Most nonprofits probably don’t consider themselves serious cyberattack targets. But any organization that gathers personally identifiable information or processes transactions (donations) needs to protect its information technology infrastructure.
Failure to prevent a cyberattack could expose the personal information of your donors and make your nonprofit liable for the resulting financial damage. Identifying all your potential tech vulnerabilities and adequately securing all sensitive data can greatly minimize that risk.
Take an Inventory of Sensitive Information and How It’s Used
Before developing a cybersecurity plan for your nonprofit, review your organization’s data to understand what sensitive donor and financial data you have on file. Also keep track of files and information related to your nonprofit’s operations and projects. Even when there is no sensitive or confidential information in a file, consider the results if you were to lose it. If losing it would harm your nonprofit’s workflow, prioritize having a backup storage system in place for those files.
Once you know where the important data is stored, make sure all electronic devices, including computers and mobile devices, use up-to-date anti-malware software and password-protected employee logins. Ancillary devices need to be properly encrypted as well, because printers and fax machines also store data and create an exposure point for a cyberattack if left unprotected.
Use Secured Networks for Data Transmission
Once you have an idea of what data your nonprofit stores, only send sensitive information over secured networks. If your website uses HTTP instead of HTTPS, any data that’s transmitted is at risk, and your site could also be flagged as not secure by certain web browsers.
Also review the cybersecurity protocol used by your vendors, including third parties handling payroll, cloud data storage, accounting and donation transactions.
Depending on the office setup, your nonprofit may allow WiFi access to visitors. If this is the case, keep all employee activity on a WiFi network that is private and properly secured. Either use the built-in firewall in the office’s wireless routers or install a separate hardware firewall. Only allow guests on a separate, public network so that unauthorized users can’t get access to your nonprofit’s main network.
Comply with Laws and Regulations
Inadequate cybersecurity could create legal and financial risks. Federal, provincial and international laws could lead to fines and other punishment if sensitive data is exposed in a cyberattack.
Many countries have laws on the books requiring that organizations notify users if their personal information was exposed in a data breach. Federal and provincial rules may also mandate specific procedures for disposing of sensitive information.
The European Union’s (EU) General Data Protection Regulation (GDPR) should also be factored into your nonprofit’s cybersecurity plans if you are likely to come across EU-based users.
Train Staff on Proper Cybersecurity
Even employees who don’t handle sensitive information daily should be aware of your nonprofit’s cybersecurity protocols. They should know what data they may come across and how to protect it.
Employees could be targeted by email phishing scams or accidentally download malicious code from a website. Keep your entire staff aware of any suspicious email activity, remind them to always stop and think before they provide sensitive data externally or even just click on a link, and emphasize the importance of surfing the web in a safe, professional manner.
Cybersecurity also involves controlled physical access to office resources. Don’t leave software programs open and unattended, and carefully store any paper files that could allow an individual to access your network without authorization.
By using updated anti-malware software, vetting each of your vendors carefully, training your employees, and securing all electronic devices, you can reduce your nonprofit’s cyberattack risk and protect your organization’s financial and reputational image.
We’re Here to Help
If you have any questions about the management of your NPO, please do not hesitate to contact our NPO team, who will gladly assist you or point you to someone who can.