Cybersecurity and Nonprofits

  • Nonprofits
  • 11/11/2021

Cybersecurity is a growing concern for the nonprofit community. Included are a few recommendations to remain secure.

With October — Cybersecurity Awareness Month — in the past, one big takeaway is that cybersecurity risks are becoming more sophisticated and a real threat for the nonprofit community.

Today, many nonprofits are operating lean work environments and navigating ongoing pandemic challenges, which typically means cybersecurity is lower priority, or even worse, left to basic firewalls and policies to address this growing concern. Unfortunately, cyberattacks have become more sophisticated and frequent. Risk is expedited by the advancement in automation and technology and by targeting the vulnerability and urgency of those navigating the pandemic, including nonprofit professionals working remotely. In many cases, these employees’ homes and personal financials have become vulnerable and susceptible to cyberattacks. 

The nonprofit community is a primary target as it usually has a wealth of sensitive information. This can range from academic records, personal identification information (i.e., name, social security, driver’s license numbers, government ID numbers), user credentials, donor information, and medical or health information of customers, patients, and employees. A breach and loss of any of this information can be damaging to a nonprofit’s reputation or ability to further its mission.

With that all said, it is critical that nonprofits take time to assess their current IT environment and cyber infrastructure, regardless of their size, type, or sophistication. A nonprofit’s IT environment and cyber infrastructure should be a regular conversation at management and board meetings, and all parties should be working collaboratively with internal and/or external IT professionals to understand their vulnerabilities.

Below are some basic and intermediate recommendations nonprofits can take to help remain secure:

Technology TeamHuman OperationsProcess and Policies
– Implement multi-factor authentication
– Encrypt all device hard drives
– Keep firewall current and properly configured
– Confirm anti-virus/malware detection is provided organization-wide
– Actively review/patch organization devices
– Periodically conduct baseline scans and review results for vulnerabilities
-Create and monitor logs of network events that could help detect, prevent, or recover from a cyberattack
– Create a standard approach for cybersecurity concerns
– Conduct baseline phishing attacks
– Include cybersecurity training as part of onboarding processes
– Establish regular cybersecurity trainings and educational opportunities for employees
– Conduct annual review of user logins and related user access rights to applications, software, and data
– Establish and require signoff of computer user policies
– Determine, communicate, and enforce controls about which devices and software programs can connect to the organization’s network
– Review and acquire cyber insurance or similar coverage
– Encourage technology leadership and key personnel to undergo annual cybersecurity professional development
– Conduct annual review of cloud-based security agreements
– Conduct third-party cybersecurity audits and assessments
– Review and confirm organization continuity plans
– Implement a documentation retention and destruction plan

How CLA can help

At CLA, we promise to know you and help you. We can help nonprofits navigate their cybersecurity vulnerabilities and provide them with the resources needed so they can continue to focus on their missions and communities. Check out the CLA cybersecurity website to learn more. Additionally, feel free to sign up to receive news and information from our cybersecurity team. 

This blog contains general information and does not constitute the rendering of legal, accounting, investment, tax, or other professional services. Consult with your advisors regarding the applicability of this content to your specific circumstances.

Experience the CLA Promise


Subscribe