Don’t Give Ransomware a Chance to Hit You
Do you know what you should do when Ransomware attacks? Follow a few steps to limit the impacts.
Download our Ransomware Prevention Checklist
Although nonprofit organizations exist to do good in their communities and across the world, many of their daily operations parallel those in the commercial space. For example, they collect sensitive information, whether from volunteers or as part of donation campaigns. However, unlike commercial enterprises, nonprofit organizations often have fewer monetary and staffing resources, which can cause them to struggle with securing data while keeping it accessible.
Since nonprofits rely on the goodwill and trust of their benefactors, protecting their data should be a mission-critical priority. Keep reading to learn why cybersecurity is necessary for nonprofits who want to protect their data – and therefore, their mission.
Nonprofits collect, process, transmit, and store more sensitive information than they may realize. Despite their focus on their mission and goals, they also engage in many of the same business operations as for-profit organizations, and these operations involve personally identifiable information, including:
Nonprofits manage a lot of data and applications, but often don’t have the financial flexibility to invest in the technology and expertise necessary to protect their landscape. This leaves nonprofits of every size vulnerable to malicious actors. For instance, the Utah Food Bank recently fell victim to hackers who used the nonprofit’s website to access the sensitive data of more than 10,000 donors. This is a strong testament to why nonprofit organizations must carefully secure every solution and service they employ.
In many ways, nonprofits face the same risks as organizations in other industries. To protect themselves, they need to be able to identify risk and understand how to best mitigate it.
A growing number of donors choose to give online, with a 2020 Blackbaud report finding that online giving grew 20.7 percent year-on-year. With this in mind, many nonprofits have found their online giving channels an indispensable resource.
However, as demonstrated in incidents like the SolarWinds breach, third parties can leave nonprofit organizations open to risk. Nonprofits must carefully evaluate the services they use to collect and process these payments, and ensure their organization is prepared for the worst by conducting a risk and vulnerability assessment – otherwise, they might put their donors’ most sensitive information at risk.
Nonprofits often employ volunteers or short-term employees for specific, on-the-ground efforts. However, volunteers often do not go through the same rigorous security training or background check process as full-time employees.
This may make volunteers less cyber aware, putting the organization at risk. For example, they may not understand how to create a secure password, or they may misuse access, accidentally or purposefully. Either way, this places the nonprofit’s sensitive information at risk.
To communicate with partner organizations and volunteers, nonprofits use email, SMS, instant messaging, and more. Each of these communication channels leaves employees vulnerable to social engineering attacks – and for malicious actors, nonprofits provide a prime opportunity.
Social engineering attacks usually start with phishing scams as a way to deliver malware, like ransomware.
These attacks are successful because they use victims’ emotions to get them to take actions against their best interests. Because nonprofit employees also communicate with other nonprofits and are likely to be empathetic people, they are less likely to be wary of an email coming from what looks like a donor or partner organization.
Generally, malware attacks start with phishing scams. However, malicious websites are another malware threat vector. Volunteers and employees looking for information on the internet may accidentally click on a malicious website and download the malware to their device.
Even though SQL injection attacks sound extremely technical, they are a common, easy-to-use attack methodology for malicious actors. Hackers may target website login portals that collect a username and password. They look for ones that are less secure and insert malicious code. The web application accepts this new code as valid, giving them access to the database where they can view, change, or download sensitive information.
As nonprofits digitize their operations, they need to focus on protecting their data and reputation. The first step to putting a cybersecurity plan into place is to identify, analyze, and understand sources of risk.
Before doing anything else, every organization needs to identify and classify the data it collects, transmits, processes, and stores.
When starting the identification process, nonprofits should look to see whether they collect:
Next, they need to know where they store this information, including the following locations:
Finally, they need to understand who has access to the data, including:
After collecting these lists of data, places, and people, nonprofits should assess their risk. For example, some users may be at a greater risk than others. An IT admin who can create accounts or change any information is a higher risk than a volunteer who might only be able to access a single computer with limited internet connectivity.
After determining the risk that each data type, user, and device poses, the organization needs to analyze the impact that a data breach would have. This means looking at the likelihood that a data breach would occur in combination with the financial and reputational impact that the breach would have on the organization. This will help nonprofits create a cybersecurity strategy that protects against a wide variety of vulnerabilities.
Not every risk is equal. Some assets are low risk. For example, a single computer located on-site that has no internet connection is a low-risk asset. Meanwhile, a cloud database that stores sensitive information and is outfitted with many third-party applications is a high-risk asset.
By drilling down into the actual risks, the nonprofit can decide how to prioritize its cybersecurity risk mitigation strategies. In some cases, a risk may be too high, so the organization finds another tactic to avoid the risk entirely. For example, a certain provider may not have a great reputation for security, so they pivot to a different provider with cutting-edge security. In other cases, the organization may decide to mitigate the risk by putting security controls in place or transfer the risk by purchasing cyber risk insurance.
Nonprofits need to digitally transform their operations so that they can continue to have an impact on the world’s most critical social issues. SoftwareONE recognizes this need and is committed to working with nonprofits so they can deploy leading-edge, secure, and innovative technology to advance their mission.
SoftwareONE is committed to working with Microsoft Tech for Social Impact, building out affordable and accessible tools to protect nonprofits and their data while helping them transform. Through our ONEImpact services, we strive to empower nonprofits to upgrade their technological infrastructure in a way that ensures these typically understaffed and overstretched IT teams have the tools they need to protect data.