
Eight steps nonprofits should take to prevent cyberattacks

February 10, 2023 / 4 min read

Nonprofits are increasingly at risk for cyberattacks and security breaches. While financial costs to repair the damage can be high, the harm to your reputation and brand can be devastating. Follow these eight steps to defend your organization against threats.

While cyberattacks and security breaches at major retail, financial, and technology companies might be in the headlines more often, nonprofit organizations are equally at risk, both from malicious hackers and from inadvertent exposure. For nonprofits, beyond the financial impacts, which could include ransoms, settlements, breach notification costs, and more, a malicious attack could deeply damage confidence in your organization's brand and reputation.

Nonprofits typically handle a great volume of personally identifiable information (PII) for both donors and recipients, including credit card records, employee files, medical records, and other sensitive information, such as donor contact information (e.g., phone numbers, addresses, and email addresses) and transaction information.

The following are eight steps your nonprofit can take to help protect against a cyberattack or unintended security breaches.

1. Establish a perimeter defense

Think of this as defending your castle (and think of your castle as being anywhere you have employees working). Determine how secure your organization is, and patch up any holes related to access and communication using the following strategies:

2. Conduct a data inventory

Every organization has sensitive information that lives in many different places, such as network file shares, laptops, and mobile devices. In our increasingly electronic world, more and more sensitive information is migrating from hard copy to soft copy format, making it potentially accessible to anyone who can reach those systems. You can't protect data you don't know you have, so catalog where it is stored, who can access it, and how it moves.

3. Meet compliance standards

Privacy policies are constantly changing. Nonprofits must be aware and informed of changes and how they will affect data security. For example, if your organization accepts credit cards, ensure you understand the Payment Card Industry Data Security Standards (PCI DSS).

If your organization maintains patient medical records, it should be vigilant about compliance with HIPAA. The Health Information Trust Alliance's (HITRUST) Common Security Framework (CSF) is another compliance option to help ensure proper creation, access, storage, and exchange of sensitive and regulated data. Other compliance recommendations include:

4. Manage your users

Make sure you know who has access, to what, when, and how. For nonprofits, the users in question can include employees, volunteers, participants, and business partners.

5. Authenticate passwords

Is your password policy too simple? Do you have a policy at all? Are there different password requirements for different systems, roles, and levels of access? Weak passwords can mean big trouble; don't make it easy for hackers.

6. Monitor for suspicious activity

It can feel a little like Where's Waldo? when it comes to protecting your infrastructure. Nonprofits must continually monitor for threats and identify suspicious network traffic. There's an avalanche of information in system log data, so determine which tools you'll use to detect threats:

7. Be resilient

In the unfortunate event that a breach occurs, nonprofits need an overall information security strategy and ironclad cybersecurity plans in place to quickly get back on their feet. They should include:

8. Be aware

No business or organization leader wants to be the victim of a cyberattack, but chances are someone in your organization will fall for a "Nigerian prince" scam at some point in their lifetime.

People are the weakest link in the cybersecurity chain, so awareness training is one of the best preventative measures you can take.

This includes being mindful of more subtle ploys like:

The risk to nonprofits of a cyberattack or security breach is real, but many of these attacks can be prevented through careful planning and thoughtful execution. Regardless of your organization's size or type, it's leadership's responsibility to give stakeholders peace of mind and keep all of the organization's data secure by following best practices. The worst possible strategy is to not seek experienced guidance on how to protect against this risk.
