Global site
Africa
Americas
Asia Pacific
Europe
Middle East

Services

Every organisation faces unique challenges throughout the business lifecycle. We understand the factors that govern growth and profitability and can tailor our...

See Overview

Financial advisory services

We deliver full advisory service capability to navigate the array of opportunities, complex challenges and risks to help dynamic organisations achieve their...

See Overview

Business valuations
We offer expert valuation advice in transactions, regulatory and administrative matters, and matters subject to dispute – valuing businesses, shares and intangible assets in a wide range of industries.
Capital markets
You need corporate finance specialists experienced in international capital markets on your side if you’re buying or selling financial securities.
Complex and international services
Our experience of multi-jurisdictional insolvencies coupled with our international reputation allows us to deliver the best possible outcome for all stakeholders.
Corporate insolvency
Our corporate investigation and recovery teams can help you manage insolvency situations and facilitate the best outcome.
Debt advisory
An optimal funding structure for your organisation presents unprecedented opportunities, but achieving this can be difficult without a trusted advisor.
Expert witness
Our expert witnesses analyse, interpret, summarise and present complex financial and business-related issues which are understandable and properly supported.
Financial models
A sound financial model will help you understand the impact of your decisions before you make them. Talk to us about our user-friendly models.
Forensic and investigation services
We provide investigative accounting and litigation support services for commercial, matrimonial, criminal, business valuation and insurance disputes.
Independent business review
Is your business viable? Will it remain viable in the future? A thorough independent business review can help your organisation answer these fundamental questions.
IT forensics
Effective ESI analysis is integral to the success of your business. Our IT forensics experts have the technical expertise to identify, preserve and interrogate electronic data.
Mergers and acquisitions
Grant Thornton provides strategic and execution support for mergers, acquisitions, sales and fundraising.
Raising finance
Raising finance - funders value partners who can deliver a robust financial model, a sound business strategy and rigorous planning. We can guide you through the challenges that these transactions can pose and help you build a foundation for long term success once the deal is done.
Relationship property services
Grant Thornton offers high quality independent advice on the many financial issues associated with relationship property from considering an individual financial issue to all aspects of a complex settlement.
Restructuring and turnaround
Grant Thornton’s restructuring and turnaround service capabilities include cash flow, liquidity management and forecasting; crisis and interim management; financial advisory services to companies and parties in transition and distress
Transaction advisory
Our depth of market knowledge will steer you through the transaction process. Grant Thornton’s dynamic teams offer range of financial, commercial and operational expertise.
Virtual asset advisory
Helping you navigate the world of virtual currencies and decentralised financial systems.

Tax

Does your tax bill get the same attention as your cost of sales or salaries and wages? Tax rates might be fixed but the rules and the risks aren't.

See Overview

Corporate tax
Grant Thornton can identify tax issues, risks and opportunities in your organisation and implement strategies to improve your bottom line.
Employment tax
Grant Thornton’s advisers can help you with PAYE (payroll tax), Kiwisaver, fringe benefits tax (FBT), student loans, global mobility services, international tax
Global mobility services
Our team can help expatriates and their employers deal with tax and employment matters both in New Zealand and overseas. With the correct planning advice, employee allowances and benefits may be structured to avoid double taxation and achieve tax savings.
GST
GST has the potential to become a minefield and can be expensive when it goes wrong. Our technical knowledge can help you minimise the negative impact of GST
International tax
International tax rules are undergoing their biggest change in a generation. Tax authorities around the world are increasingly vigilant, especially when it comes to global operations.
Research and Development
R&D tax incentives are often underused and misunderstood – is your business maximising opportunities for making claims?
Tax compliance
Our advisers help clients manage the critical issue of compliance across accountancy regulations, corporation law and tax. We also offer business and wealth advisory services, which means we can provide a seamless and tax-effective offering to our clients.
Tax governance
Mitigate tax risks and implement best practice governance that will stand up to IRD scrutiny and audits.
Transfer pricing
Tax authorities are demanding transparency in international arrangements. We businesses comply with regulations and use transfer pricing as a strategic planning tool.

Audit

Our experts have extensive experience in audit and assurance and produce outstanding work for leading New Zealand organisations in both the public and private...

See Overview

Audit methodology
Our five step audit methodology offers a high quality service wherever you are in the world and includes planning, risk assessment, testing internal controls, substantive testing, and concluding and reporting
Audit technology
We apply our audit methodology with an integrated set of software tools known as the Voyager suite. Our technology has been developed to produce quality audits that are effective and efficient.
Financial reporting advisory
Our financial reporting advisers have the expertise to help you deal with the constantly evolving regulatory environment.

Consulting

Consulting is a multi-disciplinary team, delivering a range of expertise including internal audit, risk management, IT advisory, project assurance, and...

See Overview

Business architecture
Our business architects help businesses with disruptive conditions, business expansion and competitive challenges; the deployment of your strategy is critical to success.
Cloud services
Leverage the cloud to keep your data safe, operate more efficiently, reduce costs and create a better experience for your employees and clients.
Internal audit
Our internal audits deliver independent assurance over key controls within your riskiest processes, proving what works and what doesn’t and recommending improvements.
IT advisory
Our hands on product experience, extensive functional knowledge and industry insights help clients solve complex IT and technology issues
IT privacy and security
IT privacy and security should support your business strategy. Our pragmatic approach focuses on reducing cyber security risks specific to your organisation
Payroll assurance
Our specialist payroll assurance team can conduct a review of your payroll system configuration and processes, and then help you and your team to implement any necessary recalculations.
PCI DSS
Our information security specialists are approved Qualified Security Assessors (QSAs) that have been qualified by the PCI Security Standards Council to independently assess merchants and service providers.
Process improvement
As your organisation grows in size and complexity, processes that were once enabling often become cumbersome and inefficient. To maintain growth, your business must remain flexible, agile and profitable
Procurement/supply chain
Procurement and supply chain inputs will often dominate your balance sheet and constantly evolve for organisations to remain competitive and meet changing customer requirements
Project assurance
Major programmes and projects expose you to significant financial and reputational risk throughout their life cycle. Don’t let these risks become a reality.
Risk management
We understand that growing companies need to establish robust internal controls, and use information technology to effectively mitigate risk.
Robotic process automation (RPA)
RPA is emerging as the most sophisticated form of automation used to help businesses become more agile and remain competitive in the face of today’s ongoing digital disruption.

China services

If you're a Chinese investor wanting to explore business opportunities in New Zealand, or a Kiwi business keen to do business in China, our China Services team...

See Overview

Industries

Aged care & retirement villages

Helping aged care and retirement village operators deliver on their mission and purpose in an increasingly demanding environment.

See Overview

Financial services

Our unique offering to the financial services sector may be the catalyst you need to take your business forward, safely and prosperously.

See Overview

Not for profit

The true measure of society is how it treats its most vulnerable people. Your success is vital to ensuring our country remains a fair and civil one.

See Overview

Property & construction

Minimise your risk and cost while maximising your returns for the best chance of success in today’s market.

See Overview

Public sector

Our public sector team goes beyond expectations so you can too.

See Overview

Insight

Cybersecurity: A vulnerable spot for NFPs

By:

Barry Baker,

Brent Kennerley

02 Aug 20236 min read

Is your Not for Profit enterprise prepared for a cyberattack? If the answer is 'no', you're not alone.

Contents

Our research report, Here for Good? uncovered some alarming statistics that highlighted cybersecurity as a major vulnerability in the sector:

Only 43% of NFPs invested in cyber security over the past two years.
Just 27% plan to invest in cyber security over the next two to three years.
37% of NFPs do not have effective procedures to detect and report data breaches.

This data along with many high profile cyber attack events is a huge concern, so we recently hosted a roundtable event about cyber security with some local NFPs. We talked about why the sector is particularly prone to underinvesting in cybersecurity and what the sector can do to start addressing this weakness. Afterall, phishing attempts and ransomware attacks show no signs of abating, and it only takes one person to inadvertently click on a malicious link and give a cybercriminal access to all of your organisation’s sensitive information. The financial and reputational impacts can be devastating.

Why do NFPs often underinvest in cyber security?

NFPs face some challenges that make it harder for them to invest in cyber security. First and foremost, NFPs are always trying to minimise spending, particularly on administrative and back-office costs. There’s a lot of pressure on charitable organisations to spend as much as possible on frontline assistance to those in need, and as little as possible on the behind-the-scenes processes that deliver that assistance.

This often means eking an extra year (or three!!) out of technology. NFPs are still using laptops that should be replaced, relying on outdated software, and legacy platforms – creating greater vulnerability to cyber attacks."

Cyber security can also seem like a non-priority. When there hasn’t yet been a data breach or hack, that can give NFPs a dangerous false sense of security.

The problem of underinvesting in cybersecurity can be exacerbated by the Board – it’s rare to see a board member who has experience or knowledge of IT, let alone cyber security. Boards tend to recruit accountants and lawyers, who are experienced in their areas, but without expert guidance, it’s easy to inaccurately assess technical risks. And it’s unlikely board members are being trained in cyber risk, since our research found that 59% of boards do not undertake any board training.

Even if you don’t know anything about cyber security, it is a major risk, and NFPs should commit more time and money to mitigating it.

The potential risks cannot be overstated

It’s not a matter of if your business will get hacked, it’s a matter of when and how bad it will be. For an NFP, this could result in a complete halt on operations, snarling up frontline services and potentially demanding a ransom to restore systems.

Worryingly, that ‘smash and grab’ approach by bad actors is being superseded by a more insidious attack: the actors can get into your systems, look around undetected, and steal any of your data, including donors’ and/or members’ personal data. They also can compromise backups.

Then there’s the reputational fallout. Donors who see your name connected with a data breach can easily switch their contributions to another organisation. For example, in Australia, telecoms company Optus reported a data breach in 2022 that saw nearly 10 million customers’ personal details stolen; a few months later it was reported that 10% of customers had left since the attack. Just think how much easier it is to move your donation to another charity than it is to move your telecom provider.

Five ways NFPs can start improving cybersecurity

Change the mindset: Give cybersecurity the same attention as health and safety

The vital first step in improving cybersecurity is to start taking the risks seriously. It should be on par with health and safety – there’s just as much risk and the consequences for organisations can be just as severe. Instead, cyber risk is often buried in the risk register.
Improve relationships between IT and cybersecurity suppliers

NFPs typically use three or four providers for their various IT and cybersecurity requirements, explained Martyn Newman-Hall, Director Core Business at the Nursing Council and an experienced commercial manager, who spoke at our roundtable event. Vulnerabilities are often created by gaps between the various services and human risks. Providers must work together, so each one understands its responsibilities and every risk has a provider who takes responsibility for it. Martyn explained the Council produced significant benefits by co-ordinating the relationships between their suppliers into a partnership model.
IT collaboration is essential – internally and externally

A single head of IT at your organisation can be a powerful force for positive change, but they can’t do everything on their own. There is a risk they become reluctant to involve outsiders or internal management; someone at the roundtable described it as “the God complex IT guy” – protecting their patch. Your NFP’s IT people must work closely with suppliers & internal management and build trusting relationships.
Review your data practices

Do you keep private data from donors? Does your NFP process donor transactions? Then you need to comply with certain PCI DSS standards. For example, it may be well worth investing in third-party payment gateway to take over processing credit cards, which reduces the data you're keeping and the level of compliance required of your organisation.
Look for tech expertise for your board

We know that in the case of one high-profile health sector cyberattack, the board had been presented with a case for improving its cybersecurity a short time before the hack occurred. The board said no.

If your board doesn’t have any members with technical expertise, look for opportunities to appoint someone with a tech background. Alternatively, train your existing board members about technical risks. Your board and C-suite needs to know what questions to ask when they’re presented with options and solutions in the IT sphere.

Tech problems are ultimately people problems

Tech problems aren’t really about technology – they’re about people. NFPs need to take cyber risks seriously, which means thinking about not only their systems, but also their people. Upskilling everyone who works at the organisation, including the board, and encouraging teams and suppliers to work together harmoniously. Only with cooperation and education can your organisation protect itself from the ongoing risks of cyberattacks.