The Importance of Cybersecurity for Nonprofit Organizations

Why Cybersecurity is a Priority

It seems like every time I scroll through my news feed, there are multiple articles about cybersecurity. But when you consider that data breaches exposed 7 billion records in the first half of 2024 (source: IT Governance), it’s understandable that cybersecurity is such a hot topic right now.

Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. Maintaining that security is a problem for all industries, but it has become a particular challenge for nonprofit organizations. Nonprofits often operate on very limited budgets and dedicate most of their funds to fulfilling their missions. This makes it difficult not only to prioritize cybersecurity, but also to attract the talent needed to stay secure.

But we can no longer afford to ignore it. It’s more important than ever for cybersecurity to be a priority, embedding it in your organization’s culture from the ground up. If you think “that would be nice, but we just can’t afford it”, then I would ask “what is your organization’s reputation worth”? Because a breach that exposes the data of your donors, supporters, and/or clients can destroy it in an instant.

Cybersecurity and Your Workforce

Here are some staggering statistics to highlight why your workforce should be well-versed in security practices:

1. Over 75% of targeted cyberattacks start with an email, meaning phishing is still the number one tool for cybercriminals. (Source: Verizon)
   • Millennials are the most frequently targeted age group, making up 37.4% of phishing targets.
2. 94% of malware is delivered by email. (Source: Verizon)
3. The average employee reuses each password as many as 13 times.
4. 49% of employees change or add a character to their password when updating it. (Source: HYPR)

If your organization is still conducting cybersecurity training once a year for its employees to prepare them to protect your networks and data, these statistics should tell you that more is needed.

The reality is cybercriminals know that the easiest way to gain access to secure networks or steal data is to target people who already have access and steal their login credentials. That means your employees are prime targets. Providing them with “one-and-done” security training is like sending them out into a hurricane with only an umbrella. But a robust cybersecurity culture empowers your employees, ensuring they understand the importance of security measures which, in turn, makes the entire organization more resilient to cyberattacks.

A successful cybersecurity strategy is one that is always evolving. It is a team effort that should be championed from the top, down.

Where do we start?

Creating a culture of cybersecurity awareness is not as daunting a task as it may it seem. Here are some recommendations that can immediately improve your organization’s security disposition:

Forget Your Password with a Password Manager

Most of us are juggling a considerable number of accounts on a daily basis. There’s simply no practical way for your employees to memorize such a large quantity of unique, complex passwords. They’ll either repeat the weak passwords they already have across agency accounts, or they’ll create new passwords that they have to write down somewhere in order to keep track. Neither of these options are acceptable because both put your organization at major risk of a breach.

More statistics – in 2023, 80% of hacking-related breaches were caused by compromised, weak, and reused passwords (source: Verizon). Approximately 65% of users reuse the same password for multiple accounts.

How many applications is your organization currently using? And how much of your agency’s information is spread across all these applications? Scary, isn’t it? One person’s weak password has the potential to compromise not only the entire organization’s data, but also the data of those served by that organization.

The first step your organization should take is to eliminate weak or reused passwords. Consider implementing a password service agency-wide (like DashLane or LastPass) to generate and autofill complex passwords. Remember this simple adage: the best possible password is one that even you don’t know.

Train Your Employees…Then Go Phishing

Prevention is only possible by training and preparing users against the variety of threat scenarios that impact organizations. The best training is live training where you can see who understands and who needs more help. After training, you can simulate phishing attacks at your organization so you will be better prepared for real attacks. Microsoft’s Attack Simulator and KnowBe4 offer free programs that gauge your organization’s awareness and response to hacking attempts. Regular phishing attack simulations will not only reinforce training for your users, it will also give you insight into how well they’ve learned so your training program can continue to evolve.

Use Multiple Lines of Communication

Phishing emails don’t always come from strangers. They can often come from friends and co-workers. If you receive a request for sensitive information — a routing number, login information, password verification, or even access to a document — it’s always best to reach out to the sender through a different route to confirm that the message isn’t fake. For example, if a coworker sends you a request for sensitive information in an email – you should call or text them to ensure the validity of their request.

Employ Multi-Factor Authentication (MFA)

Multi-factor authentication is a security method that requires two or more forms of identification to verify your identity before granting access to an account or resource. The more barriers we put in place, the more difficult it will be for cybercriminals to infiltrate our data infrastructure. Technology like multi-factor authentication can significantly reduce the likelihood of a breach.

Remember, the idea is to reduce risk by creating layers of protection. Imagine your organization’s data are priceless jewels. You put those jewels into a locked box. Then you put that box into a locked chest and shut it all inside a locked vault.  Each of these locks has its own unique key (password). So, a hacker might be able to get past one layer of defense, but additional protection measures can make it harder for the wrong people to get to your data.

Creating a successful MFA program is essential. It’s also important that employees understand why it’s essential, so make sure they do.

Don’t Use Public Wi-Fi

Many organizations still haven’t developed policies to address work from an alternate location or, if they have, those policies often don’t address security.

Connecting to public WiFi in a cafe, airport, or hotel can be risky for several reasons. Most public Wi-Fi networks are unencrypted, meaning any data transmitted over them can be easily intercepted by cybercriminals. Hackers can also set up a fake Wi-Fi networks to trick users into connecting. Once connected, they can steal your data. Additionally, public Wi-Fi networks can be used to distribute malware to connected devices.

If connecting to public Wi-Fi is absolutely necessary for any of your employees, your organization’s policy should stipulate that they must use a VPN (Virtual Private Network) to secure their connection.

Don’t Ignore Application Updates

Cybercriminals love hardware that’s running outdated software. They use weaknesses in software and apps to attack your devices. Software and app updates may feel like a hassle, but they are designed to fix these weaknesses and installing them as soon as possible will keep your devices secure.

A Worthwhile Endeavor

Cybersecurity awareness is an investment of time and money, but a very worthwhile one. When considering the cost of cybersecurity and cybersecurity awareness training, it’s easy to argue that there are bigger battles to fight. But the reality is the costs to recover from a data breach could be insurmountable, effectively shutting down your organization and the good work you do.

If that thought keeps you awake for the next few nights; I’m glad. It’s not that I want you to lose sleep, but I do want you to understand the seriousness of the threat, and that it is very real for all of us. Cybersecurity must be the responsibility of your entire organization. Creating a culture of cybersecurity awareness empowers all employees to be cyber crime-fighters, proactively protecting your organization from cybercriminals.