Why cyber security is necessary for nonprofits and how to protect your nonprofit organization

Joe Morley, Technical Evangelist

Although nonprofit organizations exist to do good in their communities and across the world, many of their daily operations parallel those in the commercial space. For example, they collect sensitive information, whether from volunteers or as part of donation campaigns. However, unlike commercial enterprises, nonprofit organizations often have fewer monetary and staffing resources, which can cause them to struggle with securing data while keeping it accessible.

Since nonprofits rely on the goodwill and trust of their benefactors, protecting their data should be a mission-critical priority. Keep reading to learn why cyber security is necessary for nonprofits that want to protect their data – and therefore, their mission.

Why do nonprofits need cyber security?

Nonprofits collect, process, transmit, and store more sensitive information than they may realize. Despite their focus on their mission and goals, they engage in many of the same business operations as for-profit organizations, and these operations involve personally identifiable information, including:

  • E-commerce: processing donations, registering people for events, selling organization-branded items
  • Human resources: payroll processing, health insurance records
  • Marketing: email marketing, direct mailing

Nonprofits manage a lot of data and applications, but often don’t have the financial flexibility to invest in the technology and expertise necessary to protect their landscape. This leaves nonprofits of every size vulnerable to malicious actors. For instance, the Utah Food Bank recently fell victim to hackers who used the nonprofit’s website to access the sensitive data of more than 10,000 donors. This is a strong testament to why nonprofit organizations must carefully secure every solution and service they employ.

What are the cyber security risks nonprofits face?

In many ways, nonprofits face the same risks as organizations in other industries. To protect themselves, they need to be able to identify risk and understand how to best mitigate it.

Online donations

A growing number of donors choose to give online, with a 2020 Blackbaud report finding that online giving grew 20.7 percent year-on-year. With this in mind, many nonprofits have found their online giving channels an indispensable resource.

However, as demonstrated in incidents like the SolarWinds breach, third parties can leave nonprofit organizations open to risk. Nonprofits must carefully evaluate the services they use to collect and process these payments, and ensure their organization is prepared for the worst by conducting a risk and vulnerability assessment – otherwise, they might put their donors’ most sensitive information at risk.

Volunteers

Nonprofits often employ volunteers or short-term employees for specific, on-the-ground efforts. However, volunteers often do not go through the same rigorous security training or background check process as full-time employees.

This may make volunteers less cyber-aware, putting the organization at risk. For example, they may not understand how to create a secure password, or they may misuse access, accidentally or purposefully. Either way, this places the nonprofit’s sensitive information at risk.

Phishing scams and ransomware

To communicate with partner organizations and volunteers, nonprofits use email, SMS, instant messaging, and more. Each of these communication channels leaves employees vulnerable to social engineering attacks – and for malicious actors, nonprofits provide a prime opportunity.

Social engineering attacks usually start with phishing scams as a way to deliver malware, like ransomware.

Malware attacks

Generally, malware attacks start with phishing scams. However, malicious websites are another malware threat vector. Volunteers and employees looking for information on the internet may accidentally open a malicious website and download malware to their device.

SQL Injection attacks

Even though SQL injection attacks sound extremely technical, they are a common, easy-to-use attack method for malicious actors. Hackers may target website login portals that collect a username and password. They look for portals that are less secure and insert malicious code. The web application accepts this new code as valid, giving the attackers access to the database, where they can view, change, or download sensitive information.

How to protect nonprofits from threats

As nonprofits digitize their operations, they need to focus on protecting their data and reputation. The first step to putting a cyber security plan into place is to identify, analyze, and understand sources of risk.

Understand data sources and risks

Before doing anything else, every organization needs to identify and classify the data it collects, transmits, processes, and stores.

  1. When starting the identification process, nonprofits should look to see whether they collect:
    • Names
    • Birth dates
    • Home addresses
    • Email addresses
    • Social security numbers
    • Financial account information
    • Credit card information
    • IP addresses
    • Healthcare information
  2. Next, they need to know where they store this information, including the following locations:
    • Laptops/desktops
    • Mobile devices, like smartphones and tablets
    • Cloud services providers, like M365, Google Suite, or Box
    • Servers, both on-premises and in the cloud
    • Removable hardware, like USB drives
  3. Finally, they need to understand who has access to the data, including:
    • Employees
    • Volunteers
    • Third-party contractors
    • Third-party technology services providers
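Steps 1 and 2 can be partly automated. The sketch below is an added example, not part of the original article: it scans text from each storage location for a few of the data types listed above and reports which locations hold which types. The location names and sample records are constructed, US-style formats are assumed, and free-text fields such as names and home addresses still need manual review.

```python
import re

# Patterns for some of the data types in step 1 (US-style formats assumed).
PATTERNS = {
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
CARD = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate card numbers

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return the set of sensitive data types found in one blob of text."""
    found = {label for label, rx in PATTERNS.items() if rx.search(text)}
    for match in CARD.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            found.add("credit card number")
    return found

def inventory(stores):
    """Map each storage location to its data types, most types first."""
    result = {loc: classify(text) for loc, text in stores.items()}
    return dict(sorted(result.items(), key=lambda kv: -len(kv[1])))

# Constructed sample records, one per storage location from step 2.
STORES = {
    "volunteer laptop: signups.csv": "Dana Reyes,dana@example.org,2024-05-01\n",
    "cloud share: donations.csv":
        "dana@example.org,4111 1111 1111 1111,order 1234567890123456\n",
    "web server: access.log": '203.0.113.7 - - "GET /donate HTTP/1.1" 200\n',
    "USB drive: payroll.txt": "Reyes, Dana SSN 123-45-6789\n",
}

if __name__ == "__main__":
    for location, kinds in inventory(STORES).items():
        print(f"{location}: {', '.join(sorted(kinds)) or 'nothing detected'}")
```

The Luhn check keeps the 16-digit order number in the donations file from being reported as a card number, which cuts down the false positives a digit-count pattern alone would produce.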

Conduct a risk assessment

After collecting these lists of data, places, and people, nonprofits should assess their risk. For example, some users may be at a greater risk than others. An IT admin who can create accounts or change any information is a higher risk than a volunteer who might only be able to access a single computer with limited internet connectivity.

After determining the risk that each data type, user, and device poses, the organization needs to analyze the impact that a data breach would have. This means looking at the likelihood that a data breach would occur in combination with the financial and reputational impact that the breach would have on the organization. This will help nonprofits create a cyber security strategy that protects against a wide variety of vulnerabilities.

Drill down on the actual risks

Not every risk is equal. Some assets are low risk. For example, a single computer located on-site that has no internet connection is a low-risk asset. Meanwhile, a cloud database that stores sensitive information and is outfitted with many third-party applications is a high-risk asset.

By drilling down into the actual risks, the nonprofit can decide how to prioritize its cyber security risk mitigation strategies. In some cases, a risk may be too high, so the organization finds another tactic to avoid the risk entirely. For example, a certain provider may not have a great reputation for security, so the organization pivots to a different provider with cutting-edge security. In other cases, the organization may decide to mitigate the risk by putting security controls in place or transfer the risk by purchasing cyber risk insurance.

How SoftwareOne can help

Nonprofits need to digitally transform their operations so that they can continue to have an impact on the world’s most critical social issues. SoftwareOne recognizes this need and is committed to working with nonprofits so they can deploy leading-edge, secure, and innovative technology to advance their mission.

SoftwareOne is committed to working with Microsoft Tech for Social Impact, building out affordable and accessible tools to protect nonprofits and their data while helping them transform. Through our OneImpact services, we strive to empower nonprofits to upgrade their technological infrastructure in a way that ensures these typically understaffed and overstretched IT teams have the tools they need to protect data.

Digital Workplace Security

SoftwareOne Digital Workplace Security Services add security without contributing to your staffing overhead. We operate a dedicated security operations center (SOC) that tracks data vulnerabilities globally to prevent losses due to break-ins or employee errors.
