CyberSecurity for Nonprofits: How to Protect Your Donor Data
In February 2020, the social enterprise cloud services company Blackbaud was hacked as part of a ransomware attack. As a result, important personal information, including financial data, was exposed. Not only did they not find out they had been hacked until May, but they also didn’t announce the hack until July, leaving nonprofit professionals wondering just how secure their data might be.
Blackbaud serves as an important reminder that any organization, including nonprofits, that collects data is responsible for ensuring its security. But if you look at the statistics, nonprofits often do less than the bare minimum to protect their donors, staff, and volunteers’ confidential information.
According to a study by Community IT:
- Nonprofits aren’t watching for cyber threats: 70% of nonprofits have not performed a vulnerability assessment to check cybersecurity risks.
- Nonprofits don’t seem to be worried about cyberattacks: 80% of nonprofits lack a cybersecurity policy.
- The threat is real: Hackers attack more than 2,000 times per day on average.
Despite these statistics, you might still be wondering why nonprofit organizations need to bother with cybersecurity. After all, most nonprofits aren’t exactly sleeping on a big pile of money at night, right? Well, let’s break it down together.
Why Nonprofits Should Watch for Cyber Attacks
Nonprofit organizations are not known for having lots of cash on hand, so it may seem like the risk of theft, especially digitally, is low. However, consider the fact that hackers most often aren’t after your cheddar, at least not directly.
In 2017, the Economist noted that “the world’s most valuable resource is no longer oil, but data.” Payment information, phone numbers, email addresses, passwords, social security numbers, etc., all have value in legitimate and illegitimate markets. Once acquired, they can be sold to whoever needs them—from honest companies looking to build their sales contact lists to nefarious organizations who want to use data to perpetrate further crimes.
Nonprofits store a lot of donor information, which makes them a delicious target for threat actors. If your organization does any of the following, it’s time to review your cybersecurity:
- E-commerce activities: such as donation processing or event ticketing.
- Storing and transferring personally identifiable information: such as medical information, employee records, drivers’ licenses, addresses, social security numbers, credit card information, especially when stored in conjunction with contact information like phone numbers and email addresses.
- Collecting and storing personal preference information: such as donation habits, areas of interest, newsletter subscriptions, etc.
Chances are, your nonprofit does more than one thing on this list, which makes you a target. So let’s take a closer look at the possible threats to your systems.
What are the Potential Cyber Threats to Nonprofits?
While it’s fine to know that there are general threats to your computer systems, it can be helpful to understand more precisely what types of threats are out there so you can better plan your next course of action.
Here are the most common potential cyberattacks on nonprofits:
1. Data Breaches
A data breach occurs when someone gains unauthorized access to your systems and extracts data that can be sold. Access may be gained due to employee error, malicious employee intent, or by guessing or inferring login credentials.
2. Forced Downtime
Hackers who disagree with an organization’s mission may breach a system and install malware that prevents it from continuing operations. For example, a propaganda-based organization may want to hack a human rights nonprofit organization in advance of an election to prevent it from advocating for pro-truth candidates.
3. Ransomware
Ransomware is a term that refers to any software, virus, or malware that uses encryption to hold your computer and data hostage. Such software attacks your systems and displays messages demanding that you take questionable actions before you can regain control of your systems or retrieve your data.
Why Are Nonprofits at Higher Risk of Cyberattacks?
There are many reasons that nonprofits are at a higher risk for cyberattacks compared to other organizations. Still, it all comes down to a foundational belief that nonprofits have about themselves: that they aren’t high-value targets.
Most nonprofits don’t have a lot of financial resources that would be worth the effort for criminals, so security is low on the list of things to do. But now that we’ve discussed that data is the real target and that nonprofits are stocked up with plenty of personal information, it should be easy to see why security needs to be prioritized.
Here are six factors that make nonprofits vulnerable to cyberattacks:
- Nonprofits have Limited Resources: Security costs money, and when push comes to shove, most nonprofits will choose to put limited financial resources into programs instead and just hope to fly under the radar of criminals. Charity First observed that only 29% of nonprofit executives have plans to increase their cybersecurity budgets, even as hacks are rising.
- Lack of Basic Security Measures: Though there are many easy-to-implement measures that nonprofits can take to safeguard their data, most nonprofit organizations just don’t because they don’t think they’re at risk. Unfortunately, this mindset makes nonprofits susceptible to dangerous and malicious cyberattacks.
- Outdated Technology: Due to limited budgets, nonprofits often use obsolete hardware and software that are especially susceptible to outside attacks.
- Ignorance or Lack of Awareness: Many nonprofit organizations aren’t thinking about threats and don’t even realize that hackers may be trying to access their systems. Many nonprofit professionals may simply not be aware of the possibility and negative impacts of cyber attacks, and as such, they don’t take measures to protect themselves.
- Inadequate Storage Systems for Donor Data: In their effort to fundraise more effectively, nonprofits collect a great deal of donor data, including payment information, and hackers are well aware of this fact. Unfortunately, many nonprofits do not have proper systems in place for storing donor data. CRMs, like Keela, are designed to protect you and your donors from losing valuable information to cyber attacks.
- Volunteer Access: Giving non-employees access to your systems may seem like a necessity. Are you sure you can trust every volunteer with your data?
10 Ways to Improve Your CyberSecurity
We’ve discussed the many reasons nonprofits may have inadequate data security. But none of those reasons should be an excuse. Your organization is legally obligated to protect your donor data. If you aren’t safeguarding donor data, you run the risk of damaging your nonprofit’s brand if something goes wrong.
Luckily, there is plenty you can do to protect your organization. Here are ten ways you can improve your nonprofit’s cybersecurity.
1. Keep Software and Systems Updated
Outdated systems are one of the main reasons organizations get hacked. Ensure every software and computer you use is updated regularly. Assign a team member to be in charge of updating your systems. If no one on your team is tech-savvy, hire an IT consultant who can occasionally come in to get you sorted out.
2. Strengthen Authentication
Using strong login credentials is a great way to ensure that only authorized users are accessing your system. Users should use complex passwords and avoid using the same password on multiple accounts.
Consider implementing multi-factor authentication (MFA), an extra layer of security that combines standard log-in information with a unique code sent to another device such as a smartphone. It’s also a good idea to use a password management system that lets you control password usage and share passwords between users in a secure way.
3. Restrict and Manage Privileges
The more people who can access your information and donor data, the more susceptible you are to cyber-attacks. Only give access to team members who need it to do their work. Additionally, make sure your passwords are stored safely and, if possible, use two-factor authentication for logins.
4. Restrict Private Devices
As much as possible, encourage team members to only access your donor data while using your organization’s computers or network. If team members have to work from home and use their devices, make sure their private devices are encrypted.
5. Acceptable Use Policies
There are many reasons your employees need to be using the internet at work. Downloading illegal software is not one of them. Visiting the questionable corners of the World Wide Web can open you up to attack. It’s up to you to decide what is an acceptable use of work devices; make sure they understand the line between reading TMZ on their lunch break and dealing counterfeit bitcoins.
6. Back-Up Data
In the event of a hack, you’ll be happy to have your data backed up, especially in the case of a ransomware attack. Backing up your data periodically to a computer that is not always connected to your network is a great idea, but backing up information to a server in a different location is even better. Try to find a backup service that keeps your data in a fireproof location within your country, in an area of low seismic risk and far enough away that a major disaster affecting your office won’t also affect the server.
7. Document Your Security Protocols
NTEN reports that only about one-fifth of nonprofits document their security programs. But it’s one of the best things you can do to ensure that your organization is following preventative measures and recovery protocols following a hack. Document your policies and procedures and then train employees to follow them.
8. Encrypt and Secure Your Systems
Making your systems harder to access is more than just updating software. Install antivirus and anti-malware software, consider installing a firewall, and use monitoring software so that you are aware of attempted hacks.
9. Educate Your Nonprofit’s Team Members about Cybersecurity
Many breaches result from human error, yet a substantial number of nonprofits don’t provide any cybersecurity training to their staff. Simply explaining the risks and mitigating protocols (everything we’ve discussed so far) goes a long way toward securing your systems.
10. And Lastly…Use Keela.
Did you think we wouldn’t toot our own horn?
Using Keela means that your data is securely stored in your home country and safe from foreign influence. For example, if you run a Canadian nonprofit, you can rest assured that your data isn’t being transferred across borders where it may be subject to different, less secure laws.
Keela also encrypts your data using an algorithm that hides personal information in the unlikely event of a breach. So instead of seeing “Dave Johnson,” hackers see a sixteen-digit code that is worthless to them. Like everything at Keela, it’s just the smart way to do it.
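To make the idea above concrete, here is an added example (not Keela’s code, and not a description of how Keela does it) of pseudonymizing donor records: PII fields are replaced with a keyed 16-digit token, and the token-to-name mapping lives in a separate vault, so a leaked working table alone shows codes rather than names. The donor records and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample donor records; the people and addresses are invented.
DONORS = [
    {"id": 1, "name": "Dave Johnson", "email": "dave@example.org", "gift": 250},
    {"id": 2, "name": "Priya Shah", "email": "priya@example.org", "gift": 75},
]

def pseudonymize(value: str, key: bytes) -> str:
    """Map one PII value to a 16-digit token with keyed HMAC-SHA256.

    The key is what makes this safer than a plain hash: a name or email has
    little entropy, so an unkeyed hash could be matched against a list of
    common values, whereas without the key the token reveals nothing.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**16:016d}"

def split_records(donors: list, key: bytes):
    """Return (working_table, vault).

    The working table keeps only tokens and non-identifying fields and is
    what day-to-day reporting runs on; the vault maps token -> PII and is
    stored and access-controlled separately, so a leak of one without the
    other exposes no donor identity.
    """
    working, vault = [], {}
    for d in donors:
        name_tok = pseudonymize(d["name"], key)
        email_tok = pseudonymize(d["email"], key)
        working.append({"id": d["id"], "name": name_tok,
                        "email": email_tok, "gift": d["gift"]})
        vault[name_tok] = d["name"]
        vault[email_tok] = d["email"]
    return working, vault

def reidentify(record: dict, vault: dict) -> dict:
    """Restore PII for one working-table row; only holders of the vault can."""
    return {**record, "name": vault[record["name"]], "email": vault[record["email"]]}

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice kept in a KMS/HSM, never beside the data
    table, vault = split_records(DONORS, key)
    for row in table:
        print(row)                 # name and email appear as 16-digit codes
    print(reidentify(table[0], vault)["name"])  # "Dave Johnson"
```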