Cybersecurity at Nonprofit Organizations: Challenges and Solutions
We all know about the Blackbaud data breach of 2020, in which over 120 nonprofit organizations had their data exposed through a ransomware attack on their software vendor, Blackbaud. It caused many of these organizations to rethink their cybersecurity measures. The first State of Nonprofit Cybersecurity report, published by Microsoft and the Nonprofit Technology Network (NTEN) in 2018, estimated that 59 percent of nonprofits provide no cybersecurity training for their staff, showing the need to address cybersecurity before the next major breach.
So, what challenges do nonprofits face with cybersecurity, and what solutions exist to help protect them?
The Cyber Threats Nonprofits Face in the Modern World
Nonprofits, unfortunately, are attractive targets for cyberattacks. For example, the same report states that more than 50 percent of nonprofit organizations do not require multi-factor authentication for logins, which by itself leaves them exposed to credential theft.
It is no surprise that nonprofits hold a lot of sensitive information about their donors, which cybercriminals would consider a “gold mine” should they get their hands on it. Additionally, the shift to remote work since 2020 brings its own security risks.
There are many types of cyberattacks that could befall an organization. Consider some of the most common:
- Ransomware: Malicious software that encrypts an organization’s files and demands payment for the key, holding the data “hostage.” Many ransomware groups also steal a copy of the data before encrypting it and threaten to publish it if the ransom is not paid.
- Phishing: Emails (and increasingly text and chat messages) crafted to trick recipients into clicking links or opening attachments. The links typically lead to a fake login page or a form that asks for sensitive information, which the user is likely to submit if they believe the page is legitimate.
- Scareware: As its name implies, this attack is meant to scare users into installing malicious software that compromises the system. Scareware often appears as a popup declaring that the user’s computer has been compromised and that they must “take action” immediately to fix the problem.
- Baiting: Baiting exploits curiosity with a false promise to get users to infect their own systems. Sometimes the bait is physical, such as a USB drive left where it will be found, which infects the computer once it is plugged in.
- Forced downtime: A denial-of-service attack that forces an organization’s digital operations to stop, for example by taking a charity’s website offline. A website outage can mean missed donations, missed correspondence with important donors, and staff unable to reach their own data.
- Advanced persistent threats: Sustained, targeted intrusions into an organization’s systems. The attackers can remain undetected for extended periods, conduct surveillance on the organization, and continuously steal data from the nonprofit’s network without anyone noticing.
These threats illustrate the main risks nonprofits should be concerned with: damage to their reputation, financial loss, and compromised systems.
An organization’s reputation can also suffer if, for example, its systems are hacked and spam is sent out in the charity’s name. That spam may contain controversial content, or it may carry links that attack its recipients in turn. Either way, it will require serious public-relations repair work.
CCK OBSERVATION: When an organization’s digital systems are compromised, the nonprofit cannot pursue its philanthropic goals because its resources must be spent recovering from the breach. Fixing such problems takes not only time but also a considerable amount of money.
What Can a Nonprofit Do to Strengthen Their Cybersecurity?
Data breaches happen every year and are increasingly common, worrying organizations both large and small. How, then, do nonprofits protect themselves from such criminals? As Sir Francis Bacon wrote in 1597, “knowledge itself is power.” This ageless quote points us in the right direction.
To protect against cyberattacks, an organization must know the dangers it faces and how to recognize them. The most crucial step is continuously educating the entire organization, from the executives down to the weekend volunteers: what to look for, what to avoid, and the procedure to follow when they believe they have spotted something suspicious.
What Are Some “Best Practices” a Nonprofit Organization Can Implement?
Educating the staff is only one of the things an organization can do to strengthen its cybersecurity. Here are some best practices nonprofits can begin implementing right away:
- Use multi-factor authentication wherever possible, including every login and any new software the organization adopts;
- Create a detailed cyber incident response plan (i.e., a written strategy for handling cyberattacks: who to contact, which systems to isolate first, and who decides when to notify donors);
- Hire (if possible) an in-house cybersecurity employee;
- Use strong, unique passwords and a reputable password manager;
- Ensure that digital signature and notarization software and hardware rely on certificates issued through a proper public key infrastructure (PKI) by a trusted certificate authority (CA);
- Use a VPN on any network the organization does not control and avoid public Wi-Fi; note that a Wi-Fi password shared with every customer in a café does not protect your traffic from the other users on that network, which is why the VPN matters;
- Update hardware and software regularly, and immediately when the vendor releases a critical patch;
- Apply firmware updates to hardware;
- Apply OS updates to all phones and mobile devices used for the nonprofit’s work whenever available;
- Use encrypted email (at a minimum, a provider that encrypts mail in transit; end-to-end encryption for sensitive donor data);
- Verify every payment instruction or change of bank details through a second channel, such as a phone call to a number already on file, never to a number given in the requesting email; and
- Keep backups of all important data in case systems are compromised, following the “3-2-1” principle: three copies of all critical data (the live copy plus two backups), on two different kinds of storage (such as a local drive and a cloud backup), with one copy offsite. At least one backup should be offline or otherwise unreachable from the main network so that ransomware cannot encrypt it along with everything else, and restores should be tested regularly.
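The 3-2-1 principle in practice, as an added example that is not part of the original article: a small POSIX shell script that archives a directory, writes the archive and its SHA-256 checksum to a “local disk” location and an “offsite” location (both plain directories here, an assumption standing in for a second drive and a cloud bucket), verifies both copies, test-restores from one, and then shows why the second copy matters by simulating ransomware overwriting the local backup. The sample data it backs up is constructed inline and is not real donor data.

```shell
#!/bin/sh
# Added example, not code from the original article: a minimal "3-2-1"
# backup with integrity checks and a restore test, in POSIX sh.
#   3 copies  - the live directory plus two backup archives
#   2 media   - two separate directories stand in for a local disk and an
#               offsite/cloud location (an assumption made for the demo)
#   1 offsite - the second destination
# Requires tar, sha256sum (GNU coreutils or BusyBox) and diff.
set -eu

# verify_copy BACKUP_DIR ARCHIVE
# Exit status 0 if the archive in BACKUP_DIR still matches its checksum.
verify_copy() {
    ( cd "$1" && sha256sum -c "$2.sha256" >/dev/null 2>&1 )
}

# make_backup SRC_DIR LOCAL_DIR OFFSITE_DIR
# Archives SRC_DIR into LOCAL_DIR, records a SHA-256 checksum next to the
# archive, copies both files to OFFSITE_DIR and verifies both copies.
# Prints the archive file name.
make_backup() {
    src="$1"; local_dir="$2"; offsite_dir="$3"
    archive="backup-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    mkdir -p "$local_dir" "$offsite_dir"
    # Archive relative to the parent directory so a restore recreates the
    # same tree under any target directory.
    tar -C "$(dirname "$src")" -czf "$local_dir/$archive" "$(basename "$src")"
    ( cd "$local_dir" && sha256sum "$archive" > "$archive.sha256" )
    cp "$local_dir/$archive" "$local_dir/$archive.sha256" "$offsite_dir/"
    # A copy that fails its checksum is discovered now, not during an incident.
    verify_copy "$local_dir" "$archive"
    verify_copy "$offsite_dir" "$archive"
    echo "$archive"
}

# test_restore BACKUP_DIR ARCHIVE ORIGINAL_DIR SCRATCH_DIR
# Extracts ARCHIVE into SCRATCH_DIR and compares the result with
# ORIGINAL_DIR byte for byte. Exit status 0 on a faithful restore.
test_restore() {
    backup_dir="$1"; archive="$2"; original="$3"; scratch="$4"
    mkdir -p "$scratch"
    tar -C "$scratch" -xzf "$backup_dir/$archive"
    diff -r "$original" "$scratch/$(basename "$original")" >/dev/null
}

# --- Demo on constructed sample data (not real donor records) --------------
DEMO=$(mktemp -d)
mkdir -p "$DEMO/live/donors"
printf 'name,email,pledge\nA. Donor,a.donor@example.org,100\n' \
    > "$DEMO/live/donors/2024.csv"
printf 'board minutes\n' > "$DEMO/live/minutes.txt"

ARCHIVE=$(make_backup "$DEMO/live" "$DEMO/local-disk" "$DEMO/offsite-bucket")
echo "wrote $ARCHIVE to local-disk and offsite-bucket"

test_restore "$DEMO/local-disk" "$ARCHIVE" "$DEMO/live" "$DEMO/restore-test" \
    && echo "restore test from local copy: OK"

# Simulate ransomware reaching the local backup: the archive is overwritten.
printf 'ENCRYPTED BY RANSOMWARE\n' > "$DEMO/local-disk/$ARCHIVE"
if verify_copy "$DEMO/local-disk" "$ARCHIVE"; then
    echo "local copy intact"
else
    echo "local copy FAILED its checksum, falling back to the offsite copy"
fi
verify_copy "$DEMO/offsite-bucket" "$ARCHIVE" && echo "offsite copy: OK"
test_restore "$DEMO/offsite-bucket" "$ARCHIVE" "$DEMO/live" "$DEMO/restore-offsite" \
    && echo "restore test from offsite copy: OK"
rm -rf "$DEMO"
```

Run it with `sh backup321.sh` (on macOS, replace `sha256sum` with `shasum -a 256`). The points a practitioner should take from it are the checksum on every copy and the restore test, since a backup that has never been restored is only a hope. In a real deployment the offsite copy should also sit on storage the main network cannot write to, such as a drive that is disconnected after the backup or cloud object storage with versioning or object lock enabled, so that ransomware which reaches the local disk cannot overwrite it the way the demo does.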
These measures, paired with proper training, can help prepare an organization for cyberattacks. While no method is entirely foolproof, they will help protect the sensitive information nonprofits hold in their systems.
CCK COMMENT: When training your staff, remind them to keep their software, hardware, and personal communication devices updated; avoid public Wi-Fi networks; use full-disk encryption on laptops and workstations; and refrain from plugging in unknown external hardware such as USB drives. Moreover, it is important to continuously update your training and procedures and inform your staff accordingly.