Nonprofit organizations operate under a unique business model; while they have traditional employees and regular business expenses, their "revenue" comes from donations, volunteer work, and government grants. In many cases, they have slim budgets and little funding for the cybersecurity solutions that many businesses take for granted.
Most nonprofits do not have the funding to implement the latest cybersecurity defensive technology. This lack of information security makes them a prime target for threat actors looking to steal sensitive information. There are a few ways to keep your defenses up and avoid elementary cyber attacks for nonprofit executives and volunteers.
An essential first step is to adopt an information security posture of least privilege and limited access to sensitive data housed by the nonprofit entity itself. Nonprofits sometimes have a myriad of volunteers and staff who are transient. These staff members should not have access to any business systems nor be given a nonprofit email address unless warranted. If someone does need access, only grant permissions and privileges for the subset of data and applications they need instead of taking the easy route of making them an administrator of a resource.
While most mature organizations have a data retention policy and purge emails and files after an established period, most smaller businesses and nonprofits do not have the expertise or procedures to manage data in this manner. If a threat actor does succeed in breaching your environment, they could potentially have access to years of sensitive information, including donor records and transactions. Based on your local laws, determine how long you need to keep sensitive information and purge anything older periodically. You can sanitize portions of them to glean potential future donors, for example, but you can severely lower your risk by reducing the information a threat actor could steal.
Ransomware and malware target every business, person, and entity with an internet presence; nonprofits are no exception. With any cyber threat, the first and last line of defense is prepared leaders and employees. An effective user security training program ensures that employees have the resources and knowledge to recognize suspicious behavior from attackers. Training can take the form of whatever fits best into your company culture, whether it's a weekly newsletter, team meetings, or interactive quizzes -- the more engaging, the better.
Nonprofit organizations provide a world of hope in these troubling times, and the value they provide to a community could last for generations. Unfortunately, like any other business, they are susceptible to a cyberattack. Nonprofits potentially have a higher risk surface due to the lack of funding, expertise, and security discipline. With a few basic steps and a few properly placed questions to other businesses, nonprofits can improve their security postures to defend against some of the most basic and troubling attacks.