It’s critical to emphasize to your team that these are not theoretical risks, and that poor handling of cyberthreats may result in not only physical damage, but also reputational harm. Demonstrating you take cybersecurity seriously can be a boon to your nonprofit.
“Prioritizing cybersecurity can help a nonprofit add value to its brand and strengthen donors’ trust,” says Samuel Bocetta, a former security analyst for the Department of Defense, in a blog post for the nonprofit clearinghouse Candid.
Train Employees to Detect Phishing Attacks
The damage a cyberattack can cause is often out of proportion to the size of the mistake that makes your nonprofit vulnerable. It can take just one missed setting or one wrong click to give an outside attacker access to your technology.
The cost of remediating a cyberattack can add up. A 2019 study from the technology company Radware found that the estimated cost of recovering from a cyberattack averaged $1.1 million; that figure grew to $1.67 million when organizations actually calculated the costs.
One area where nonprofits should focus their energy is the prevention of phishing attacks. As the nonprofit tech supplier TechSoup notes, bad actors can take advantage of publicly available information to infiltrate an organization or deliver a highly targeted message.
“Hackers use publicly available information on websites, including your own nonprofit website, to identify key information that can be used to trick you, such as your email domain and senior staff names,” Tech Impact’s Linda Widdop and TechSoup’s Michael Enos write.
One way to prevent this is to limit the use of online staff or member directories. Another way is to train your team members.
Understand the Importance of Best Practices
In recent years, privacy regulations, such as the European Union’s General Data Protection Regulation, have put data protection front and center for many nonprofits — in part because, if they have an interest in the EU, as many global nonprofits do, compliance is required.
As the National Council of Nonprofits (NCN) notes: “US nonprofits that raise money in the European Union, or provide services to citizens of the EU, AND collect data about those citizens, must follow the EU’s General Data Protection Regulations.”
With this in mind, any nonprofit subject to GDPR should emphasize compliance throughout its organization.
NCN’s guide to cybersecurity for nonprofits offers tips that organizations can follow, including the use of the National Institute of Standards and Technology’s Cybersecurity Framework.
By undergoing a cybersecurity assessment, nonprofits can learn where their vulnerabilities are, address them, and refine their procedures to reflect industry best practices.
It won’t be easy, but considering what’s at risk, it’s far better (and less expensive) than cleaning up after a cyberattack.