Non Profit Cyber Security



If your non-profit engages in any e-commerce such as processing donations, stores or transfers personally identifiable information about anyone, including donors (for example, by sending it to the cloud), or collects information on the preferences and habits of donors and patrons, it is time to get serious about taking steps to address cybersecurity risks.

Not to mention there are real risks to your own nonprofit’s data security.

So, what are the risks and what should we do?

Data breaches are both likely to happen and can result in serious harm. Most nonprofits collect and store sensitive personal information that is protected by law as confidential. When the confidentiality of this data is breached, it poses a risk for the individuals whose data was disclosed, AND for the nonprofit, which will now potentially be subject to liability for the breach. It makes sense for EVERY nonprofit to, at a minimum, assess the risks of a data security breach and protect its data from unauthorized disclosure. This is why utilizing a platform such as is so beneficial to any nonprofit organization. Our servers are protected by, an industry leader in cybersecurity and secure hosting.

First Step | Risk Assessment

The first step should be taking an inventory of all the data your nonprofit collects and where/how it is stored. Ask: What data do we collect about people? What do we do with it? Where do we store it? Who is responsible for it? Think about the cost/benefit of maintaining all that data. You may find that there is data your nonprofit is currently asking for and keeping that it doesn’t really need. If so, reducing or limiting the data that your nonprofit collects, and streamlining the storage process (as well as diligently destroying data in accordance with the nonprofit’s policy) could be easy first steps towards mitigating risk.

Second Step | Is Your Data Protected and Confidential

Second, know whether the data your nonprofit collects and maintains is covered by federal or state regulations as “personally identifiable information.” If so, forty-seven states’ laws require nonprofits to inform persons whose “personally identifiable information” is disclosed in a security breach, and 31 states have laws that require disposal of such data in certain ways. Additionally, the Federal Trade Commission's Disposal Rule requires proper disposal of information in consumer reports and records to protect against “unauthorized access to or use of the information.” Protecting personally identifiable information is all about training staff in how to collect, store, dispose of, and generally protect this data.

Even if you are collecting data that doesn’t rise to the level of “personally identifiable information,” a breach of that data can be harmful to the organization’s reputation and ability to bring in contributions. All data reflecting personal preferences are important to keep secure.

Third Step | Identify Actual Risks

Look at the likelihood of some cybersecurity risks: What is the risk of a third party compromising your nonprofit’s data security? Many nonprofits use outside assistance, such as an outsourced bookkeeper, IT consultant, payroll service, or even a cloud storage service. If any of these third-party vendors do not employ adequate data security protection, the nonprofit’s data security will be at risk. Other types of third-party access might include a donation processing service or any outside professionals with authority to access the administrative side of your nonprofit’s website or shared electronic files. Consequently, when hiring third parties for any projects that involve data access by the vendor, make sure that you are satisfied with the firm’s data security protocol.

The idea of someone hacking your nonprofit’s website or data storage is unnerving, but in today’s world such incidents have become practically commonplace. Failing to assess and address cybersecurity risks is like failing to lock your doors: is it worth the risk?