged care and community sectors well.

For many charities it is a more realistic first target than a full ISO 27001 program. We help you reach the tier a specific grant, insurer or partner is asking for, and no more than that.

Common risks

What we see when we work with not-for-profits.

Donor database exposure

Your donor database is the single most valuable thing you hold, and it usually sits behind one Microsoft 365 login. If that account is phished and multi-factor authentication is not switched on, an attacker gets names, contact details, giving history and often payment records in one go. The fix is not complicated, but someone has to actually turn the controls on.

Payment redirection and BEC

Business email compromise is the attack that costs not-for-profits the most. Someone reads the finance officer's mailbox, then emails a change of bank details for a supplier, a grant recipient or payroll, timed so it looks routine. The money moves before anyone questions it and rarely comes back. Multi-factor authentication and a verify-by-phone habit on payment changes are what stop it.

Volunteer and staff turnover

Not-for-profits run on volunteers and often see people come and go. Accounts get created quickly and are rarely closed properly, so former volunteers and staff keep access to email, files and the donor system long after they have left. Every one of those forgotten accounts is a door that no one is watching.

Licences bought but never deployed

Many organisations hold discounted Microsoft Business Premium licences and run them on default settings, which means paying for security tools that are switched off. Defender is not blocking, conditional access is not set, devices are not managed. The protection was purchased and then left in the box.

Third-party fundraising and CRM platforms

Fundraising platforms, CRMs, email tools and payment providers all connect into your systems and hold copies of donor data. Each connection is a possible way in, and most organisations have no list of what is connected or what those tools are allowed to reach. When one of them is breached, your donors are exposed through no fault of your own systems.

No tested incident response plan

Most organisations have never worked out what they would do in the first hour of a breach. When it happens, no one is sure who calls the insurer, when the OAIC obligation starts, or what to say to donors. A short, tested plan turns a panic into a process.

Common questions

Asked by organisations like yours.

Not in this list? Call us on 1300 004 766 or book a 30-minute consultation. No obligation.

  1. Does the Privacy Act apply to our charity?

    If your organisation turns over more than $3 million a year, yes, and the Australian Privacy Principles apply in full. Smaller organisations are often caught too, particularly if you provide a health service or handle personal information as part of your work. If you are not sure which side of the line you sit on, it is worth checking rather than assuming you are exempt.

  2. Is our organisation eligible for Microsoft's nonprofit offers?

    Generally yes if you are an ACNC-registered charity or hold DGR endorsement. Microsoft validates nonprofit status through a partner such as TechSoup or Goodstack before you can buy the discounted licences. Commercial or mutual-benefit associations without a charitable purpose often do not qualify, so eligibility is worth confirming early.

  3. Isn't Microsoft 365 Business Premium free for nonprofits?

    It used to be. Microsoft ended the free grant of Business Premium on 1 July 2025. You can still get up to 300 seats of Business Basic at no cost, but Basic has none of the security tools. Business Premium is now offered at around 75 percent off, which is still a very good deal for what it includes.

  4. What security do we actually get with Business Premium?

    Business Premium includes Microsoft Defender for Business for your computers, Intune to manage devices, and Entra ID Plan 1 for multi-factor authentication and conditional access. It is a genuine business security stack. The important part is that it does very little until someone configures it properly, which is the work we do.

  5. Do we need Essential Eight or SMB1001 to get grants?

    It is becoming more common. Government grants and contracts increasingly ask for Essential Eight progress, and some funders and insurers recognise SMB1001 certification. Neither is legally forced on a private charity, but being able to show one of them is turning into part of qualifying for funded work.

  6. What is business email compromise and why does it hit not-for-profits?

    It is when an attacker gets into a mailbox, usually a finance one, and uses it to redirect a payment to their own account. Not-for-profits are targeted because they move grant money and supplier payments, often with a small finance team and limited checks. A phone call to confirm any change of bank details, plus multi-factor authentication, stops most of it.

  7. How much does this cost for a small charity?

    Less than most boards expect, because a lot of the value comes from configuring licences you already hold or can get cheaply. We scope the work to what your organisation can actually fund and start with the fixes that remove the most risk. A security review is the usual first step, and it comes with no obligation to go further.

  8. Do you work with volunteer-run organisations?

    Yes. We work with small, volunteer-run groups through to larger charities with paid staff. Smaller organisations usually start with a security review, then close the gaps that matter most. Not everyone needs a managed service, and we will tell you if you do not.

  9. What is a security review and where do we start?

    A security review is a structured look at your Microsoft 365 setup, your logins, how donor and client data is stored, and whether you have a plan for a breach. You come away with a clear, ordered list of what to fix first and where you stand against your obligations. It is the sensible starting point for almost every organisation we work with.

  10. What are our obligations under the Notifiable Data Breaches scheme?

    If you are covered by the Privacy Act and a breach is likely to cause serious harm, you have to notify the OAIC and the people affected, and do it promptly. For a charity holding donor financial records or client information, most serious breaches will meet that test. Knowing this in advance, and having a plan, is far better than working it out during an incident.

Start with a review

See exactly where your organisation stands.

We look at your Microsoft 365 setup, your logins, how donor and client data is held, and whether your breach plan covers your Privacy Act duties. You get a clear, ordered list of what to fix, scoped to what your organisation can fund. Most charities are surprised how much protection is already sitting unused in the licences they have.

ISO 27001 and ISO 9001 certified. NSW Master Security Licence 000109187. Microsoft certified security engineers. Australian-owned. Sydney-based.