Strengthening Cybersecurity for Non-profit Organizations – Risks, Challenges, and Best Practices the Board Can Adopt

Cybersecurity for non-profit organizations is often not as robust as for commercial organizations, and, therefore, strengthening cybersecurity for non-profit organizations remains a point of concern for the board of directors. The board is expected to implement cybersecurity best practices to mitigate and manage the risks, but they must also ensure that the tone at the top is set correctly. Non-profit organizations work for public or social benefits and rely on donations from their volunteers and benefactors. They also have sensitive and confidential data of others in their possession, the same way as a commercial organization. These scenarios immediately raise some potential cybersecurity issues, for example, payment security, security of cardholder data, data privacy, data sovereignty, etc., to name a few. Hence, it is an essential obligation of the board to adopt cybersecurity best practices for non-profits, device cybersecurity strategies, and implement cybersecurity frameworks to safeguard the organizational information assets. They must also ensure the security of the data at rest, data in motion, and data in transit.

Cybersecurity Risks and Challenges Facing Non-Profits

A significant portion of non-profit organizations’ budgets is focused on the welfare of the cause they support. It is difficult for them to spend money on other expensive services such as cybersecurity despite cybersecurity risks in non-profits being an increasing concern. As per the “2021 NONPROFIT CYBERSECURITY INCIDENT REPORT” from  CommunityIT, government organizations, thinktanks/ NGOs/ government contractors and other sectors make up more than half of the recent cyberattacks victims.

Many non-profit workers are social workers who do not come from a technical background that can support their cyber security needs. The only option such organizations have is subscribing to external cybersecurity for non-profit consulting firms. From accidental data losses to ransomware and targeted phishing attacks, cybersecurity for non-profit continues to face the following risks due to inadequate control measures or its absence.

1. Online donations and payment risks: Online payment methods have gained popularity globally, and most donors make payments online, increasing the cybersecurity risks for non-profits. For these organizations, it is imperative to examine their payment processes and their data storage to avoid malicious actors interfering with the transactions.
2. Phishing, ransomware, and DoS attacks: Social engineering attacks, phishing, ransomware, and Denial of Service (DoS) attacks in non-profits occur at an increased rate due to lack of awareness or not following basic cyber-hygiene practices. Especially the pandemic has also paved the way for adversaries to explore more avenues to execute phishing attacks as more people and businesses move online.
3. Data privacy risks: Non-profit organizations store a lot of sensitive data related to their volunteers and donors. If such sensitive information is stolen, compromised, or publicly exposed, it may cause reputational or financial damage to the volunteer or donor and lead to a loss of trust in the organization.
4. Reputational losses: Data breaches and cyber-attacks on non-profit organizations can cause a loss of faith. They will lose their donors, volunteers, and the groups they support. It will affect the long-term funding of the organization, resulting in challenging conditions for the groups they assist.
5. Financial losses, lawsuits, and regulatory fines: When cyber threats to non-profit organizations can risk the loss of sensitive data belonging to the individuals they support, their volunteers, and their benefactors, further exposing these groups to direct cyber-attacks. As a result, they might sue the organization, causing financial losses in the form of lawsuits and regulatory fines. Nonprofit organizations can’t afford to ignore the regulations like GDPR.

Cybersecurity Best Practices for Non-profits Board

Cyberattacks are increasing at a rapid pace, which makes cybersecurity for non-profit that much more important. In a recent report from the Check Point Research, there was a significant increase in the average weekly number of cyberattacks on each organization between Mar-2020 to Sep-2021.

Non-profits must also follow cybersecurity industry best practices like other business organizations since they can compromise the sensitive data of many people by neglecting cybersecurity.

1. Tone at the top: The top-level executives or C-level in non-profit organizations should actively communicate the importance of information security at each level. With sustained efforts, risk management, and spreading cybersecurity for non-profit awareness, the board can elevate the organization’s cybersecurity posture and build a cyber-aware culture.
2. Provide employee awareness, training, and education: The employees and volunteers should be trained and educated on healthy cybersecurity practices to reduce cyber threats to non-profits. An aware employee is less likely to click on a suspicious URL or download files or apps from unknown websites that can expose the organization to cybersecurity risks.
3. Protect devices, applications, and network systems: Organizations should also subscribe to anti-malware services to protect the devices, networks, and servers from suspicious websites and malware. Also, the software, applications, and operating system must be updated and patched regularly.
4. Having well-defined policies, procedures, and guidelines: The board can formulate policies, but ensuring effective implementation will depend on how procedures and guidelines are defined and implemented. Ensuring that cybersecurity policies are aligned with the business objectives is the key to implementing a successful cybersecurity program.
5. Establish continuous monitoring, auditing, and compliance: Organizations should conduct regular audits and ensure continuous compliance with policies, best practices, and regulations. Employees, volunteers, and other stakeholders must keep a tab on their online behavior, especially on social media. They must also educate them on the importance of healthy cybersecurity practices or basic cyber-hygiene.
6. Nurture cybersecurity culture: A culture oriented toward healthy cybersecurity practices in non-profit organizations can reduce the risks of security threats to a significant extent.

Final Words

Cybersecurity is among the most significant concerns for organizations worldwide, where cyber-attacks occur daily, causing losses amounting to millions daily. Although non-profit organizations do not work for profit or have an expandable budget, not investing in cybersecurity can cause more damage in the long run. Hence, the board must inculcate healthy cybersecurity for non-profit organizations alongside subscribing to expert cybersecurity services or engaging with cybersecurity for non-profit consulting firms who can understand your unique IT and security environment and help your organization elevate its cybersecurity posture while remaining within the budget to safeguard the confidentiality, integrity, and availability of your valuable information assets.  

---

References

1. National Council of Nonprofits. Cybersecurity for non-profit. https://www.councilofnonprofits.org/tools-resources/cybersecurity-nonprofits
2. Bruce, A. (2020, February). Cybersecurity for Nonprofits A Guide. Nten https://www.nten.org/wp-content/uploads/2020/02/Cybersecurity-for-Nonprofits_-February-2020.pdf
3. Morley, J. (2021, July 8). Why cybersecurity is necessary for non-profits. SoftwareONE https://www.softwareone.com/it-it/blog/articles/2021/07/05/why-cybersecurity-is-necessary-for-nonprofits
4. TCA SynerTech. 2021 guide for cybersecurity for non-profit organizations. https://www.tcasynertech.com/2021-cybersecurity-guide-for-nonprofit-organizations/
5. AmtrustFinancial. cybersecurity for non-profit risks: Common attack methods. https://amtrustfinancial.com/blog/industry-specific/nonprofit-cyber-security-risk