The National Disability Insurance Scheme (NDIS) is a landmark reform that aims to provide support and services to people with disability, their families and carers. 

However, as NDIS providers operate in a complex and evolving digital environment, they also face significant cyber risks that could compromise their business operations, client data and reputation.

In this article, we will explore some of the cyber threats that NDIS providers need to be aware of, the potential impacts of a cyber-attack, and the best practices to prevent and respond to cyber incidents.

Cyber Threats for NDIS Providers

NDIS providers are exposed to various types of cyber threats, such as phishing, ransomware, malware, denial-of-service, data breaches and invoice fraud. These threats can target the provider's IT systems, networks, devices, websites, emails, online platforms and payment systems. Cyber criminals may attempt to steal, manipulate or destroy sensitive information, such as personal details, health records, financial data, NDIS plans and invoices. They may also demand ransom payments, disrupt service delivery, extort money or damage the provider's reputation.
Some of the factors that make NDIS providers vulnerable to cyber-attacks include:

  • The use of outdated or unsecured software, hardware and devices
  • The lack of adequate cyber security policies, procedures and training
  • The reliance on third-party vendors and contractors who may have access to the provider's data and systems
  • The increased use of online and remote services due to the COVID-19 pandemic
  • The high turnover and casualisation of the disability workforce
  • The low cyber awareness and preparedness of the disability sector in general

Impacts of a Cyber Attack

A cyber-attack can have serious and lasting consequences for NDIS providers, such as:

  1. Financial losses: According to a report by the Australian Cyber Security Centre (ACSC), over 60% of Australian SMEs do not survive more than 6 months after a cyber-attack. Small businesses experienced an average financial loss of $46,000, while cybercrimes cost medium businesses an average of $97,200, and large businesses an average of $71,600. These losses can include direct costs, such as ransom payments, data recovery, legal fees and fines, as well as indirect costs, such as lost revenue, reduced productivity, increased insurance premiums and reputational damage.
  2. Legal liabilities: The legal environment is also changing. In a ruling from the ACT Civil & Administrative Tribunal concerning a case of invoice fraud, the company that paid the invoice to the fraudulent entity was found liable for the debt on the original invoice, despite having already paid in good faith. This has serious implications for SMEs around Australia. Moreover, the Small Business Exemption is likely to be revoked: previously, businesses needed to have a turnover of $3m or higher to be required to adhere to the Privacy Act. Under the proposed changes, this threshold will be reduced to $0, so any business making more than $1 annually in revenue will need to comply with the Act once the change is passed into law. This means that NDIS providers have a legal obligation to protect the personal information of their clients and staff, and to report any data breaches to the Office of the Australian Information Commissioner (OAIC) and the affected individuals.
  3. Social and emotional impacts: A cyber-attack can also have negative effects on the well-being and trust of the NDIS providers, their clients and their staff. For example, a data breach can expose the clients' sensitive information, such as their disability, health, financial and family status, to unauthorised parties, which can cause them distress, anxiety, embarrassment and stigma. A cyber-attack can also erode the trust and confidence that the clients and the staff have in the provider's ability to deliver safe and quality services. Furthermore, a cyber-attack can damage the provider's reputation and brand image, which can affect their competitiveness and sustainability in the NDIS market.

Best Practices for Cyber Security

To prevent and mitigate the cyber risks faced by NDIS providers, it is essential to adopt a proactive and holistic approach to cyber security. RSM has developed an affordable and bespoke Cyber Security package that helps you follow best practice and protect your business. It involves a cyber security review, a security policy, user education training and integration of technology to protect your data and systems. We will work with you to bring in best practices including:

  • Conducting a cyber security risk assessment to identify the provider's assets, threats, vulnerabilities and controls
  • Developing and implementing a cyber security policy and plan that outlines the provider's roles, responsibilities, objectives, strategies and actions for cyber security
  • Updating and patching the provider's software, hardware and devices regularly and ensuring that they have the latest security features and protections
  • Using strong passwords, encryption, firewalls, antivirus and anti-malware software to secure the provider's data and systems
  • Educating and training the provider's staff, clients and vendors on cyber security awareness and best practices, such as how to recognise and avoid phishing emails, how to create and manage passwords, how to backup and restore data, and how to report and respond to cyber incidents
  • Establishing and testing a cyber incident response plan that defines the provider's procedures, roles, resources and communication channels for managing and resolving a cyber incident
  • Reviewing and monitoring the provider's cyber security performance and compliance regularly and making improvements as needed
  • Seeking professional advice and assistance from cyber security experts and organisations, such as the ACSC, the NDIS Quality and Safeguards Commission, the OAIC and the NDIS Cyber Security Support Service (NCSSS)

Cyber security is a vital and ongoing challenge for NDIS providers, as they operate in a dynamic and complex digital environment that exposes them to various cyber threats. A cyber-attack can have devastating impacts on the provider's business operations, client data and reputation, as well as their legal and regulatory obligations. Therefore, it is imperative that NDIS providers take proactive and holistic measures to protect their business and clients from cyber risks, and to prepare and respond to cyber incidents effectively. By doing so, NDIS providers can enhance their cyber resilience, trust and quality, and deliver better outcomes for people with disability. 

Don't leave your NDIS business vulnerable to cyber threats. Protect your business operations, client data, and reputation, safeguard your business and clients from cyber risks and prepare for potential cyber incidents. Learn how to enhance your cyber resilience, trust, and quality of service by contacting RSM cyber specialist Ashwin Pal today.
