Jan 25 2021

How to Get Nonprofit Staffers Ready to Defend Against Cyberthreats

Your nonprofit’s staff members are on the front lines in more ways than one — and encouraging a proactive approach could help you avoid a costly cyber incident.

Nonprofits today face serious challenges in ensuring their missions continue to move forward, but a major security incident could make things a lot worse. Because most nonprofit employees are working remotely right now, it’s more important than ever to understand the issues that could emerge with a lax approach to cybersecurity.

Instead of taking a reactive approach to cybersecurity concerns, your organization should be proactive in addressing insider threats, phishing and remote security. Despite lean times, there are steps nonprofits can take to withstand these potential vulnerabilities.

Know What’s at Risk for Nonprofits

The types of threats organizations face are myriad, ranging from insider attacks to tools that are not updated on a regular basis. One of the biggest challenges can involve theft of data, or even money, from an organization.

Cyberattackers can infiltrate nonprofits in dramatic ways, even using trickery to breach a nonprofit’s financial distribution mechanisms. Vendors may be involved, so it’s important to know who has access to your data or financial information, and how to manage that surface area.

It’s critical to emphasize to your team that these are not theoretical risks, and that poor handling of cyberthreats may result in not only physical damage, but also reputational harm. Demonstrating you take cybersecurity seriously can be a boon to your nonprofit.

“Prioritizing cybersecurity can help a nonprofit add value to its brand and strengthen donors’ trust,” says Samuel Bocetta, a former security analyst for the Department of Defense, in a blog post for the nonprofit clearinghouse Candid.

Train Employees to Detect Phishing Attacks

The level of risk that comes with a potential cyberattack can be disproportionate to the kinds of mistakes that can make your nonprofit vulnerable. It can take just one missed setting or one wrong click to give an outside attacker access to your technology.

The cost of remediating a cyberattack can add up. A 2019 study from the technology company Radware found that the estimated cost of recovering from a cyberattack averaged $1.1 million; that figure grew to $1.67 million when organizations actually calculated the costs.

One area where nonprofits should focus their energy is the prevention of phishing attacks. As the nonprofit tech supplier TechSoup notes, bad actors can take advantage of publicly available information to infiltrate an organization or deliver a highly targeted message.

“Hackers use publicly available information on websites, including your own nonprofit website, to identify key information that can be used to trick you, such as your email domain and senior staff names,” Tech Impact’s Linda Widdop and TechSoup’s Michael Enos write.

One way to prevent this is to limit the use of online staff or member directories. Another way is to train your team members.

Tools that can boost security awareness, from companies such as Proofpoint and Sophos, can help train employees to recognize phishing so they won’t be surprised when a phishing attempt arrives.

Understand the Importance of Best Practices

In recent years, privacy regulations, such as the European Union’s General Data Protection Regulation, have put data protection front and center for many nonprofits — in part because, if they have an interest in the EU, as many global nonprofits do, compliance is required.

As the National Council of Nonprofits (NCN) notes: “US nonprofits that raise money in the European Union, or provide services to citizens of the EU, AND collect data about those citizens, must follow the EU’s General Data Protection Regulations.”

With this in mind, any nonprofit subject to GDPR should emphasize compliance within its organization.

NCN’s guide to cybersecurity for nonprofits offers tips that organizations can follow, including the use of the National Institute of Standards and Technology’s Cybersecurity Framework.

By undergoing a cybersecurity assessment, nonprofits can learn where their vulnerabilities are, address them, and refine their procedures to reflect industry best practices.

It won’t be easy, but considering what’s at risk, it’s far better (and less expensive) than cleaning up after a cyberattack.
