Why Cybersecurity Matters for Nonprofits
According to The NonProfit Times, more than 7 million people were impacted by data breaches at nonprofits in 2023. But many nonprofits still remain unprepared to defend against cyber attack, either due to lack of adequate funding or because they do not perceive themselves as prime targets for hackers and cyber criminals. And yet, 27% of respondents to a 2023 Nonprofit Tech for Good survey reported having experienced a cyber attack.
59% of nonprofits have done no cybersecurity training for staff
Less than 50% of nonprofits use multi-factor authentication
Less than 30% have done a vulnerability assessment
Information network security and defense against cybercriminals have shot to the top of governance agendas at nonprofits nationwide. Small and medium-size nonprofits in particular grapple with limited IT budgets and often are understaffed in terms of in-house IT expertise.
As a result, many nonprofits are turning to third-party managed service providers (MSPs) that can provide IT security technology and on-demand remote support using software-based and cloud-enabled solutions.
A new model for making sure your organization’s data is secure
Many nonprofits have fewer than 50 employees. Many have fewer than 10! Much of the time, it’s just not an option for a nonprofit to hire an in-house IT team. And even if they have someone who “knows about tech,” there’s still a challenge in properly building out and maintaining a network that is secure and safe from cyber threats and also configured to support intensive data requirements, remote and hybrid work realities, and the ever-present need to be mindful of cost.
Fortunately, as technologies become more and more service-based, nonprofits can take advantage of efficient, outsourced support for IT security, phone and data management, and desktop support to ensure that staff computers are kept healthy and secure when outfitted with a variety of web-based tools that are ubiquitous in the modern office: Google, Dropbox, Slack, Adobe, Teams, and many others. Although remote IT support has become more affordable and logistically feasible for nonprofits, many organizations still struggle to create an IT strategy and budget or go through the process of researching, negotiating and onboarding new vendors when there are so many competing priorities for nonprofit leaders to consider at any given moment.
What steps can nonprofits take to improve cybersecurity?
Protect Every Device
Nonprofits should develop device policies that give employees clear guidance on how to responsibly use their smartphones, laptops, tablets, and desktop computers to conduct business on behalf of the organization. Antivirus software should be installed on all devices. Whenever possible, organizations should provide phones to their employees, whether desktop handsets or mobile phones. Many telecom providers today will provide phones as part of their service offerings, so nonprofits don’t need to worry about purchasing large quantities of phones for their employees. This also helps to ensure that any device that connects to the organization’s network is secure and functioning properly. Real-time monitoring by a remote managed service provider (MSP) is a smart step that nonprofit leaders can take to proactively protect their organization’s data and sensitive information as the threat landscape constantly changes and criminals become more sophisticated.
Secure Networks
Having the proper hardware in place—switches, firewalls, etc.—will help fortify your networks and prevent bad actors from getting inside. Following best practices for passwords and changing them often is a simple step that anyone can take to protect their data. Any online activity that involves processing financial information—credit cards, social security numbers, addresses and passwords—should be protected by data encryption, two-factor authentication and other basic measures.
Routine Training and Reminders
Cybersecurity training isn’t something that’s done just once. It should be an ongoing program that is prioritized and taken seriously by all members of an organization. Nonprofit leaders can set the example by ensuring that training is done on an ongoing basis. Many MSPs also offer security awareness training that promotes safe handling of data, responsible use of email and other forms of digital communication, and how to stay alert against hackers, scammers and thieves.
Backup Data Often and Store Copies in Multiple Locations
Data storage is affordable and accessible. Your organization’s data is critical, and loss of access to that data could cause catastrophic, irreversible damage. Having a plan and process for routine backups to more than one secure storage location is critical.
Have an IT Policy and Incident Response Plan
Having an IT policy guide that is available to all employees is a critical piece of any IT security plan. Everyone who uses your organization’s technology or logs on to your network should use basic common sense and follow best practices to make sure you can protect your organization’s data and guard against cyber attack. Regular training can reinforce good habits and give periodic reminders on how employees can protect themselves—and the organization—online.
No matter how well you prepare, there’s never a 100% guarantee against falling victim to an attack. Nonprofits should plan ahead and create an Incident Response Plan to minimize the negative impacts and recover quickly from any successful attack. Protecting data, isolating the threat, and learning from the experience will strengthen cybersecurity over the long haul.
Bottom Line
There’s no shortage of reasons why nonprofits need to prioritize a robust cybersecurity strategy. Understanding the risks and taking a reasonable approach can help organizations see quick improvements to where they are today. Affordability of equipment and the emergence of the “IT as a service” model offer increased opportunity for savings and the ability to add expert 24/7 support.
Next Steps
A cyber audit is a quick assessment that can give you an actionable plan for addressing cybersecurity priorities. We offer them at no cost.