In an increasingly digitized world, where humanitarian missions are championed via online platforms and digital infrastructures, the realm of cybersecurity has emerged as an indispensable guardian for nonprofit organizations. Nonprofits, driven by altruism rather than profit, often navigate complex landscapes of data protection, financial integrity, and stakeholder trust in the digital sphere. Yet, despite their noble goals, they are not immune to cyber threats.
Below, we’ll explore the intersection of nonprofits’ altruistic spirit and cybersecurity’s pragmatic imperative. We’ll also dive into the unique challenges nonprofits face when safeguarding their digital assets, the consequences of cyber vulnerabilities, and the proactive strategies they can adopt to fortify their missions against the evolving threats of the digital age.
As we uncover the unique cyber risks, we’ll talk about how nonprofits can harness the power of cybersecurity to preserve their integrity, uphold their values, protect donor data, and continue making a positive impact in a world where every click carries the potential for both promise and peril.
Why It’s Time For Non-Profits to Get Serious About Cyber Security
In excerpts from an article by NCN, they wrote, “If your nonprofit engages in any of the three activities below, it’s time to get serious about taking steps to address cybersecurity risks. Does your nonprofit:
- Conduct e-commerce on its website, such as processing donations or event registrations?
- Store and transfer (such as by sending to the cloud) “personally identifiable information” about anyone, including donors? (Common examples of personally identifiable information include clients’ medical information and employee records – including driver’s licenses, addresses, and personal security numbers.)
- Collect information about the preferences and habits of donors, patrons, newsletter subscribers, etc.
If so, there are real risks to your nonprofit’s data security, as well as to the data security of its donors and the individuals it serves.
What are the risks?
Data breaches that are both likely to happen and can result in serious harm fall into the “high priority” category. Many nonprofits collect and store sensitive personal information that is protected by law as confidential. When there is a breach of the confidentiality of those data, that poses a risk for the individuals whose data was disclosed AND for the nonprofit that will now potentially be subject to liability for the breach. It makes sense for EVERY nonprofit to – at a minimum – assess the risks of a data security breach and protect its data from unauthorized disclosure.
First Step | Risk assessment
The Nonprofit Technology Network (NTEN) suggests that the first step in assessing your nonprofit’s data risks is to inventory all the data your nonprofit collects and identify where it is stored. NTEN offers a template assessment tool. These inventory tools ask: What data do we collect about people? What do we do with it? Where do we store it? Who is responsible for it?
Think about the cost/benefit of maintaining all that data. You may find that there is data your nonprofit is currently asking for and keeping that it doesn’t really need. If so, reducing or limiting the data that your nonprofit collects and streamlining the storage process (as well as diligently destroying data in accordance with the nonprofit’s document retention policy) could be easy first steps toward mitigating risk.
Second Step | Is the data your nonprofit maintains “protected” or “confidential”?
Second, know whether the data your nonprofit collects and maintains is covered by federal or state regulations as “personally identifiable information.” If so, forty-seven U.S. state laws require nonprofits to inform persons whose “personally identifiable information” is disclosed in a security breach, and 31 states have laws that require the disposal of such data in certain ways.
Additionally, the Federal Trade Commission’s Disposal Rule also requires proper disposal of information in consumer reports and records to protect against “unauthorized access to or use of the information.” Protecting personally identifiable information is all about training staff about how to collect/store/dispose of and generally protect this data.
Even if you are collecting data that doesn’t rise to the level of “personally identifiable information,” such as a community theatre collecting information on attendees’ preferences for plays or musicals, a breach of that data can be harmful to the organization’s reputation and ability to bring in contributions. All data reflecting personal preferences are important to keep secure.
Third Step | Drill down on the actual risks
Third, consider using the US National Institute of Standards and Technology (NIST) Cybersecurity Framework to help your nonprofit identify risks and make management decisions to mitigate those risks. This framework is not intended to be a one-size-fits-all approach but to allow organizations to manage cybersecurity risks cost-effectively based on their own environment and needs.
Take a look at the likelihood of some cybersecurity risks: What is the risk of a third party compromising your nonprofit’s data security? Many nonprofits use outside assistance, such as an outsourced bookkeeper, IT consultant, payroll service, or even a cloud storage service. If any of these third-party vendors do not employ adequate data security protection, the nonprofit’s data security will be at risk.
RELATED: The Importance of Cyber Security Discussions with Vendors
Other types of third-party access might include a donation processing service or any outside professionals with authority to access the administrative side of your nonprofit’s website or shared electronic files. Consequently, when hiring third parties for any projects that involve data access by the vendor, make sure that you are satisfied with the firm’s data security protocol.
Here is a set of questions developed by Digital Impact.IO as a starting point for questions to ask the vendor about their approach to data security…
How likely is it that hackers will take over your nonprofit’s website?
Hackers can access your nonprofit’s site through a security breach and transform it into something you would not recognize, like an online pharmacy.
- How likely is this to happen? That depends on the strength of the security of individual nonprofits’ websites and how consistently users follow strong password protocols.
- How serious are the risks? Typically, the main website remains intact, but the hackers create additional content that isn’t good for your nonprofit’s reputation – or Google Analytics. So, on balance, a site takeover does not create the same type of liability risks that other security breaches do, but cleaning up the mess can be time-consuming and costly.
Managing these risks is much like brushing your teeth. We all need to get in the habit of keeping software updated and being vigilant about usernames and passwords (for example: Using “admin” as a user name creates vulnerabilities, say the experts.) Regular maintenance can go a long way towards reducing this and other data security risks.”
RELATED: The Power of Cybersecurity Conversations
In short, the importance of addressing cybersecurity risks for nonprofits cannot be overstated. As the NCN excerpt highlights, processing donations online, handling personally identifiable information, and collecting donor data all create real exposure. The consequences of a breach go well beyond inconvenience: breach-notification obligations under state law, legal liability, and damage to the organization’s reputation and to the trust of its donors.
To mitigate these risks, nonprofits need a systematic approach. It begins with a risk assessment: an inventory of what data is collected, why it is kept, where it is stored, and who is responsible for it. Collecting less data, and keeping it no longer than the retention policy requires, is an inexpensive first step toward reducing exposure. It is equally important to know which federal and state rules apply to the personally identifiable information you hold and to train staff in proper collection, storage, and disposal.
Vigilance is key, especially with third-party vendors and the public website. Keeping software updated, avoiding default account names such as “admin”, and using strong, unique passwords are the daily hygiene of security: unglamorous, but what keeps most opportunistic attacks out. Ultimately, prioritizing cybersecurity is not just a matter of compliance but a fundamental part of maintaining trust with stakeholders and safeguarding the integrity of the nonprofit sector as a whole.
Protect the Future of Your Nonprofit’s Data – Basic Tips
In excerpts from a separate article by NCN, they wrote, “With all the news about recent data hacks, why wait until October’s National Cyber Security Awareness Month to consider best practices to help secure the future of your nonprofit’s data and online presence? According to the IRS, here are some steps you can take to protect the data of your nonprofit…
Be careful of email attachments and web links
Do not click on a link or open an attachment that you were not expecting. If it appears important, call the sender to verify that they sent the email and ask them to describe the attachment or link. Before you click a link (in an email or on social media, instant messages, or other web pages), hover over it to see the actual web address it will take you to. Train employees to recognize phishing attempts and who to notify when one occurs.
Use separate personal and business computers, mobile devices, and accounts
As much as possible, have separate devices and email accounts for personal and business use. This is especially important if other people, such as children, use personal devices. Do not conduct any sensitive business activities for your nonprofit (like online business banking) on a personal computer or device, and do not engage in activities such as web surfing, gaming, downloading videos, etc., on business computers or devices. Do not send sensitive business information to personal email addresses.
RELATED: Why Employees Should Never Use Personal Accounts When Conducting Business
Do not connect personal or untrusted storage devices or hardware to computers, mobile devices, or networks.
Do not share USB drives or external hard drives between personal and business computers or devices. Do not connect any unknown/untrusted hardware into the system or network, and do not insert any unknown CD, DVD, or USB drive. Disable the “AutoRun” feature for the USB ports and optical drives like CD and DVD drives on business computers to help prevent malicious programs from installing on the systems.
Be careful downloading software
Do not download software from an unknown web page. Be very careful with downloading and using freeware or shareware.
Watch out when providing personal or business information
- Never give out usernames or passwords. No company should ask for this information for any reason. Also, beware of people asking what kind of operating system, brand of firewall, internet browser, or what applications are installed. This information can make it easier for hackers to break into the system.
- Social engineering attempts to obtain physical or electronic access to business information by manipulating people. A very common type of attack involves a person, website, or email that pretends to be something it’s not. A social engineer will research a business to learn names, titles, responsibilities, and any personal information they can find. Afterward, the social engineer usually calls or sends an email with a believable but made-up story designed to convince the person to give them certain information.
- Never respond to an unsolicited phone call from a company you do not recognize asking for sensitive personal or business information. Employees should notify their management whenever sensitive business information is requested or an attempt is made to obtain it.
Watch for harmful pop-ups
When connected to and using the Internet, do not respond to popup windows requesting that users click “OK.” Use a popup blocker and only allow popups on trusted websites.
Use strong passwords
- Good passwords consist of a random sequence of letters (upper case and lower case), numbers, and special characters. The “best practice” recommendation is that passwords be at least 12 characters long. For systems or applications that have important information, use multiple forms of identification (called “multi-factor” or “dual-factor” authentication).
- Many devices come with default administration passwords – these should be changed immediately when installing and regularly thereafter. Default passwords are easily found or known by hackers and can be used to access the device. The manual or those who install the system should be able to show you how to change them.
- Passwords should be changed at least every three months.
- Passwords to devices and applications that deal with business information should not be re-used.
- You may want to consider using a password management application to store your passwords for you.
Conduct online business more securely
- Online business/commerce/banking should only be done using a secure browser connection. This will normally be indicated by a small lock visible in the lower right corner or upper left of the web browser window.
- Erase the web browser cache, temporary internet files, cookies, and history regularly. Make sure to erase this data after using any public computer and after any online commerce or banking session. This prevents important information from being stolen if the system is compromised. This will also help the system run faster. Typically, this is done in the web browser’s “privacy” or “security” menu.”
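The “hover over the link to see where it really goes” advice above can be turned into a check that runs over a message body before anyone clicks. The following Python script is an added example, not part of the NCN/IRS excerpt or of the page’s own material; the trusted domain `example.org`, the sample e-mail body, and the IP address in it are constructed for the demonstration. It extracts every link, compares the address the link text displays with the address the link actually points to, and flags the patterns that most often trip people: a plain-HTTP link, a trusted name buried inside an unrelated host (`donate.example.org.verify-account.net`), and user-info before an `@` that makes the browser land on a different host than the one shown.

```python
"""Flag deceptive links in an HTML e-mail body.

Added example (not from the NCN/IRS excerpt). TRUSTED_DOMAINS, SAMPLE_EMAIL
and the hosts inside it are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this (hypothetical) nonprofit treats as its own.
TRUSTED_DOMAINS = {"example.org"}

# Constructed sample message body, not a real phishing e-mail.
SAMPLE_EMAIL = """
<p>Dear supporter,</p>
<p>Review your gift at <a href="https://donate.example.org/receipt/42">donate.example.org</a>.</p>
<p>Your account will be suspended. Verify now:
<a href="http://donate.example.org.verify-account.net/login">https://donate.example.org/login</a></p>
<p><a href="https://example.org@198.51.100.23/">Click here</a> to update your details.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels.
    'donate.example.org' -> 'example.org'. A real tool would consult the
    public suffix list; this is enough for the demonstration."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_in_text(text):
    """Return the host that a link's visible text appears to name, or None
    when the text is ordinary words such as 'Click here'."""
    if not text or any(c.isspace() for c in text):
        return None
    parsed = urlparse(text if "://" in text else "//" + text)
    host = parsed.hostname or ""
    return host if "." in host else None


def check_links(html):
    """Return [(href, [reasons])] for every link that looks deceptive."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        real_host = (parsed.hostname or "").lower()
        reasons = []
        if parsed.scheme != "https":
            reasons.append(f"scheme {parsed.scheme!r} is not https")
        if parsed.username is not None:
            # 'https://example.org@198.51.100.23/' lands on the IP, not example.org
            reasons.append("user-info before '@' hides the real host")
        shown = host_in_text(text)
        if shown and registrable(shown) != registrable(real_host):
            reasons.append(f"text shows {shown} but link goes to {real_host}")
        for trusted in TRUSTED_DOMAINS:
            if trusted in real_host and registrable(real_host) != trusted:
                reasons.append(f"{trusted} appears inside unrelated host {real_host}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run as-is, the script reports the two deceptive links and leaves the genuine `donate.example.org` receipt link alone. The checks are heuristics: a link can pass all of them and still be malicious, so the script supports the “verify with the sender” habit rather than replacing it, and the two-label `registrable()` shortcut would need the public suffix list before use on real mail (it misjudges hosts such as `something.co.uk`).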
Cybersecurity Challenges and Best Practices for Nonprofits
In excerpts from an article by Eide Bailly, they wrote, “Nonprofits and nongovernmental organizations (NGOs) face significant cyber threats. In fact, 27% of nonprofits worldwide have fallen victim to cyberattacks, according to the 2023 Nonprofit Tech for Good Report. Unfortunately, many of these organizations remain vulnerable due to outdated security protocols.
A report published by the Nonprofit Technology Enterprise Network (NTEN) revealed:
- 68% of nonprofits do not have documented policies and procedures in place should a cyberattack occur.
- Less than 50% of nonprofit organizations have internal procedures or policies in place to manage how data is shared with external agencies.
- 71% of nonprofits allow staff members to use unsecured personal devices to access organizational emails and business files.
Since many nonprofits lack proper security protocols or up-to-date defense measures, they are considered low-hanging fruit for cybercriminals.
Why are Nonprofits Vulnerable to Cyberattacks?
In the realm of cybersecurity, nonprofit organizations face a distinct array of challenges. These arise from their organizational structure, the constraints of their funding, and the limitations of the tools at their disposal. Furthermore, the sensitive nature of the information they manage adds a layer of complexity to their cybersecurity needs.
These organizations often store personal, financial, or other sensitive information about donors and clients. Additionally, many nonprofits are associated with secondary organizations, such as healthcare or government entities, which possess their own data, services, and vulnerabilities. If a cybercriminal can exploit any weaknesses within these interconnected components, they can gain significant leverage.
Moreover, nonprofits frequently collect information from individuals who are vulnerable and at-risk, like low-income families, children, and the elderly. This also makes their data highly valuable to cybercriminals.
Other vulnerabilities specific to nonprofits include:
- Limited cybersecurity expertise: Due to budget constraints, nonprofits often lack dedicated IT departments or cybersecurity professionals. This lack of expertise and resources can make it challenging to implement and maintain robust security measures.
- Third-party service providers: Nonprofits frequently collaborate with third-party vendors or service providers for various functions, such as fundraising platforms, cloud storage, or website management. These external partnerships can create additional entry points for cyberattacks if proper security protocols are not established and monitored.
- Lack of awareness and prioritization: Nonprofits may underestimate the severity of cyber threats or believe that they are less likely to be targeted compared to larger organizations. This perception can lead to a lack of awareness and a failure to prioritize cybersecurity, making them more susceptible to attacks.
When cyberattacks specifically target nonprofits, the aim is often to obtain various types of information, such as research surveys, mailing lists, donation forms, meeting records, and donor details.
What Kinds of Cyberattacks Do Nonprofits Commonly Face?
The shift from traditional paper-based systems to digital storage means that personal and financial information is now increasingly vulnerable. It’s crucial to recognize that any team member could unintentionally provide a “key” to cybercriminals.
Common cyberattacks endured by nonprofits include:
Ransomware:
In a ransomware attack, cybercriminals identify the most valuable data and compromise it until you pay a specific amount, often within a set timeframe. This is carried out by a form of malware that encrypts data on an infected computer or device. Cybercriminals demand payment for the decryption key.
Social engineering:
Cybersecurity for nonprofits often fails at the staff level due to a lack of proper training and resources. Cybercriminals employ deceptive tactics, often via email, phone calls, or text messages, to manipulate individuals and gain unauthorized access to organizational systems. Social engineering attacks exploit human error rather than relying solely on technical weaknesses.
Data breaches from employees:
Many data breaches occur due to employee negligence or malicious intent, leading to unauthorized access and theft of sensitive information. This can occur through actions such as mishandling data, sharing credentials, or falling victim to phishing attempts.
Malicious software:
Viruses and other forms of malware can infiltrate computers or mobile devices connected to the nonprofit’s network, putting sensitive information at risk. Malicious software can cause significant disruptions and compromise the integrity of data.
These cyberattacks can lead to serious consequences for nonprofits, including:
- Exposure of confidential or sensitive information.
- Inaccessibility of organization, donor, or client data.
- Disruptions to operations, potentially leading to reputational damage and loss of support.
- Strain on internal resources and management due to the need for data recovery and restoration.
- Unforeseen costs associated with addressing a compromised environment, such as legal expenses, regulatory fines, and identity protection measures.
Best Practices to Strengthen Your Nonprofit’s Cybersecurity
The last thing you want to do is leave yourself—and your data—out in the open. And the worst time to start thinking about how to respond to a cyberattack is when you’re being breached. Therefore, proactive planning is key. To strengthen your nonprofit’s cybersecurity, it is essential to establish a culture of cybersecurity that is driven and emphasized by leadership. With this in mind, take the following steps to develop an effective cybersecurity program—and culture—at your nonprofit.
Assess and Test
Conduct a thorough audit of your current IT infrastructure to identify weaknesses, potential risks, and areas for improvement. This assessment will provide visibility into your environment and help create a roadmap for enhancing cybersecurity.
Align and Plan
Align your organizational risk with cyber risk and the threats that are relevant to your operations and data, as discovered in your assessment and testing. Engage with a consultant with expertise in your industry who can help you identify relevant threats to your organization type, the data you protect, your region, and more.
Formalize and Document
Document policies, plans, and procedures, defining acceptable use and roles in data protection. This includes developing your incident response plans, which outline how you’ll respond to specific incidents and who is involved when. Policies should also outline expectations for volunteers accessing your network and devices.
RELATED: The Importance of Contingency Strategies, Backup Plans, and Employee Training
Educate and Advocate
Educate and train your staff on cybersecurity awareness, policies, and procedures. Emphasize the importance of cybersecurity and explain the rationale behind security measures. Help your team understand the value of cybersecurity in ensuring mission continuity and maintaining security.
Practice, Practice, and Practice Again
Regularly exercise your incident response plans through simulated scenarios. Prepared organizations realize savings of about 40% on data breaches because they can respond and recover faster.
Next Steps for Ensuring the Security of Your Nonprofit
The cyber threat landscape is incredibly dynamic and ever-changing. It is imperative you have a strategy that is fluid enough to adapt to this changing landscape.
With proactive planning and trusted advice, you can better understand your risk and empower the right people, processes, and technology to protect your data. A clear plan and a trustworthy team will help you prevent, detect, and respond to new cyberattacks and threats.”
Conclusion
In conclusion, safeguarding the digital assets and integrity of nonprofit organizations is not just a matter of compliance; it is a fundamental necessity in today’s interconnected world. As we have explored, nonprofits face distinct cybersecurity challenges stemming from limited budgets and expertise, reliance on third-party vendors, and the sensitive nature of the donor and client data they handle.
Armed with proactive strategies and a commitment to prioritizing cybersecurity, nonprofits can mitigate these risks and uphold the trust of their stakeholders. From conducting a data inventory and risk assessment to documenting policies and incident response plans, educating staff, and fostering a culture of vigilance, there are concrete steps every nonprofit can take to protect itself against cyber threats.
Collaboration with peers and vendors, ongoing staff training, and regular exercise of incident response plans further strengthen a nonprofit’s resilience as threats evolve. By embracing these principles and a mindset of continuous improvement, nonprofits safeguard not only their own futures but also their ability to keep serving the communities that depend on them.
Ultimately, the importance of cybersecurity for nonprofits cannot be overstated. By proactively addressing cybersecurity risks, nonprofits can uphold their values, protect donor trust, and safeguard the integrity of the nonprofit sector as a whole. Together, let’s work towards a future where every nonprofit can thrive securely in the digital age.
At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.
Every device connecting to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.
Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.
To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca