SLSQ Governance Manual

7.7. Cyber Security

Cyber security may come across as an IT issue and/or responsibility, but it is also a governance one. All Clubs and Branches hold sensitive information including member records, financial data and banking details. Protecting all information is critical to maintaining member trust and meeting legal and regulatory obligations.

Across Australia, not-for-profit organisations, like SLSQ, are increasingly being targeted by cyber criminals due to volunteer based systems, shared logins and limited technical controls. Common risks include:

  • Phishing emails impersonating SLSQ, suppliers or committee members
  • Business Email Compromise (BEC) targeting Treasurers and Presidents
  • Fake invoice scams
  • Malware and ransomware attacks
  • Unauthorised access due to weak passwords or shared accounts
  • Data breaches from lost devices or unsecured cloud storage

Clubs and branches should ensure the following minimum controls are in place:

  1. Strong Access Controls
    • Use Multi-Factor Authentication (MFA) wherever available (email, banking, Microsoft 365, cloud storage).
    • Avoid shared logins – each officer bearer should have their own account.
    • Remove access immediately when committee members step down.
  2. Password Hygiene
    • Use strong, unique passwords (minimum 12 characters).
    • Consider using a reputable password manager.
    • Never reuse banking passwords across other platforms.
  3. Email Vigilance
    • Always verify changes to bank details via a secondary method (phone call).
    • Be cautious of urgent payment requests.
    • Check sender email addresses carefully for slight variations.
  4. Secure Record Management
    • Store governance and financial documents in secure, access-controlled platforms.
    • Avoid storing sensitive documents on personal devices.
    • Ensure regular backups are in place.
  5. Incident Response
    • If a scam, breach or suspicious activity occurs, act immediately:

Cyber security should be discussed at least annually at committee level as part of risk management oversight. It is recommended that clubs include cyber risk within their risk register and ensure officer bearer inductions include basic cyber awareness responsibilities.
Proactive cyber practices protect members, volunteers, donors and the broader Surf Life Saving brand.

Revision: 5

Feedback

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Post Comment