How nonprofits can protect their donor information from cyberattacks

March 12, 2025

Key takeaways

Keeping donor information secure is essential for nonprofits.

Nonprofits need to assess their data and create clear policies on how to protect it.

There are several best practices that nonprofits can embrace to enhance their cybersecurity.


Donors entrust their personal and financial information to nonprofits with the expectation that organizations will protect this data from malicious actors. But as cyberthreats grow more sophisticated, nonprofits must work harder than ever to safeguard donor information. Failure to do so erodes donor trust, undermines the nonprofit’s mission and even endangers the organization’s financial foundation.

The main challenges

Several issues can compromise the security of donor data. Poor data handling, such as storing sensitive information in unsecured locations, is a common weakness. Organizations that lack proper encryption controls, or that do not actively manage access controls, increase the risk of unauthorized access to data.

Furthermore, nonprofits are vulnerable to social engineering tactics, such as phishing emails or fraudulent calls, that trick employees into disclosing sensitive information.

In addition, nonprofits may rely on older infrastructure for which security patches or vulnerability remediation are no longer available. With outdated systems or software in place, an organization is more exposed to threats such as ransomware attacks, which can halt operations and cause financial and reputational harm.


Implementing safeguards


The first step toward shielding donor information is for a nonprofit to understand the type of data it processes, its ability to protect sensitive data and what data it needs to retain. Nonprofits often collect extensive information to understand donor behavior and enhance engagement, but excessive data retention can lead to increased exposure during breaches.

Classifying donor data and defining retention policies ensure that only essential data is kept, minimizing potential losses in case of an attack. Data security policies will assist in defining proper security mechanisms in line with the classification and the risk profile of the organization’s data.

With the increase in remote work and in the use of software as a service, organizations need more refined identity and access management controls. These controls should incorporate the principle of least privilege, giving individuals access only to the systems and data needed to perform their role. Nonprofits should also regularly review whether each person's access is still necessary, and enforce strong password policies and multifactor authentication.

Comprehensive security awareness training can increase the ability of employees to recognize social engineering attempts. Secondary process controls are particularly effective for financial security.

For example, a nonprofit could institute a policy that any request for a financial data change must involve a secondary verification step, like a callback to an established point of contact or a safe word, to confirm the request’s legitimacy. Additionally, nonprofits should educate donors on secure practices and provide secure portals or other authorized channels for sensitive exchanges, limiting the risks of unauthorized access or the compromise of data. Helping donors recognize red flags, such as signs of social engineering, can reduce the likelihood of a security event.

Nonprofits should also implement endpoint threat detection and response tooling across their infrastructure. Organizations should require regular vulnerability assessments and remediation to identify and address security gaps that malicious actors could exploit.


Maintaining a secure environment

Nonprofits should conduct regular assessments of cybersecurity tools and practices, ideally engaging third-party professionals to ensure comprehensive reviews. Assessments might include a technical configuration check, a procedural review or even a full program audit to verify that all layers of security are properly implemented. Smaller organizations can leverage resources like the National Institute of Standards and Technology Cybersecurity Framework 2.0, which provides accessible guidance on leading practices for smaller budgets.


Communication is key

In the event of a security incident, nonprofits must respond with precision and transparency. This process should include consulting with legal counsel, insurance providers and cybersecurity forensics firms.

For smaller organizations, outsourcing to vetted cybersecurity firms can provide access to professional support without requiring in-house resources.

Whether handling a cybersecurity event internally or outsourcing the response to an external provider, nonprofits should document lessons learned and define the changes they will make to reduce the likelihood of future incidents.

The takeaway

Protecting donor information isn’t just about shielding sensitive data from malicious actors. It’s also about preserving the trust that sustains nonprofits. By investing in comprehensive cybersecurity measures, nonprofits can demonstrate their commitment to safeguarding donors’ data, promoting trust and mitigating the risk of security incidents.

RSM contributors

  • Gianna Kubiak
    Director, Security and Privacy Services
