Nonprofits and Cybersecurity

Ann Fitzgerald President AC Fitzgerald author

Ann C. Fitzgerald, President

Corporations are not the only entities at risk. Nonprofits must begin to take a more serious look at the considerable threats to their data. Nonprofits are collecting more and more sensitive information on donors at the same time that an increasingly virtual work environment makes data accessible from unsecured locations and devices. And “hacktivists,” who want to disrupt your operations for a cause, are on the rise.

Recently, Microsoft and the Nonprofit Technology Enterprise Network surveyed 250 nonprofits across the U.S. and produced the first State of Nonprofit Cybersecurity Report. The good news: 70 percent of nonprofits in the survey had backup policies, while more than half had policies for risk, usage, and privacy. But few nonprofits are prepared for a cyberattack or have provided cybersecurity training to staff.

Here are some steps every nonprofit, including yours, should take:

  • Get an IT audit. Have your IT provider or an outside expert assess your systems, policies, and potential threats.
  • Take inventory. Who has access to what? Evaluate both staff and external partners.
  • Set a policy on sharing donor files with external agencies. And never email unsecured files with donor information to outside vendors.
  • Require multi-factor authentication (MFA) to log into online accounts. This means using a password, plus another authentication method (such as having a code texted to your phone), to access email or other online services.
  • Establish a virtual private network (VPN) to protect internal-only resources. Ensure all remote staff access files via a secure VPN login. No more using the free WiFi at Starbucks!
  • Offer user awareness training. Remind the board and staff about cybersecurity policies and ask IT to run security tests regularly.
  • Establish a password policy. Use a secure password management tool (such as LastPass) for storing and sharing user IDs and passwords.
  • Create a disaster recovery plan. If you do get hacked or donor data is breached, what steps will you take? Devise a plan outlining who will handle IT security, inform staff and constituencies, and manage public relations.

The costs of a cybersecurity attack – from legal and remediation costs to a loss of credibility – can devastate a nonprofit and its mission. Take steps today to strengthen your security and systems.

Ann C. Fitzgerald is Founder and President of AC Fitzgerald, using her decades of experience in fundraising, management, leadership, and sales to help nonprofits build their capacity and achieve success. She is a sought-after speaker, writer, and advisor.

Subscribe to our free ACF Nonprofit Partner blog for insights to help your nonprofit thrive.