Oct 03 , 2022

Cybersecurity for Nonprofits


Secure Data Begins with a Secure Plan


Imagine one day your donors open their mail with a letter from your organization stating, “there has been a data breach to our records and your information may be compromised”? The unfortunate reality is that it is happening to businesses around the country, including nonprofit organizations. Is your organization prepared to respond to this type of data compromise?

Protecting your data should be a central part of your organization’s planning and crisis planning. Not only does it keep your systems and information safe, but it also protects your clients, and validates the trust they have placed in you. Fortunately, many organizations you may be familiar with do offer guidance on how to fight cyber crimes before they happen. The National Council for Nonprofits offers a comprehensive list of Cybersecurity recommendations if, as they outline, you “conduct e-commerce on its website, such as processing donations or event registrations; store and transfer personally identifiable information about anyone, including donors; and collect information from opt-in email forms when you communicate with your clients and donors,” whether that be in the United States, or in foreign countries.

Since financial information is one of the types of data your organization will use to conduct business, we recommend the following three suggestions if you are just getting started.


Etsy Item Listing Photo (2)

ONE: If your organization accepts any form of online credit card donations or payments, ensure the payment system being used is PCI compliant. Being non-compliant can be a very big risk exposure. Learn more about other areas of PCI compliance.

TWO: DO NOT exchange sensitive personal information (e.g., social security numbers, driver’s licenses, birth dates, account numbers, PIN numbers) via regular email or text messaging. If exchanging such information electronically, use a secure email service with data encryption.

THREE: NEVER store, even for convenience purposes, any sensitive personal information in your organization’s files, either paper or electronic.

If you have a plan in place already, here are three suggestions to help maintain and enhance your current program.

  • Discuss cybersecurity coverage with your insurance provider and add this coverage if not already in place.
  • Incorporate 2-factor authentication for all access to email, accounting software, online financial accounts and cloud-based third-party software.
  • Implement a regular and robust staff training focused on cybersecurity, fraud prevention and data protection.

Secure data begins with a secure plan. Keep yourself informed and assess the risks against unauthorized disclosure. As budgets are being planned, software tools are being chosen, third-party vendors are being reviewed to develop your digital systems like a website, or storefront—this is the time to discuss the risks candidly, to ensure you, and the team around you, are following the proper protocols to keep cyber criminals out. And if they get in? Having a crisis plan in place will help everyone on the team understand how to spring into action and combat the attack. What are some tips you recommend?