Software updates: the unglamorous habit that protects Australian not‑for‑profits

If you run a small not‑for‑profit organisation, chances are you’re juggling a lot – programs, funding, volunteers, compliance, reporting – often with very limited time and resources.

IT rarely sits at the top of the list and that can make you very vulnerable.

Many of the organisations we work with don’t have an internal IT person or team. We often look after their website, making sure WordPress and its plugins are kept up to date and secure. But for the office computers, laptops, phones and home devices people use every day, we can only advise keeping them up to date.

Why this is suddenly more important

Advances in artificial intelligence are making it far easier for bad actors to find weaknesses, automate attacks, and convincingly impersonate real people.

You might have seen recent coverage of a new AI model, Mythos, that is ridiculously good at finding security weaknesses. The company behind it, Anthropic, say it’s just too dangerous to release: it will make it trivial for anyone to hack into almost anything. While Anthropic have made this advance today, other AI companies who may not be quite so cautious will be following closely behind.

This isn’t just a “big business” problem.

Small Australian not‑for‑profits are often attractive targets because:

  • they hold money in bank accounts
  • they manage sensitive personal information
  • they rely on trust, email and shared access
  • they don’t usually have dedicated security staff

Attackers know this.

“We’ll update it later” – a very human response

We completely understand why software updates get delayed. We hear the same reasons over and over:

  • “I’m worried something will break”
  • “I don’t want to risk losing features I rely on”
  • “Something might change and it will slow me down”
  • “I’m busy right now, I’ll do it later”

When you sit down at your computer or phone, it’s usually because you have work you need to get done. Waiting 10 minutes for an update feels inconvenient at best, and risky at worst.

Unfortunately, attackers rely on exactly this hesitation.

What updates actually do (in plain English)

Most software updates aren’t about shiny new features. They’re about closing security holes.

When a weakness is discovered in Windows, macOS, a web browser, email app or phone operating system, that information quickly becomes known, not just to software companies, but to criminals too.

Once an update is released, attackers know:

  • what the weakness was
  • how to exploit it
  • which systems are still unpatched

Delaying updates doesn’t keep you safe from change; it leaves the door open.

The real risks for not‑for‑profits

When systems aren’t kept up to date, organisations can be exposed to very real threats, including:

Ransomware: Files are encrypted and access is locked until a ransom is paid.

Email compromise: Attackers gain access to an email account and use it to request payments, change bank details, or trick staff and volunteers.

Financial theft: Funds are redirected or accounts accessed, sometimes without being noticed until much later.

Devices being used against others: Out‑of‑date computers can be hijacked and used in attacks on other organisations, creating legal and reputational risk.

None of these scenarios require sophisticated hacking. Often they’re automated, AI‑assisted, and opportunistic.

AI is making this easier for attackers, and it is going to get much, much easier for them in the coming months and years.

What “good enough” security looks like for small organisations

For Australian not‑for‑profits, these habits cover a huge amount of ground:

  • Enable automatic updates on computers and phones
  • Keep browsers (Chrome, Edge, Safari, Firefox) up to date
  • Check all the software you use, and see if an update is available
  • Restart computers and phones when updates ask for it
  • Be cautious with email links and attachments

It’s not about achieving perfection. It’s about reducing easy opportunities for attackers.

A mindset shift that helps

Instead of thinking of updates as inconvenient interruptions, it can help to see them as routine maintenance, like servicing a car.

Skipping one service doesn’t usually cause immediate failure, but over time, the risk builds up. Updates work the same way.

Ten minutes now can prevent weeks of disruption later.

And don’t forget: it’s not just the computer on your desk that needs attention. The computer in your pocket, your phone, needs it too.
