Safeguarding Good: Cybersecurity for Nonprofits 101

As technology advances, the fundraising landscape becomes more and more focused on digital solutions to reach wider audiences. However, these convenient fundraising options come with a risk many in the nonprofit world aren’t very familiar with—cybersecurity.

The importance of cybersecurity for nonprofits can’t be overstated, and your organization is not immune to the constantly evolving cyber threats that come with sharing information through the internet. Despite this risk, there are some best practices that you can implement that allow you to fundraise online without the constant worry of a cyberattack.  

• What is cybersecurity for nonprofits?
• Why do nonprofits need to worry about cybersecurity?
• Why are nonprofits vulnerable to cybersecurity attacks?
• Common type of cyberattacks
• NIST guidelines for cybersecurity
• Nonprofit cybersecurity best practices

What is cybersecurity for nonprofits? 

Cybersecurity for nonprofits is the practices, technologies, and strategies you employ to protect your digital assets, sensitive data, and online operations from possible cyber threats. Cybersecurity is the proactive approach you take to identify any vulnerable points, implement simple protective measures, and effectively respond to potential attacks. 

Why do nonprofits need to worry about cybersecurity? 

Did you know that, according to the 2023 Nonprofit Tech for Good Report, 27% of nonprofits have experienced a cyberattack? There are a few reasons why your organization should be concerned with cybersecurity, but the number one reason for concern is protecting personal information. Your nonprofit handles a lot of sensitive personal information from all the donations you receive and all the people you help. Your community trusts you to keep their private information safe, whether it’s your donors’ payment information or personal details about who you’re helping. Failing to secure this information not only exposes these people to privacy breaches, but it also puts your organization’s reputation and ability to help others at risk. 

When talking about cybersecurity with your team, it’s important to remember that cybersecurity is everyone’s responsibility. Every individual within your nonprofit, from staff to volunteers, plays a crucial role in maintaining cybersecurity. A collective effort from your entire team is required to maintain a strong defense against possible cyber threats. 

Why are nonprofits vulnerable to cybersecurity attacks? 

While your organization might not have as much personal information floating around as a large corporation, it doesn’t mean you’re not at risk. In fact, some cyberattacks can specifically target nonprofits because it’s assumed you’ll have less of a defense than a for-profit company. Nonprofits can underestimate cyberattacks. It’s easy to assume you’re not an appealing target for cyberattacks, which can leave you unprepared, making you an easier mark for cyber threats. 

Because nonprofits run off of donations, many organizations also have limited access to IT support. If you’re operating with limited resources, IT support might not seem like the biggest priority for you cost-wise. This limitation can make it even more challenging to implement and maintain comprehensive cybersecurity measures.  

Common types of cyberattacks 

There are many different cyber threats in the digital world, but four types of cyberattacks are more commonly seen in the fundraising world. 

• Phishing. Have you ever received an email from a fake account posing as Amazon or Apple, for example, asking you to click a link? That’s phishing! Phishing involves fraudulent attempts to obtain sensitive information by disguising the correspondence as if it were from a trustworthy entity. Your organization needs to educate your staff to recognize phishing attempts and avoid falling victim to these deceptive tactics. 
• Spoofing. Spoofing occurs when someone with malicious intent disguises their identity to gain unauthorized access to systems or data. This can be in the form of an email—similar to phishing. Or it can be an entirely fake website where someone creates a lookalike version of your donation form in order to trick your donors. Your organization must implement authentication measures to prevent spoofing. 
• Malware. Malware, which includes viruses and ransomware, poses a significant threat to nonprofits. There are many types of malware that can be downloaded onto a computer in different ways to steal information, so it’s best to educate your team on multiple malware types to defend against. Regularly updating your antivirus software and conducting security audits can help you mitigate the risk. 
• Denial-of-service attacks. Denial-of-service (DDoS) attacks aim to disrupt an organization’s online services by overflowing your system with fake requests. These attacks can prevent your donors from reaching your website to attempt to force your nonprofit to pay a ransom to the hackers. There are many resilient network infrastructures and DoS mitigation strategies your organization can use to minimize the risk of an attack. 

NIST guidelines for cybersecurity 

While you should still establish a comprehensive cybersecurity plan, The National Institute of Standards and Technology (NIST) provides a comprehensive framework for effective cybersecurity you can follow to get an understanding of what your plan should include. This framework consists of these five key elements: 

• Identify. Understand and document your organization’s assets, risks, and vulnerabilities. 
• Protect. Implement safeguards to ensure the security and privacy of all your data and systems. 
• Detect. Establish procedures for your team to identify and respond to cybersecurity events quickly. 
• Respond. Develop and implement an incident response plan for your organization to notify all necessary parties and mitigate the impact of cyberattacks. 
• Recover. Create strategies to restore any equipment that was impaired due to a cybersecurity incident and keep your community updated. 

Nonprofit cybersecurity best practices 

To decrease your nonprofit’s risk of experiencing a cyberattack, use these best practices to create a cybersecurity plan.

Assessing cybersecurity risks 

Before creating your cybersecurity plan, there are a few key risks your organization should assess to help you properly plan for cyber threats.  

• Vulnerable software. One of these primary risks for cyberattacks is vulnerable software. To prevent a cyber threat through software, you can regularly check your software’s security by conducting thorough vulnerability scans. These scans help you identify and address any weaknesses or outdated versions of old software. A simple way to stay ahead of potential weaknesses is by implementing automatic updates for software applications.  
• Staff. Another risk to assess is your staff. Your team can unknowingly expose your nonprofit to cyberattacks by clicking on malicious links or falling victim to phishing attacks. You can counter this risk by conducting scheduled training sessions to educate your team on cybersecurity best practices and common attack vectors.  
• Hardware vulnerabilities. The last key risk to assess is your organization’s equipment. Hardware vulnerabilities can pose a huge risk to your cybersecurity. Ensure that your nonprofit is regularly evaluating your equipment’s security, from your servers to your computers. Security measures, such as firewalls and antivirus software, can help keep your equipment safe from cyber threats. 

Creating a data breach response 

Once you’ve assessed your possible secuirty risks, you can start creating your own data breach plan. 

• Secure sensitive information. When creating your data breach response, one of your key focuses should be securing your sensitive information. If you experience a cybersecurity breach, it’s necessary to act as quickly as possible to prevent any further loss. Securing your sensitive information by isolating any affected systems, limiting system access, and taking measures to stop the spread of the breach needs to be your priority during a breach.  
• Fix vulnerable points. After the breach, your focus should be on fixing vulnerable points. The first step is identifying and addressing the points that led to the breach. To address these points, start by patching software, updating configurations, or implementing additional security measures to cover the vulnerable points. Being proactive about fixing vulnerabilities helps you prevent any future attacks and strengthens your overall cybersecurity. 
• Notify affected parties. If you experience a cyberattack, you must notify any necessary parties. Communicating any affected parties quickly is crucial for transparency, as well as to help your community secure their information.  

Educating your team 

Because the responsibility of cybersecuirty falls on everyone, you need to keep you and your team educated. 

• Best practices. To prevent a cyber threat, you need to train your team on best practices and common types of attacks to look for. Continuous education is key to maintaining a safe workforce. You can host regular training sessions to educate your team on the latest cybersecurity best practices and common threats they may face. This will help them recognize phishing attempts, practice safe browsing habits, and understand how to maintain healthy cybersecurity. 
• Breach plan. When you’re training your team, provide them with the steps for your breach plan. With clear and concise steps for reporting potential incidents, your team will be prepared in case of a threat. You can also outline the roles and responsibilities of each team member during a cybersecurity crisis to ensure everyone is ready.  
• Updated training. The digital world and the threats that come with it are constantly evolving, so you need to update training whenever necessary. Update any training materials to reflect the latest cybersecurity trends, threats, and prevention strategies to keep your staff up to date.  

Updating your software 

Another way to help you prevent any cyberattacks is to keep your software updated. 

• Automatic software updates. One way to keep your software up to date is to set your software to update automatically for any software applications and operating systems. This makes sure that your systems are operating with the latest security patches and bug fixes, reducing vulnerability to potential exploits. 
• Advanced cybersecurity software. You should also stay up to date on cybersecurity software and solutions. Implementing advanced software can help provide an extra layer of defense to your cybersecurity plans.  
• Cybersecurity audits. Consider performing regular cybersecurity audits to ensure all of your systems are up to date and rewview for potential new risks. 

Securing files and sensitive information 

Don’t let your physical security fall short because of a focus on the digital world! 

• Offline files. Your files and sensitive information need to be secured, even if they’re offline.  Ensuring your offline files and backups are secure can help you save data in the event of cyberattack.  
• Unattended devices. Another important part of securing your sensitive information is to not leave any devices unattended. Unattended devices are easy targets for theft or unauthorized access, and you should encourage your staff to lock their devices when not in use, no matter their location.  
• Encryption. Encrypting your devices is another way you can protect sensitive information and add an extra layer of protection. If one of your staff’s devices is stolen, the encrypted data remains unreadable without the appropriate decryption keys. 

Keeping your accounts safe 

Another way to keep your information safe is by keeping your accounts safe. 

• Strong passwords. Strong passwords are a critical line of defense for your cybersecurity. You should create password policies that include a combination of uppercase and lowercase letters, numbers, and special characters. These policies should also discourage the use of easily guessable passwords and encourage frequent password changes. 
• Password management software. An easy way to ensure everyone’s passwords are secure is by implementing password software. Password management software helps facilitate the creation and secure storage of complex passwords. Using a password manager not only enhances your security but also helps simplify the management of multiple credentials across various accounts. 
• Multi-factor authentication. Multi-factor authentication can also help you add an additional layer of security by requiring your team to provide multiple forms of identification. Implement multi-factor authentication for important accounts to mitigate the risk of unauthorized access, even if the login credentials are compromised. 

Securing your router 

Our final tip for better cybersecurity is to secure your router. 

• Default name and password.  Routers are a primary target for cyber attackers because it’s an easy way for them to get on your network and access your data. When you set up your router, change the default name and password.  
• Remote management capabilities. You should also turn off remote management capabilities to avoid them being exploited by attackers.  
• Encryption. Your nonprofit should also use at least WPA2 or WPA3 encryption for your network. Wi-fi encryption is crucial for protecting the confidentiality of data transmitted over your network. 

Final thoughts 

Cybersecurity isn’t a one-time training session. As the digital world evolves, your cybersecurity practices will require continuous attention and adaptation. Prioritize the safety of your digital assets and confidentiality of sensitive information your community entrusts in your nonprofit.  

By utilizing these best practices, keeping informed about emerging threats, and creating a culture of cybersecurity awareness, your organization can continue to navigate the digital landscape with resilience and confidence. 

Additional resources 

• Fraud Prevention 101: How Qgiv Keeps Fraud at Bay. Learn key ways Qgiv helps protect you from fraud. 
• Advanced Fraud Mitigation with Qgiv Donation Forms. Check out these advanced fraud mitigation tools implemented on Qgic donation forms. 
• Data Privacy for Nonprofits: What to Do (and What to Absolutely Stop Doing). Take a look at more tips to keep your data private. 
• Donors, Data Privacy & Security, and Doing What’s “Right” – Bloomerang. Learn more information on keeping your donors’ information secure.