Digital Transformation for First Nations Organisations: A Quick Guide for Navigating Cybersecurity

At a glance:

  • Digital transformation is changing how we live and work — but it also brings risks.

  • Cybercrime is growing fast: globally, it may cost $24 trillion by 2027; in Australia, small businesses lose around $50,000 on average per incident.

  • High-profile breaches (Optus, Medibank) show how damaging cyber incidents can be.

  • First Nations organisations face extra challenges — limited resources, digital inclusion gaps, and high community expectations.

  • The law requires action: directors must ensure proper cyber governance, protect personal data under the Privacy Act, and comply with the new Cyber Security Act.

  • Practical steps include: staff training, strong passwords and multi-factor authentication, regular backups, cyber insurance, and having an incident response plan.

  • Reputation and community trust are at stake — prevention and preparation are critical.

What is digital transformation?

Digital transformation is the way technology is changing how we live and work. It includes using devices, accessing information on the internet, sending emails, and applying artificial intelligence. This transformation is accelerating quickly. It brings both opportunities and risks, particularly around cybersecurity.

What is cybersecurity?

Cybersecurity refers to the processes and systems used to manage risks from technology.[1] With digital transformation moving so quickly, managing cybersecurity is becoming more complex – both internationally and in Australia.

Globally, cybercrime is expected to cost more than $24 trillion by 2027.[2] The International Monetary Fund has reported that cyber-attacks have doubled since COVID-19.[3] In response, the United Nations recently adopted a Convention against Cybercrime.[4]

In Australia:

  • Most cybercrime reports are from small businesses, with an average cost of around $50,000.[5]
  • Email compromises were the most frequent source of cybercrime.[6]
  • About 1 in 3 adults in Australia have been exposed to data breaches.[7]
  • On 29 November 2024, the Cyber Security Act 2024 (Cth) became law.

High-profile breaches highlight the risks. For example, the 2022 Optus breach exposed the details of 9.8 million customers, and the 2022 Medibank breach affected 9.7 million customers.

How is this relevant to First Nations Organisations?

All organisations use technology, and cybersecurity is a known risk. For First Nations organisations, the challenges can be greater. For example:

  • Many are for-purpose organisations with limited resources.
  • Broader issues around digital inclusion can increase both the likelihood and impact of cybersecurity incidents.[8]

A cybersecurity breach can:

  • Disrupt service delivery
  • Cost time and money
  • Damage reputation and erode community trust

There have already been examples of cyber incidents affecting First Nations organisations, such as a cyberattack on a native title representative body.[9]

What do some of the laws say about cybersecurity?

Directors’ duties
Directors must ensure good governance of technology and cybersecurity, in accordance with their duties. This includes, for example:

  • Preventing and managing hacking attempts.
  • Training staff.
  • Managing data.

Directors must also oversee cybersecurity risks relating to personal information. If the organisation has an annual turnover of more than $3 million, the Privacy Act 1988 (Cth) applies. This law requires organisations to:

  • Notify affected individuals and the Office of the Australian Information Commissioner of serious data breaches.
  • Take active measures to protect personal information.[10]

Case law
The courts have made it clear that failing to manage cyber risks has consequences. In ASIC v RI Advice Group Pty Ltd, the Court found the company failed to have reasonable systems and policies in place to manage cybersecurity risks.[11] Regulators have since taken further action against other organisations.[12] The same obligations apply to directors of First Nations organisations.

New legislation
The Cyber Security Act 2024 (Cth) introduced new reporting obligations. Businesses with a turnover of $3 million or more must now report any ransom payments made to ransomware operators or cyber extortionists.[13]

What are some things that First Nations organisations can do to navigate cybersecurity?

For individuals
The Federal Government recommends a six-step checklist to reduce the risk of cyber-attacks:[14]

  1. Keep your devices updated
  2. Back up data regularly
  3. Turn on multi-factor authentication
  4. Use secure passphrases
  5. Recognise and report scams
  6. Stay alert to online threats

For boards
Recommendations from the Australian Institute of Company Directors (AICD) include four strategies for good governance:[15]

  1. Document who is responsible for cybersecurity
  2. Appoint a cyber “champion” to promote resilience and answer questions
  3. Consider appointing a director (or committee) to actively oversee cyber risks
  4. Identify key digital providers and check their cyber controls

AICD also suggests directors ask:[16]

  • Do we understand cyber risks well enough to oversee and challenge management?
  • Who has primary responsibility for cybersecurity in our team?
  • Do we need a board committee for cyber governance?
  • How are responsibilities managed when key staff leave?
  • Do we have cyber insurance, and do we understand the coverage and gaps?

Practical steps for organisations
First Nations organisations should consider:

  • Regular cyber training for boards, management, and staff.
  • Reviewing data management and IT infrastructure.
  • Developing clear policies (e.g. password management, multi-factor authentication, data backups).
  • Creating and testing a cyber incident response plan.
  • Exploring cyber insurance options.

This is general commentary only and does not constitute legal advice. MPS Law is not an expert in cybersecurity and professional advice from cybersecurity experts should be sought as required. In addition, if you are unsure how this commentary relates to you, legal advice should be obtained.

[1] See Commonwealth of Australia, Australian Signals Directorate, ‘Glossary’, available at https://www.cyber.gov.au/learn-basics/view-resources/glossary.

[2] World Economic Forum, ‘Strategising cybersecurity: Why a risk-based approach is key’, 2 April 2023.

[3] International Monetary Fund, ‘GLOBAL FINANCIAL STABILITY REPORT: The Last Mile: Financial Vulnerabilities and Risks’, April 2024, Chapter 3, p. 1.

[4] United Nations Convention against Cybercrime, resolution 79/243, 24 December 2024.

[5] Commonwealth of Australia, Australian Signals Directorate, Annual Cyber Threat Report 2023-2024, available at https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2023-2024.

[6] Ibid.

[7] Breach for the Stars – ASIC’s Renewed Focus on Cybersecurity (2023) 21(10) FSN 160.

[8] See, generally, Commonwealth of Australia, National Indigenous Australians Agency, First Nations Digital Inclusion Plan – July 2023, and Central Land Council, ‘Indigenous Digital Inclusion Discussion Paper, Submission from the Central Land Council’, November 2021.

[9] See, for example, Yamatji Marlpa Aboriginal Corporation, ‘Important information about a cyberattack on YMAC’, 8 December 2022.

[10] Australian Privacy Principle (APP) 11.

[11] 160 ACSR 204; [2022] FCA 496; BC202203795.

[12] Australian Securities and Investments Commission, ‘ASIC sues FIIG Securities for systemic and prolonged cybersecurity failure’, 13 March 2025.

[13] See Cyber Security Act 2024 (Cth) ss 26, 27, 32 and 44. See, also, Mandatory Reporting in Australia on Ransomware and Cyber Extortion Payments (2025) 27(4) INTLB 68.

[14] Commonwealth of Australia, Australian Signals Directorate, ‘Learn the Basics’, available at https://www.cyber.gov.au/learn-basics.

[15] Australian Institute of Company Directors and Cybersecurity Cooperative Research Centre, ‘Cybersecurity Governance Principles’, Version 2, November 2024, p. 19.

[16] Ibid, p. 2.