Cybersecurity Challenges and Best Practices for Nonprofits

Key Takeaways

  • 68% of nonprofits do not have documented policies and procedures in place should a cyberattack occur.
  • Nonprofits are particularly vulnerable to cyberattacks due to sensitive donor information, limited cybersecurity expertise, lack of personnel and resources, and dependence on volunteers and third-party vendors.
  • The best way to protect your nonprofit from cyberattacks is to create a culture of security that encompasses the entire organization.

Nonprofits and nongovernmental organizations (NGOs) face significant cyber threats. In fact, 27% of nonprofits worldwide have fallen victim to cyberattacks, according to the 2023 Nonprofit Tech for Good Report. Unfortunately, many of these organizations remain vulnerable due to outdated security protocols.

A report published by the Nonprofit Technology Enterprise Network (NTEN) revealed:

  • 68% of nonprofits do not have documented policies and procedures in place should a cyberattack occur.
  • Less than 50% of nonprofit organizations have internal procedures or policies in place to manage how data is shared with external agencies.
  • 71% of nonprofits allow staff members to use unsecured personal devices to access organizational emails and business files.

Since many nonprofits lack proper security protocols or up-to-date defense measures, they are considered low-hanging fruit for cybercriminals.

Why are Nonprofits Vulnerable to Cyberattacks?

In the realm of cybersecurity, nonprofit organizations face a distinct array of challenges. These arise from their organizational structure, the constraints of their funding, and the limitations of the tools at their disposal. Furthermore, the sensitive nature of the information they manage adds a layer of complexity to their cybersecurity needs.

These organizations often store personal, financial, or other sensitive information about donors and clients. Additionally, many nonprofits are associated with secondary organizations, such as healthcare or government entities, which possess their own data, services, and vulnerabilities. If a cybercriminal can exploit any weaknesses within these interconnected components, they can gain significant leverage.

Moreover, nonprofits frequently collect information from individuals who are vulnerable and at-risk, like low-income families, children, and the elderly. This also makes their data highly valuable to cybercriminals.

Other vulnerabilities specific to nonprofits include:

  • Limited cybersecurity expertise:

    Nonprofits often lack dedicated IT departments or cybersecurity professionals due to budget constraints. This lack of expertise and resources can make it challenging to implement and maintain robust security measures.
  • Third-party service providers:

    Nonprofits frequently collaborate with third-party vendors or service providers for various functions like fundraising platforms, cloud storage, or website management. These external partnerships can create additional entry points for cyberattacks if proper security protocols are not established and monitored.
  • Lack of awareness and prioritization:

    Nonprofits may underestimate the severity of cyber threats or believe that they are less likely to be targeted compared to larger organizations. This perception can lead to a lack of awareness and a failure to prioritize cybersecurity, making them more susceptible to attacks.

When cyberattacks specifically target nonprofits, the aim is often to obtain various types of information, such as research surveys, mailing lists, donation forms, meeting records, and donor details.

What Kinds of Cyberattacks Do Nonprofits Commonly Face?

The shift from traditional paper-based systems to digital storage means that personal and financial information is now increasingly vulnerable. It's crucial to recognize that any member of your team could unintentionally provide a "key" to cybercriminals.

Common cyberattacks endured by nonprofits include:

Ransomware:

In a ransomware attack, cybercriminals identify the most valuable data and compromise it until you pay a specific amount, often within a set timeframe. This is carried out by a form of malware that encrypts data on an infected computer or device. Cybercriminals demand payment for the decryption key.

Social engineering:

Cybersecurity for nonprofits often fails at the staff level due to a lack of proper training and resources. Cybercriminals employ deceptive tactics, often via email, phone calls, or text messages, to manipulate individuals and gain unauthorized access to organizational systems. Social engineering attacks exploit human error rather than relying solely on technical weaknesses.

Data breaches from employees:

Many data breaches occur due to employee negligence or malicious intent, leading to unauthorized access and theft of sensitive information. This can occur through actions such as mishandling data, sharing credentials, or falling victim to phishing attempts.

Malicious software:

Viruses and other forms of malware can infiltrate computers or mobile devices connected to the nonprofit’s network, putting sensitive information at risk. Malicious software can cause significant disruptions and compromise the integrity of data.

These cyberattacks can lead to serious consequences for nonprofits, including:

  • Exposure of confidential or sensitive information.
  • Inaccessibility of organization, donor, or client data.
  • Disruptions to operations, potentially leading to reputational damage and loss of support.
  • Strain on internal resources and management due to the need for data recovery and restoration.
  • Unforeseen costs associated with addressing a compromised environment, such as legal expenses, regulatory fines, and identity protection measures.

Best Practices to Strengthen Your Nonprofit’s Cybersecurity

The last thing you want to do is leave yourself—and your data—out in the open. And the worst time to start thinking about how to respond to a cyberattack is when you’re being breached. Therefore, proactive planning is key. To strengthen your nonprofit’s cybersecurity, it is essential to establish a culture of cybersecurity that is driven and emphasized by leadership. With this in mind, take the following steps to develop an effective cybersecurity program—and culture—at your nonprofit.

Assess and Test

Conduct a thorough audit of your current IT infrastructure to identify weaknesses, potential risks, and areas for improvement. This assessment will provide visibility over what’s happening in your environment and help create a roadmap for enhancing cybersecurity.

Align and Plan

Align your organizational risk with cyber risk and the threats that are relevant to your operations and data, as discovered in your assessment and testing. Engage with a consultant with expertise in your industry who can help you identify relevant threats to your organization type, the data you protect, your region, and more.

Formalize and Document

Document policies, plans, and procedures, defining acceptable use and roles in data protection. This includes developing your incident response plans, which outline how you’ll respond to specific incidents and who is involved when. Policies should also outline expectations for volunteers accessing your network and devices.

Educate and Advocate

Educate and train your staff on cybersecurity awareness, policies, and procedures. Emphasize the importance of cybersecurity and explain the rationale behind security measures. Help your team understand the value of cybersecurity in ensuring mission continuity and maintaining security.

Practice, Practice and Practice Again

Regularly exercise your incident response plans through simulated scenarios. Organizations that are prepared realize a savings of about 40% on data breaches because they’re able to respond and recover faster.

Next Steps for Ensuring the Security of Your Nonprofit

The cyber threat landscape is incredibly dynamic and ever-changing. It is imperative that you have a strategy fluid enough to adapt to this changing landscape.

With proactive planning and trusted advice, you can better understand your risk and empower the right people, processes, and technology to protect your data. A clear plan and a trustworthy team will help you prevent, detect, and respond to new cyberattacks and threats.