GUEST ESSAY: Essential cyber hygiene practices all charities must embrace to protect their donors

By Zac Amos

Charities and nonprofits are particularly vulnerable to cybersecurity threats, primarily because they maintain personal and financial data, which are highly valuable to criminals.

Here are six tips for establishing robust nonprofit cybersecurity measures to protect sensitive donor information and build a resilient organization.

•Assess risks. Creating a solid cybersecurity foundation begins with understanding the organization’s risks. Many nonprofits are exposed to potential daily threats and don’t even know it. A recent study found only 27% of charities undertook risk assessments in 2023 and only 11% said they reviewed risks posed by suppliers. These worrying statistics underscore the need to be more proactive in preventing security breaches.

•Keep software updated. Outdated software and operating systems are known risk factors in cybersecurity. Keeping these systems up to date and installing the latest security patches can help minimize the frequency and severity of data breaches among organizations. Investing in top-notch firewalls is also essential, as they serve as the first line of defense against external threats.

•Strengthen authentication. Nonprofits can bolster their network security by insisting on strong login credentials. This means using longer passwords — at least 16 characters, as recommended by experts — in a random string of upper and lower letters, numbers, and symbols. Next, implement multi-factor authentication to make gaining access even more difficult for hackers.

•Train staff regularly. A robust security plan is only as good as its weakest link. In most organizations, that exposure comes from the employees. Roughly 95% of cybersecurity incidents begin with a staff member clicking on an unsuspecting link, usually in an email. A solid cyber security culture requires regular training on the latest best practices so people know what to look out for and what to do.

•Get board involvement. Effective nonprofit cybersecurity starts at the top. Just as it’s common practice to task board members with budget reviews for fraud prevention, organizations can appoint trustees to oversee cybersecurity explicitly. Board involvement can cut through red tape and implement improved safeguards for donor information and funds

Conduct Internal Reviews. In a 2023 survey, 30% of CISOs named insider threats one of the biggest cybersecurity threats for the year. The risk factor is higher among nonprofits, as they store data about high-net-worth donors. A disgruntled employee or persons with malicious intentions can gain unauthorized access to these records to demand payments from patrons, knowing full well they can afford it.

Charity exposures

Threat actors continue to explore new methods to steal information. The usual attack vectors include:

•Data theft: Charities are rich in valuable data, whether in their email list or donor database. The hackers then sell the information or use it themselves for financial gain.

•Ransomware: This attack involves criminals holding a network and its precious data hostage until the enterprise pays the demanded amount.

•Social engineering: These attacks exploit human error to gain unauthorized access to organizational systems. Lack of proper staff training is the biggest culprit in this case.

•Malware: Hackers deploy malicious software designed to cause significant disruptions and compromise data integrity.

Amos

If any of these attacks proves successful, the consequences for nonprofits are often severe and far-reaching. In the immediate, there’s the loss of funds or sensitive information. There’s also the risk of financial penalties for breaching data protection laws. Beyond financial and reputational loss, the ripple effects become more evident with a decline in donor confidence.

Cybersecurity is a must for charities. Cyber attacks have become an increasing concern, so charities and nonprofits must commit to safeguarding private data as part of their success. By adopting proactive measures, they can stay on top of cybersecurity trends and foster enduring relationships with donors.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.

March 4th, 2024