Cybersecurity and compliance essentials for nonprofits

What do nonprofits need to know about cybersecurity in 2023?

There’s plenty of information out there on data security and compliance for industry sectors like finance, healthcare, government, education, and retail. But despite the volume and nature of data collected by nonprofits (and how critical their work is), very few people are talking about what nonprofits need to know (and do) about keeping their data secure.

So, let’s explore why nonprofits should be concerned about cyber security (now more than ever) and what they can do about it. To begin with, let’s set the scene…


Nonprofits increasingly run on technology

Like other sectors, nonprofits are increasingly reliant on digital technologies and web platforms to get things done. Apps are used for marketing, communications, recordkeeping, fundraising, donations, and online purchases — and most of them collect and store sensitive data.

This enables organizations to use their data and technology to work more efficiently, make important decisions, drive growth, help more people, and report on their activities. These are all good things, of course. But shifting from paper to digital also comes with new responsibilities (and a whole lot more data…).

The volume of data is increasing


In 2025, it’s estimated that 181 zettabytes of data* will be created and replicated around the world, up from just 2 zettabytes in 2010. Each year, the volume of created data grows, but this growth was accelerated by the pandemic, as more and more people accessed resources for school, workplaces, and entertainment at home.

Today there is more data, and more kinds of data, than ever. For nonprofits, that data represents both opportunities and challenges, because with more data comes more risk: the risk that it will be compromised, misused, or end up in the wrong hands.

* Just in case this is your first time hearing about zettabytes, one zettabyte (ZB) is equal to a huge 1 000 000 000 terabytes (TB)!

Cyber attacks are on the rise

Speaking of risks: Check Point Research found that in 2021, organizations saw 50% more cyberattack attempts per week than in 2020.

Cybercrime is getting more sophisticated — and the need for strong cyber security is more important than ever. Organizations need to do more in order to protect themselves from potential attacks.

There’s increasing regulation around data and privacy

Due to the risks involved, many governments now have specific compliance requirements for organizations to ensure people’s data and privacy are protected. For example, some of the regulations you may have heard of include GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), VCDPA (Virginia Consumer Data Protection Act) and CPA (Colorado Privacy Act). 

The requirements vary depending on the sector, the location of the business, and the location of its customers, donors, or members. In some cases, laws may exclude nonprofit organizations from compliance, but that doesn’t mean it’s a wise idea to ignore your data security and privacy obligations.

It’s important to be aware of any laws that may apply to you so that you can put in place appropriate measures, ensure your nonprofit is compliant, and avoid a potential fine. To get up to date on the latest regulations, take a look at the IAPP’s privacy legislation tracker, which has a map of current and proposed privacy legislation in each US state.

Nonprofits have a target on their backs


Sometimes bad things happen to good people. 

Despite the amazing work done by nonprofits — that often support people when they need it most — they are still vulnerable to cyberattacks and data breaches.

Nonprofit organizations may be even more likely to experience a cyberattack than other sectors due to:

  • Legacy tech – Some nonprofits can be slower to adopt new technology or implement critical updates that might help to improve data security
  • Limited knowledge – Limited in-house knowledge can make it difficult to put in place a data security policy or implement measures that protect the organization’s data
  • Limited budgets – Compared to other sectors, nonprofits are less likely to have a dedicated budget for cyber security measures like consultants, training, and software
  • Poor security practices – Less than half of nonprofits enforce multi-factor authentication for online account access, and 70%+ haven’t even checked for potential risk exposure
  • Types of data – Nonprofit data is highly sought after by cybercriminals, as it may contain information like personal details and financial details of particularly important people, like corporate contributors, donors, vendors, and partners
  • Positive outlook – When it comes to cyber security, assuming the best in people might actually put nonprofits at a disadvantage

The consequences of weak cyber security are significant


Consider this: what would it mean for your organization if all your internal data ended up in the wrong hands, or even published on the internet, for all to see? 

Poor cyber security could lead to devastating consequences for your nonprofit. This might include:

  • Fines – Companies can be fined millions of dollars for data breaches or failing to protect consumer data
  • Ransoms – Some attackers encrypt your systems or steal your data and demand payment; paying does not guarantee that anything is restored, and data that was copied out can still be leaked or sold afterwards
  • Data theft – Stolen nonprofit data can be sold on to others, leaked, or used to compromise individuals
  • Personal losses – Individuals can lose huge amounts of money through exposure to cybercriminals (check out the FBI’s announcement from May this year, highlighting losses of US$ 43 billion worldwide on just one scam, business email compromise!)
  • Forced downtime – An attack or breach could cause systems to go offline, which can impact important work and disrupt donations
  • Loss of trust and reputation – Following a breach or security issue, current donors, future supporters, and other stakeholders may lose confidence in your brand

10 strategies to improve nonprofit cyber security


Fortunately, there’s a lot that you can do to reduce your risk and improve compliance — even with limited budgets, time, and in-house skills.

Here are 10 strategies that nearly any nonprofit organization can implement:

1. Start with the basics

By implementing a few basic changes, you can significantly reduce your risk exposure. This is a great place to start:

  • Multi-factor authentication (two-factor at minimum) on every account that supports it, starting with email and administrator accounts
  • Unique passwords (on every account, so one leaked password can’t be reused to open the others)
  • Stronger passwords (long passphrases rather than short, “complex” ones)
  • Password managers (the practical way to make the two points above stick)
  • Data encryption (full-disk encryption on laptops and phones, and encrypted connections to your apps and file storage)
  • Restricted account privileges (staff use ordinary accounts for day-to-day work; admin rights live in separate accounts that are used only when needed)
  • Secure networks (patched routers and Wi-Fi with current encryption, and no shared or default passwords)
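The first item on that list is also the easiest one to measure. As an added example (not code from the original article or from Protek-IT), the PowerShell below pulls the Microsoft Entra user registration report for a Microsoft 365 tenant and lists every account that has not registered an MFA method, administrators first. It assumes the Microsoft Graph PowerShell SDK is installed and that whoever runs it can consent to the two read-only permissions it requests; the output file name is an assumption.

```powershell
# Added example (not from the article): report Microsoft 365 accounts with no
# MFA method registered, admins first. Assumes the Microsoft Graph PowerShell
# SDK is installed (Install-Module Microsoft.Graph.Reports) and that the person
# running it can consent to the two read-only scopes below. The output file
# name is an assumption.

Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# One record per user from the Entra "user registration details" report.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Keep only users with no MFA method registered; flatten the method list so it
# survives Export-Csv, and put admins at the top because they matter most.
$gaps = $details |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, UserDisplayName, IsAdmin, IsMfaCapable,
        @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ';' } } |
    Sort-Object -Property @{ Expression = 'IsAdmin'; Descending = $true }, UserPrincipalName

$adminGaps = @($gaps | Where-Object { $_.IsAdmin }).Count
"{0} of {1} accounts have no MFA method registered ({2} of them admins)" -f @($gaps).Count, @($details).Count, $adminGaps

$gaps | Format-Table -AutoSize
# Hand the list to whoever chases sign-ups; re-run until it is empty.
$gaps | Export-Csv -Path '.\mfa-gaps.csv' -NoTypeInformation
```

Two caveats. “Registered” is not “enforced”: a user who has set up an authenticator app can still sign in with a password alone unless a Conditional Access policy (included with Business Premium, which carries Entra ID P1) or Security Defaults requires MFA, so this report tells you who still needs to enrol, not whether MFA is being required. And the report only covers Microsoft accounts; donor platforms, banking portals, and social media logins need the same check by hand.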

2. Educate your team

Some cyber security measures require everyone to work together and follow best practices. Get everyone on the same page by incorporating data security training into your team onboarding processes, as well as ongoing learning and development practices.

3. Make cyber security part of your culture

In the same way that industrial businesses strive for a culture of safety to reduce accidents, digital organizations need a culture of cyber security to reduce breaches. That’s because even with the best technology, training, and policies in place, your people still need to change their practices and respond to issues that arise.

A culture of cyber security comes from a combination of things, like good leadership and collaborating on solutions.

4. Create a data security policy

If you don’t already have one, set up a data security policy for your nonprofit — and keep it up to date. Document how you handle data, privacy, and cybersecurity measures so that you can train staff and act faster in the event of an attack.

5. Do an audit

It’s a good idea to examine your systems and practices from a cyber security point of view to look for potential holes (and repeat this process regularly, and after any major change). Some providers will also run a penetration test, a controlled, simulated attack, to find vulnerabilities before a real attacker does.

6. Implement backup & recovery systems

By maintaining securely stored backups, you can prepare for the possibility that your data and systems may become compromised, go offline, or be lost altogether. Most cloud-based systems (which we’ll elaborate on shortly) have built-in backup, versioning, and recovery features, but check how long they retain deleted or overwritten files, keep at least one copy that a compromised account can’t delete, and test a restore every so often: a backup you have never restored from is an assumption, not a safeguard.

7. Implement security monitoring & regular updates

It’s important to regularly scan for security issues so that if there is a breach (or even the potential for one), you know about it right away. You’ll also need to make sure your operating systems and software are updated whenever security issues are found and patched. Security monitoring and updates usually happen automatically with cloud-based software, but the laptops, phones, browsers, and any on-premises servers that connect to it still need to be kept up to date, so it’s always good to check, just in case.

8. Work in the Cloud

Your apps and file storage systems can be made more secure, compliant, reliable, efficient, and even cost-effective by moving them to the cloud. This is even backed up by a study that showed cloud management platforms helped nonprofits ‘create or optimize operations and improve internal and external relationships with stakeholders’.

Interested in moving to the cloud? As a nonprofit, you may be eligible for up to 10 free Microsoft Business Premium licenses — plus, a discounted rate for any additional users. This license includes a range of tools that your nonprofit can benefit from, like:

  • Web, phone, and desktop Office apps (Word, Excel, PowerPoint, etc.)
  • Microsoft Teams
  • Online meetings and web conferencing
  • File storage and sharing (1TB per user)
  • Business email, calendar, and contacts
  • Security measures, like Microsoft Defender for Office 365 (formerly Advanced Threat Protection) and AccountGuard
  • Device management capabilities

Plus, you can add-on apps and components to further extend your capabilities. For example, Microsoft Dynamics 365, Azure Cloud, Power Apps, and Power BI can help with things like fundraising and engagement, constituent marketing journeys, volunteer engagement, and measuring your program’s impact.

Learn more about Microsoft’s nonprofit programs or watch their demos here

9. Switch to virtual desktops

Virtual desktops like Azure Virtual Desktop (running on Microsoft Azure) allow you to securely keep your entire desktop in the cloud, including files, apps, and the computing resources to run them. This can help simplify cyber security because it allows you to manage user access, device access, and file sharing in one place, and keep everything backed up. It can also make it easier for IT service providers (like us) to remotely manage vulnerabilities, assess compliance, and implement things like antivirus protection, malware protection, 2-factor authentication, and audit logs.

In fact, better security is one of the reasons why we helped this nonprofit training & apprenticeship center make the switch.

By the way, Microsoft offers eligible nonprofits a US$ 3,500/year grant towards Azure credits. Learn more about Azure for nonprofits here.

10. Engage an IT expert or consultant

Because cyber security is a complex, technical, and evolving space, many nonprofits choose to engage an external provider. A professional IT support team (like ours) can ensure you have the latest tools and expertise to support you with everything from audits and monitoring, to updates and software selection.

Get IT support for your nonprofit

Looking for support? Protek-IT is a Chicago-based cloud service provider specializing in IT support for nonprofits. We help you stay on budget, keep your data safe, sort out any infrastructure issues, and stay compliant. That way, you can stay focused on your mission.

We can help you implement cyber security strategies and make use of the many resources (and discounts) available so that your nonprofit isn’t an easy target for cybercrime.

To get started, contact our team for a chat so we can recommend the best solutions (and some pricing options) that will work for your nonprofit.