United States

IT risk management for nonprofits: Securing your technology and data


For nonprofit organizations, information technology (IT) risks are prevalent and continue to escalate, where organizations must keep pace with threats and emerging regulatory requirements. Unfortunately, many nonprofits have limited internal resources that are focused on maintaining operations and may not have visibility into potential technology risks. However, your organization must understand how to implement strategies to protect your technology and information assets, allowing you to better accomplish your mission.     

The IT concerns within many organizations center on two key areas: IT strategy and IT security. In many cases, nonprofits do not have a defined IT strategy, leading to applications not aligned to mission critical objectives, and not being able to efficiently access data when needed. In addition, many organizations do not establish key performance indicators (KPIs) that help make better decisions or have systems that can scale with growth or automate manual processes.

While IT strategic challenges can hinder operations, IT security issues can present significant threats to your IT environment which may result in a loss of data and reputational damage. With outdated or ineffective technology in place, many nonprofits can have vulnerable systems and weak controls, potentially exposing key donor, employee and volunteer information to unauthorized users and external threats. In addition, data privacy regulations are evolving, and many organizations are not aware of them, or don’t think they apply when in actuality, they do.

For example, your IT systems may need to comply with the European Union’s (EU) new General Data Protection Regulation (GDPR) guidelines that go into effect in 2018, strengthening protections for EU resident data, whether that data resides in the EU or not. Therefore, GDPR is applicable to organizations worldwide that collect or process EU resident data, including those not based in Europe and without European operations. Many nonprofits handle or process EU resident data, and would be subject to significant fines and reputational damage for noncompliance.

Your organization can implement multiple processes to secure the critical applications, supporting systems and databases to ensure the confidentiality of your key information assets. These include:

  • IT gap assessment: An assessment will typically project your organization’s IT and system needs in future years. It will document opportunities to enhance your governance structure, policies and procedures, and evaluate the use of KPIs and dashboards to make strategic decisions that align with your business objectives and goals.

          In addition, the gap assessment can focus on regulatory privacy expectations and general data protection expectations.   

  • Comprehensive enterprise-wide information security risk assessment: This assessment evaluates your entire security environment, and provides an understanding of the risks prevalent within your organization, evaluating threats so you can direct efforts and controls toward the most significant risks. This assessment also emphasizes documenting your organization’s processes and key controls to determine whether they mitigate your risks and effectively scale with growth.

As threats continue to evolve, the IT control environment for nonprofits becomes more challenging to monitor and threatening to operations. To help identity and manage the most critical IT risks and also achieve compliance with regulatory guidelines, organizations must implement an effective IT security and privacy posture that look at both current needs, as well as future demands.  



Bob Billig
National Practice Leader