30 June 2026

NFPs named in Australia’s next cyber security action plan

The Horizon 2 plan recognises that charities and not-for-profits need practical cyber security support, not just enterprise-scale advice.

Australia’s 2023-2030 Cyber Security Strategy has moved into its Horizon 2 action plan, covering the next stage of national cyber security work. For churches, charities and community organisations, one detail matters: charities and not-for-profits are specifically named in the plan.

The Community Directors summary frames this as welcome news for NFPs, pointing to work involving the Department of Home Affairs, the Australian Charities and Not-for-profits Commission, the Australian Signals Directorate and the Department of Social Services. The practical goal is to support the sector to build cyber resilience in a way that fits the reality of resource-constrained organisations.

The plan names several useful directions for smaller organisations: CyberSmart resources, a dedicated NFP cyber security community of practice, targeted NFP cyber uplift services, an enhanced Cyber Health Check, a stronger “human firewall” through training, and easier reporting pathways when something goes wrong.

It also points to risks that community organisations already feel on the ground: data governance, training, incident reporting, and the security of internet-connected edge devices such as routers and small office equipment. For a church or charity, those are not abstract policy themes. They show up as shared mailboxes, old admin accounts, unmanaged Wi-Fi gear, weak file permissions, missing backups and volunteers who are expected to make high-trust decisions without enough support.

That matters because many NFPs carry high-trust data without enterprise-scale IT teams. Churches and charities may hold donor records, pastoral information, child safety records, volunteer rosters, financial data, website access, cloud files, social media accounts and livestreaming platforms. A compromise can affect trust, operations and the people the organisation exists to serve.

The opportunity is not just more awareness. It is the chance for boards, pastors, CEOs, treasurers and volunteer leaders to turn cyber security into practical governance: knowing who has access, protecting email, enabling multi-factor authentication, reviewing cloud sharing, separating administrator accounts, backing up important data and documenting offboarding.

Suburban Secure will respond to this direction by keeping our work deliberately practical. For customers, that means leadership technology reviews, plain-English risk findings, Microsoft 365 or Google Workspace hardening, email security, device management recommendations, backup and access reviews, and staged implementation plans that respect budgets and volunteer capacity.

The most useful first step for many organisations will be a short cyber and technology review rather than a large transformation project. A review can identify immediate wins, such as MFA gaps, unmanaged administrator accounts, weak DNS/email protection, exposed website access, risky file sharing, missing backups, unsupported devices or incomplete offboarding processes.

If you are reading this as a board member, pastor, CEO, treasurer or operations leader, the call to action is simple: do not wait for a grant program, a near miss or an incident before mapping your cyber risk. Start with the systems that hold trust: email, finance, giving, cloud storage, website access, social media, devices, backups and volunteer access.

Suburban Secure can help with that first step. We can review your current environment, produce a plain-English cyber and technology roadmap, prioritise low-cost controls, and help implement the changes that matter most. For many organisations, the first improvements are not glamorous: MFA, email protection, admin cleanup, backups, device updates, DNS review, password practices and documentation. They are also exactly the kind of work that prevents avoidable pain later.

This national focus should help leaders explain why cyber security needs attention. It is no longer just an IT concern sitting off to the side. It is part of protecting mission, trust, people, records and continuity. If your organisation has not reviewed its cyber posture in the last year, now is a sensible time to start.