
You said ·  We've had a breach or close call

Industry ·  Not-for-profit

A breach or close call means you need a plan now.

The first hour after a phishing click or invoice redirection fraud determines whether you recover or close. Not-for-profits hold donor data and volunteer credentials that attract targeted attacks. You need to stop the bleed, satisfy the ACNC, and restore trust with your grant funders. We help you do that without guessing.

What this usually looks like

What a breach looks like for a not-for-profit.

Your Xero or Salesforce NPSP has been compromised. A volunteer account with excessive privileges was used to redirect a donation. The ACNC Cyber Warden guidelines are clear on reporting, and your grant funders are asking for evidence of control. You are under pressure to respond while keeping your team focused on service delivery.

The damage is not just technical. It is reputational. Donors expect their data to be safe. Volunteers need to trust the platform they use. Your board needs to show due diligence. The gap between your current setup and what is required usually involves identity governance, email security, and a tested incident response plan.

Most NFPs operate with limited IT budget and rely on internal champions. When a breach happens, that reliance becomes a bottleneck. You need external expertise to guide the immediate response and to build a defensible posture that meets privacy obligations and funder requirements.

Where we'd start

Where we start in the first 72 hours.

  1. Step 01

    Contain and assess the damage

    We isolate compromised accounts and devices immediately. We review email logs for redirection rules and check Xero for unauthorised payments. We identify the entry point, usually a phishing email or weak password. We document everything for your records and for any regulatory reporting.

  2. Step 02

    Restore trust and compliance

    We help you draft the ACNC notification if required. We advise on donor communication to maintain transparency. We review your privacy policy and data handling procedures against the Privacy Act. We ensure your grant funders receive clear evidence of the steps taken to secure their funds.

  3. Step 03

    Harden the estate to prevent repeat

    We enforce MFA on all admin and donor-facing systems. We restrict volunteer access to only what is necessary. We implement email security controls to stop phishing. We set up monitoring to detect future anomalies early. This is not a one-off fix. It is a baseline that protects your mission.

CCP's security floor

Every CCP client is covered by the Client Security Baseline.

The CSBO is our contractual security floor. MFA on everything that matters. Application control. Vulnerability management. Backups restored, not just scheduled. Account offboarding the same day someone leaves. Password management staff will adopt. Annual awareness training.

If you won't do the basics, we'd rather decline than take responsibility for an incident you chose to ignore.

  • Multi-factor authentication

    Phish-resistant MFA on everything that matters.

  • Application control

    Allowlisted applications. Nothing else runs.

  • Vulnerability management

    Known vulnerabilities remediated inside thirty days.

  • Tested backups

    Backups that have actually been restored, not just scheduled.

  • Same-day offboarding

    Account access cut the day someone leaves the business.

  • Password management

    A password manager your staff will actually use.

  • Awareness training

    Annual cybersecurity training. No one opts out.

  • The full baseline

    Eleven controls in total. Seven shown here. See what's included in Managed IT Complete.

Track record

Twenty years in. A hundred-plus clients. The numbers are load-bearing.


4.8 average · 46 reviews on Google

“The new investors are making us offshore IT. It sucks. You guys were perfect. I don't want to change.”
Paraphrased. A client forced to leave after an acquisition.

Our clients measure their tenure with us in years, not renewals. When they do have to leave (almost always because they've been acquired), they're sad about it. That's the metric that matters.

“Night and day working with CCP. They came in from day one, spent the time to ensure everything was set up and secure properly, and now everything just works. Due to the success we've had with them, we further engaged them to manage our phone systems and website. If you work with CCP you will never have to worry about your IT systems again.”
Trent Martin · Google review

“We have been using CCP since the early 2000s and have always had great service on our 20-plus PCs and server. We recently moved to a managed service and cannot rate the experience highly enough. Well done Lee and team.”
Kelvin Mansfield Flexi · Google review

“We have been continually impressed with CCP over the several years we have used them. They are extremely efficient, excellent customer service and well priced. I would recommend Lee and his team.”
ProcessWorx HR consulting, Perth · Google review

The qualifier

Let's see if we're a fit.

Seven questions, one moment of your time. We'd rather tell you now than three months in.
