Copyright 2010 - 2023 @ DevriX - All rights reserved.

Cybersecurity for Nonprofits: A Complete Checklist

Cybersecurity breaches and cyberattacks are a very serious issue in today's world, where almost everything is done online.

Huge amounts of data, including bank account information, emails, names, addresses, and so on, are held online, and such data is therefore a frequent target of attacks.

Interesting fact: Did you know that in 2022, in the US, the average cost of a data breach was $9.44 million!

Yikes! And since specialists predict that by 2025 that cost will rise to $10.5 trillion annually, you know that you had better take every step to ensure reliable online security.

Now, one might think that nonprofit organizations are not an appetizing target for cyberattacks; however, that is not true. In reality, there are two main factors that make nonprofits an ideal target for hackers.

First, nonprofit organizations usually keep tons of data – personal information, account data, payment details, and so on.

Second, nonprofits typically have their guard down, thinking that they are not a target for attacks, which, ironically, makes them the most vulnerable to such attacks.

What Is Cybersecurity?

Cybersecurity is the act of defending computers, mobile devices, servers, networks, and data from malicious attacks. This process can also be referred to as electronic information security, or technology security.

Generally, cybersecurity falls into one of the following categories:

  • Information security. Aims to protect the privacy of data and information, both in transit and in storage.
  • Application security. Aims to keep software and devices free of threats.
  • Network security. Focuses on securing computer networks from attacks.
  • Operational security. The process of handling and protecting information and data assets.
  • Disaster recovery and business continuity. How an organization responds to cyberattacks, and other events that may result in a loss of data. Also, the plan by which the organization tries to operate without specific resources.
  • End-user education. Addresses the human factor in security by educating users to recognize and avoid any attempts to breach an organization’s security and privacy.

Another interesting fact: The first attack on a computer network was back in 1971 by Bob Thomas at BBN. It was the first computer worm, called Creeper. It was, however, purely experimental, and not loaded with any malicious software. The next year – 1972 – it was destroyed by Reaper, created for that specific purpose by Ray Tomlinson.

Common Cyber Threats For Nonprofits

In general, cyber threats fall into two categories:

  • Cyberattacks are malicious activities, like hacking, phishing, spam, DoS (Denial of Service) attacks, etc. Their goal is to use devices and networks for criminal purposes.
  • Cybercrimes are illegal activities that include bank fraud, stealing credit card information, identity theft, and so on.

Now let us review some of the most common cyber threats for nonprofit organizations.

  1. Third-party vendor data breaches. Quite often, nonprofits delegate data storage to third-party vendors. This, however, means that if that vendor gets breached, the sensitive information kept there is also at risk of being stolen.
  2. Ransomware. Ransomware is a form of malware that encrypts the data on a device; the hacker(s) then demand payment in order to unlock the infected device.
  3. Email phishing. Emails are among the biggest cyber threats to nonprofits. Phishing schemes, in particular, as a form of social engineering, aim to hijack sensitive information, such as usernames, passwords, credit card info, and so forth.
  4. Malware. Malicious software, like viruses, can infect all kinds of devices connected to the network, putting sensitive information at risk.
  5. Downtime. Not all cyberattacks are instantly visible. Some are quite subtle. Still, anything that can cause forced downtime of your website will have negative consequences for your nonprofit organization. If your website hosting is offline and your site is down, you essentially risk losing potential users, donations, and interest in your services in general.
  6. Baiting. Baiting is a method of tricking people into giving up their information. Most commonly, it is done by getting malicious software onto the user’s computer. For instance, the attacker could leave a USB flash drive in an obvious place, so that the user finds it and, driven by curiosity, plugs it into their computer/device. Once the USB is inserted, the system is compromised.

All the above sounds quite scary, and it is, but it doesn’t have to be. Putting protection in place before something bad happens will minimize the chances of it happening. Plus, there’s a chance that hackers will not target your website if they see that your protection is on point and that it would take a lot of time to get at your data.

Now, let us take a look at the best ways to enhance your nonprofit cybersecurity, and keep cyber threats away.

Cybersecurity For Nonprofits: How to Prepare?

  1. Encryption.
  2. Two-Factor Authentication.
  3. Employee Training.
  4. Up-to-Date Software.
  5. Encourage the Best Practices for Privacy and Security.

1. Encryption

One of the best ways to protect your data from being stolen is to encrypt it. Data encryption is a way to encode data so that only a person with the correct encryption key can access it.

The encrypted data appears as unreadable text to anyone trying to access it without the required permission. Sure, in theory, the encryption could be broken, but that would require large amounts of computing power. Hence, it will most likely stop potential hackers from trying to access the data.

2. Two-Factor Authentication

Two-factor authentication (a.k.a. 2FA, or dual authentication) adds another layer of security to an account, on top of the mandatory password. Basically, dual authentication uses two methods to verify your identity.

Usually, the second method requires the user to enter a code received by email or SMS, provide a fingerprint, or similar, in order to verify that the account in question is theirs.

Since most passwords can be very easy to crack, adding two-factor authentication can greatly enhance the safety of your accounts.

3. Employee Training

Probably the most important thing you can do to boost your nonprofit cybersecurity is to properly train your employees, and let them know about the main cybersecurity risks, and how to prevent them.

Less than 30% of nonprofits have performed a vulnerability assessment, which speaks volumes about how online security is neglected.

Let’s stop the bad practices! A knowledgeable employee is much less likely to make a simple mistake that would then cost millions of dollars to the entire organization.

So, instead of waiting for disaster to strike, take the necessary preventive measures by educating everyone in your organization on how to be safe online.

What’s more, some companies have appropriate policies in place that aim to protect both employee and donor data. For example, these could include securing cloud workspaces, or using password manager applications like LastPass.

4. Up-to-Date Software

Keeping software up to date is not only about getting new features or making a website or application run faster. Above all, running outdated software exposes your business to vulnerabilities.

Obsolete software is a much easier target for hackers, and once it is exploited, your entire website can get infected.

5. Encourage the Best Practices for Privacy and Security

You’ve taken all the best steps to ensure the protection of your nonprofit. Awesome!

Yet, of course, you can’t take complete control of what your users are doing. However, you can, and should, do everything possible to keep them leaning in the right direction.

For instance, you can enforce mandatory password rules, like requiring lowercase and capital letters, numbers, symbols, etc. This will make sure that noticeably weak passwords like “123456789”, “password”, and “qwerty” will not make their way into users’ accounts.

What’s more, you can review your own policies and make sure not to ask for more information than you need, and also add a payment gateway (such as PayPal), so that you don’t store credit card information directly on your website.

Nonprofit Cybersecurity: What to Do When It Is Too Late?

It is not a good situation to be in; however, it is good to know what you can do should the worst-case scenario occur. In simple words, what should you do when you’ve already been the target of a cyberattack and have no idea how to proceed?

Here’s how.

  • Change your passwords. Better late than never. One of the first things you should do if someone has hacked you is to immediately change all your passwords, and not just change them, but make sure that they are much more secure. In short, anything that has meaning is bad for a password. So, forget about passwords that include your birth year, first or last name, or any other personal information. If it is too much of an effort to remember your complex passwords, use specialized software.
  • Add more log-in security. As we mentioned above, adding two-factor authentication can be of great help in securing your users. Additionally, you can add CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) verification, or even biometric authentication (fingerprint, voice, face recognition, etc.).
  • Contact the authorities. You might be tempted to negotiate with hackers… that is not a good idea. Instead, if you suspect that someone has attacked your nonprofit, contact the local authorities. In the US, that would be the 24/7 Cyber Watch (CyWatch): 855-292-3937, and the Internet Crime Complaint Center (IC3):
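The password rules described in the "Encourage the Best Practices" section (lowercase and capital letters, numbers, symbols, no well-known weak passwords) and in the "Change your passwords" step above (nothing with personal meaning, such as a birth year or name) can be enforced at sign-up or password-change time. The following is an added example, not code from the original post or from DevriX; the minimum length, the denylist contents and the sample user data are constructed assumptions.

```python
import re
from typing import Iterable, List

# Constructed denylist using the weak examples named in the post; a real
# deployment would check against a large breached-password list instead.
WEAK_PASSWORDS = {"123456789", "password", "qwerty"}

MIN_LENGTH = 12  # assumed policy value; the post does not specify a length


def password_violations(password: str, personal_info: Iterable[str] = ()) -> List[str]:
    """Return the list of policy rules the password breaks (empty means it passes).

    Rules follow the post: lowercase and capital letters, digits and symbols are
    all required, well-known weak passwords are rejected, and anything with
    personal meaning (birth year, first/last name) must not appear in it.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    lowered = password.lower()
    if lowered in WEAK_PASSWORDS:
        problems.append("well-known weak password")
    # Case-insensitive substring check against the user's own data; very short
    # fragments are skipped so that e.g. a two-letter initial does not block everything.
    for item in personal_info:
        item = str(item).strip().lower()
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal information ({item})")
    return problems


def is_acceptable(password: str, personal_info: Iterable[str] = ()) -> bool:
    """Convenience wrapper: True only when no rule is broken."""
    return not password_violations(password, personal_info)


if __name__ == "__main__":
    # Constructed sample user with the kind of data the post says to avoid.
    user = ["Jane", "Doe", "1985"]
    for candidate in ["password", "Jane1985!!xx", "Volunteer-Dr1ve-2024!"]:
        print(candidate, "->", password_violations(candidate, user) or "OK")
```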

Over to You

The fact is that, unfortunately, most nonprofits have absolutely no strategy in case a cyberattack happens.

Why would you risk your nonprofit organization losing millions of dollars, and the trust of your users? The dangers of cyberattacks are real, and they are not something that you should take lightly.

It is much better to take preventative measures, and keep the disaster away from your business. Cybersecurity for nonprofits is a very serious matter that requires the necessary attention, employee and user education, and applying the best practices for online protection.
