Technology Guidance for Business Leaders | Ntiva Blog

The Ultimate Cybersecurity Guide for Nonprofits: 10 Best Practices

Written by Margaret Concannon | May 21, 2024

Cybersecurity is like a superhero in today’s world—it's needed now more than ever.

If we keep the analogy going, cyberattacks are like supervillains, targeting organizations of all shapes and sizes, from small businesses to multinational corporations.

Unfortunately, despite their good intentions, nonprofits are not exempt from cybercriminals' crosshairs. Because such organizations often handle sensitive or confidential data and support valuable causes, they are prime targets for these attacks. This makes cybersecurity for nonprofits a crucial piece of the puzzle.

71 percent of nonprofit organizations reported experiencing at least one cybersecurity incident in 2022.

(Source: 2022 Managing Nonprofit Tech Change Report)

According to a recent Nonprofit Technology Enterprise Network (NTEN) study, an alarming 71 percent of nonprofit organizations reported experiencing at least one cybersecurity incident in 2022 alone.

This statistic is a stark reminder of the critical need for robust cybersecurity protection within the nonprofit sector, and it is especially concerning considering that an earlier NTEN study concluded that as many as 80 percent of nonprofits don’t even have policies in place for responding to cyberattacks.

By understanding their unique challenges and adopting proactive security measures, nonprofits can continue making a positive impact while protecting themselves from malicious cyber threats.


Why is Nonprofit Cybersecurity Critical?

Nonprofit organizations collect a lot of personal and financial data from their donors, volunteers, and employees. They use this information for operations, fundraising, and marketing purposes.

Unfortunately, many nonprofits don’t take adequate cybersecurity measures to protect this sensitive information, which makes them easy targets for cybercriminals. According to a report by Net Diligence Cyber Claims, nonprofits are one of the top five most targeted industries for cyberattacks.

Here are a few reasons why nonprofits are targeted by bad actors:

First, nonprofits tend to have less staff and financial resources for effective cybersecurity than corporations.

Not only that, they are also more likely to operate on legacy systems that hackers can exploit.

This makes them vulnerable to attacks that can encrypt data or bring down their system for ransom payments.

Additionally, since more and more people are giving online donations and paying for services via digital channels, nonprofits must ensure that their payment processes are secure to avoid being exposed to hacking attempts.

Cybercriminals may be looking for a way to monetize this information or they might simply want to steal information for their own gain.

Most nonprofits depend on a large number of volunteers to conduct their operations. While the vast majority of volunteers are well-intentioned and security-aware, some may not be. They can also be a liability for the organization, as they do not go through the same background checks and training as paid staff members.

Most nonprofits are cash-strapped and eager to put every dollar toward fulfilling their missions, but cutting corners on security can leave them open to cybersecurity threats.

When a cyberattack happens, it can be extremely damaging to the organization. It can erode trust and lead to loss of support. It can also strain internal resources, which can cause a negative impact on the organization’s service delivery.


Cybersecurity Threats Facing Nonprofits Today

Nonprofits do some of the most important work in the world—from helping families through tough times to funding children's education. However, they also hold a lot of sensitive data, making them attractive to hackers and cybercriminals.

The good news is that nonprofit organizations and foundations have access to cybersecurity services that can help them protect their networks and information. In fact, many of these organizations can recover from a cyberattack by having the right preventive measures in place and ensuring they have proper nonprofit cyber insurance coverage.

Some of the most common threats to nonprofits include third-party vendor data breaches, email phishing schemes, and ransomware attacks. These types of attacks can result in the theft of usernames, passwords, and personal financial information.

In addition, a third-party data breach can devastate nonprofits that do not regularly back up their information or use a cloud storage service to keep their information safe.

Another common threat to nonprofits is unprotected USB drives. While this may seem like a trivial risk, it can be an effective way for hackers to gain unauthorized access to confidential and sensitive information. Nonprofits can minimize this risk by only using secure USB ports, not leaving USB drives in public areas, and ensuring that staff members maintain strong passwords and update their antivirus software.

Lastly, unprotected laptops and desktops can also be a big security risk for nonprofits. Hackers can easily access confidential and sensitive information on a computer by simply connecting it to a public Wi-Fi network. Nonprofits can minimize the risk of these devices being compromised by requiring staff to keep their devices protected with strong passwords, setting monitors to auto-lock, and using a VPN when working remotely.


Nonprofit Cybersecurity Best Practices Checklist

It's clear that investing in cybersecurity is essential for nonprofits to stay secure and be able to continue their valuable work. Employing the following best practices can help protect your organization's assets, safeguard donor information, and maintain the trust of your stakeholders:

1. Develop a cybersecurity policy.

Create and distribute a comprehensive policy that outlines the organization's approach to cybersecurity. This policy should cover data protection, password management, employee responsibilities, incident response, and remote work/BYOD guidelines.

2. Educate and train staff.

Provide cybersecurity awareness training to all employees and volunteers. Teach them about common threats, such as phishing and social engineering, and how to recognize and report suspicious activities. Regularly reinforce the importance of following security protocols.

3. Use strong and unique passwords.

Encourage the use of strong passwords and implement multi-factor authentication (MFA) wherever possible. Discourage password reuse across multiple accounts, and consider using a password manager to securely store passwords.

4. Keep software and systems up to date.

Regularly update operating systems, applications, and software to protect against known vulnerabilities. Enable automatic updates whenever possible, or establish a patch management process to ensure timely updates.

5. Secure devices and networks.

Implement robust security measures for devices (such as computers, laptops, and mobile devices) and networks (like firewalls and intrusion detection systems). Use encryption for sensitive data both at rest and in transit.

6. Back up data regularly.

Regularly back up critical data to a secure off-site location. Test data restoration procedures periodically to ensure backups are reliable. This helps mitigate the impact of data loss due to cyber incidents or hardware failures.
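To make the "test your restores" advice concrete, here is an added example (it is not code from Ntiva or from the original post) in Python showing the kind of automated restore test a small IT team can schedule after each backup job. It archives a folder, records a SHA-256 manifest of every file, restores the archive into a scratch directory and compares each restored file against the manifest, and then shows how the same check flags a backup that has gone stale because the live data changed after the backup ran. The folder names, file contents and archive name are constructed sample values; the `filter="data"` extraction option is used only when the running Python version supports it.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backups never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write source into a gzipped tar archive and return the manifest taken at backup time.

    The manifest is what a later restore test is compared against, so store it
    with the backup (or in a separate location) rather than recomputing it from
    the live data.
    """
    manifest = snapshot(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore the archive into a throwaway directory and check it against the manifest.

    Returns a list of human-readable problems; an empty list means every file in the
    manifest came back byte-for-byte identical and nothing unexpected appeared.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        # Newer Python versions can reject archive members that would escape dest.
        extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(dest, **extract_opts)
        restored = snapshot(dest)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content mismatch: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected file in restore: {rel}")
    return problems


def run_demo() -> tuple:
    """Exercise the backup and restore check on constructed sample data.

    Returns (files backed up, problems for a fresh restore, problems once the
    live data has drifted from the backup).
    """
    with tempfile.TemporaryDirectory() as workdir:
        source = Path(workdir) / "shared-drive"  # constructed sample folder
        (source / "donors").mkdir(parents=True)
        (source / "donors" / "donors.csv").write_text("name,amount\nA. Donor,50\n")
        (source / "readme.txt").write_text("grant files for the current year\n")
        archive = Path(workdir) / "nightly.tar.gz"

        manifest = create_backup(source, archive)
        fresh_problems = verify_restore(archive, manifest)

        # Simulate a day of work: the donor list grows, but no new backup is taken.
        (source / "donors" / "donors.csv").write_text(
            "name,amount\nA. Donor,50\nB. Donor,25\n"
        )
        stale_problems = verify_restore(archive, snapshot(source))
        return sorted(manifest), fresh_problems, stale_problems


if __name__ == "__main__":
    backed_up, fresh, stale = run_demo()
    print("backed up:", backed_up)
    print("fresh restore problems:", fresh)
    print("problems vs. live data:", stale)
```

Run this on a schedule against the real backup target and treat any non-empty result as an incident to investigate: a missing or mismatched file after restore means the backup cannot be trusted, while mismatches against the live data tell you how far behind the last good backup is.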

7. Implement strong email security measures.

Use email filtering and spam protection to block malicious emails. Train staff to identify phishing emails and avoid clicking on suspicious links or opening attachments from unknown sources.

8. Establish an incident response plan.

Develop a clear and documented incident response plan that outlines the steps to be taken during a cybersecurity incident. Assign roles and responsibilities through access control measures, establish communication channels, and define escalation procedures.

9. Regularly assess and audit security.

Conduct periodic cybersecurity assessments and audits to identify vulnerabilities and weaknesses. Perform penetration testing and vulnerability scanning to uncover potential flaws in the organization's systems.

10. Partner with a reputable cybersecurity provider.

Consider recruiting a cybersecurity provider with expertise in the nonprofit sector. They can help assess the organization's security posture, provide recommendations, and assist with incident response if necessary.

Remember that cybersecurity is an ongoing effort. Stay informed about the latest threats and best practices, and regularly review and update your security measures to adapt to evolving risks.


Understanding Nonprofit Cybersecurity Risk

A strong culture of cybersecurity is essential for any nonprofit, and it should include executives, board members, staff, and volunteers. Everyone should understand how important their actions are to keeping the organization safe, and they should be encouraged to report any potential vulnerabilities or risks to their supervisors.

Nonprofits without the resources to employ full-time cybersecurity personnel should consider partnering with a managed service provider like Ntiva that can help them assess their current risks and weaknesses as well as offer recommendations for improvements. Consider us your trusty sidekick in the ongoing battle against cybercrime.

Most importantly, our dedicated team of experts can help your nonprofit organization get the most out of its IT investments—ensuring your technology syncs with your workflow and provides the protection and ease you need to serve your mission.