- Security and privacy simply aren’t part of the mission description and only become a priority when painful, reactive incidents move them forward.
- Donor/member data is on the line. Proper stakeholder stewardship is essential, and the consequences of cyber risks will impact their support of your movement and, further, your revenue.
- Cyber breaches have significant operational impact. Expect costly organizational interruptions, service delays, and potential fines and penalties.
Our Advice
Critical Insight
A nonprofit organization’s fiduciary obligation and mission promise to prioritize the interests of the stakeholders it serves must be interpreted to include its obligation to protect IT assets that hold personal data through privacy and cybersecurity protocols.
Impact and Result
- Articulate the importance of robust cybersecurity and privacy programs to key stakeholders by speaking the language the organization understands.
- Understand measures to mitigate the leak or loss of donor/member data by evaluating the intersection of privacy and security and their separately defined Info-Tech frameworks.
- Take the first step by assessing your privacy and security gaps.
Strengthen Your Nonprofit’s Privacy and Security Operations
Protect the information of your members, donors, and users.
Analyst Perspective
Security and privacy are part of the mission
Don’t neglect data security and privacy in favor of mission-focused tasks. It’s crucial to remember that if privacy and security fall short, it may become impossible to carry out tasks and initiatives that fulfill your mission. The stakes for nonprofits are much higher than for for-profit businesses. Data breaches can put your members, donors, and users at risk, disrupt nonprofit operations, expose liability, and ruin the reputation (and revenue) nonprofits have built.
Nonprofits are starting to pay attention, yet they are loath to make these changes because capital and human resource constraints remain major obstacles on the path to maturity and consistency.
This report is designed to encourage nonprofits in starting or continuing a security- and privacy-focused path by identifying key data protection challenges and outlining steps nonprofits can take to strengthen their operations, provide consistent protection, and overcome capital and human resource constraints.
Monica Pagtalunan
Research Analyst, Industry Practice
Info-Tech Research Group
Executive Summary
Your Challenge
- Security and privacy simply aren’t part of the mission description and only become a priority when painful, reactive incidents move them forward.
- Donor/member data is on the line. Proper stakeholder stewardship is essential, and the consequences of cyber risks will impact their support of your movement and, further, your revenue.
- Cyber breaches have significant operational impact. Expect costly organizational interruptions, service delays, and potential fines and penalties.

Common Obstacles
- Financial resources, staff, and skills to run security and privacy efforts efficiently are limited.
- Mission-focused budget initiatives will always win over operational ones. The industry uniquely faces more budget constraints than time constraints.
- The foundations of cybersecurity and privacy have not been defined, with the assumption that security and privacy are one and the same.
- Cyber insurance is inaccurately viewed as the end-all solution for lacking safety standards.

Info-Tech’s Approach
- Articulate the importance of robust cybersecurity and privacy programs to key stakeholders by speaking the language the organization understands.
- Understand measures to mitigate the leak or loss of donor/member data by evaluating the intersection of privacy and security and their separately defined Info-Tech frameworks.
- Take the first step by assessing your privacy and security gaps.
Info-Tech Insight
A nonprofit organization’s fiduciary obligation and mission promise to prioritize the interests of the stakeholders it serves must be interpreted to include its obligation to protect IT assets that hold personal data through privacy and cybersecurity protocols.
Every nonprofit is different but similar
Nonprofit organizations have different primary purposes… The nonprofit sector covers a wide range of organization types, each with their own complexity and uniqueness.
…but overall have similar objectives… Each nonprofit’s mission is central to its purpose. Every decision the board makes focuses on the mission, vision, and values of the organization.
…and sources of funding. Funding comes from operations, donations from generous stakeholders, grants, membership fees, philanthropic efforts, sponsorship, and government support.
Info-Tech Insight
Any impact to your generous stakeholders’ satisfaction and perception of the organization will impact their generosity and support of the mission.
Cyber risk is heightened
Physical asset security is still valid for some nonprofit organizations, especially where paper-based manual processes are prominent. This component includes ensuring that physical devices cannot be easily carried away from the office, locking wall-to-wall filing cabinets, installing physical alarm systems, and storing external hard-drive backups in secure locations.
Data, security, and privacy are the foundations of digital transformation. For the most part, nonprofit organizations are shifting toward digital, with tools such as public-facing websites, social media, online donation forms, and cloud-based platforms.
Members, donors, and users are increasingly using smart devices to access information, engage with the organization, and make donations. Social media remains an important connection tool to promote events, share information, and build a community.
This change means the cybersecurity risks are heightened. Cybersecurity protection includes enabling automatic software updates, enabling firewalls, setting complicated passwords that are regularly changed, and installing individualized screen locks on digital devices.
Cyber incidents are on the rise
Note: Community IT Innovators exclusively serve nonprofit IT teams from around the world. This report encompasses cyber incidents that have occurred among their clients alone. Therefore, these numbers are not representative of the entire nonprofit industry.
Source: Community IT Innovators, 2022.
The most concerning exposure for nonprofits is the leak of information
It’s not just an IT problem; the organization will be impacted.
Your External Stakeholders | Impacted Data | Risk Exposure | Impacts
---|---|---|---
Donors; members; users | Traditional PII; personal data; sensitive personal data | Data collection; processing donations; processing event registrations; transferring data (e.g. to the cloud); storing data (e.g. in enterprise systems) | Exposed confidential/sensitive information; inaccessible data and compromised environment; reputational damage and loss of support and revenue; legal/regulatory fines and investigations; organization interruption
Nonprofits are attractive as “low-hanging fruit”
"You don't want to become the headline. Our organization relies on people's generosity. If there's a massive breach, people will not donate. With that type of reputational damage, the organization's future would be in jeopardy."
– Ramadji Doumnande, Director of IT Operations and Security at National Parks Conservation Association
Cybercriminals want what nonprofits have – data. The most concerning data breach is the leak of sensitive donor/member information. Donors/members are important external stakeholders that nonprofits heavily rely on for their support, and the exposure of donor/member data can impact their trust and confidence in your organization. Consider the following pieces of personal data that your organization collects:
Traditional PII: Personally identifiable information | Personal Data: Any information relating to an identified or identifiable person | Sensitive Personal Data: Special categories of personal data (some regulations, like GDPR, expand their scope to include these)
---|---|---
Full name (if not common) | First, middle, and last names | Biometric data: retinal scans, voice signatures, facial coding, or neuroscience data
Home address | IP address | Health information: patient identification number or health records
Date of birth | Email address or other online identifier | Political opinions
Social security number | Social media post | Trade union membership
Banking information | Location data | Sexual orientation and/or gender identity
Passport number | Photograph | Religious and/or philosophical beliefs
Etc. | Etc. | Ethnic origin and/or race
Source: Qostodian Recon, 2021
Data is an invaluable asset – ensure it’s protected
Industry Case Studies
People Inc
Up to 1,000 clients’ data was exposed after a hacker infiltrated an employee’s email account that was protected by a weak password. The accounts involved contained personal, sensitive information including names, addresses, social security numbers, financial data, medical information, health insurance details, and government IDs.
ZDNET, 2019.
American Dental Association
Hackers claimed that they had leaked 9 gigabytes of the American Dental Association’s data, with security researchers confirming the breach of tax forms (e.g. W-2s), financial spreadsheets, and information about private practices. Additionally, the hackers that triggered the malware forced certain critical systems offline, including web-based chat, email, and telephone services.
Forbes, 2022.
ICRC
The ICRC breach was found and disclosed on January 18, 2022, but the actual intrusion took place the previous year, on November 9, 2021. Hackers exploited a vulnerability found in their email platform, Zoho, to bypass authentication, place web shells, and compromise administrator credentials. The details of more than 515,000 people are believed to have been collected, including data such as names, locations, and contact information.
The Record, 2022.
Trust is required from an external perspective
“Without trust, nonprofits lack a key ‘currency’ that allows them to operate smoothly.”
– Jeffrey Moore, Chief Strategy Officer at Independent Sector
Source: The Chronicle of Philanthropy, 2022.
Trust is the currency of the industry. High levels of trust allow nonprofits to raise more money for the mission and build strong working relationships with their supporters and the communities they serve.
Security and privacy breed trust. Protecting financial and personal information of those who contribute is critical to the nonprofit organization’s ability to earn and maintain trust and funding. Forward-thinking organizations understand how important security is to fostering trust, and they often prioritize security at the highest leadership levels (executives and the board) to emphasize its importance.
Strengthen your most valuable asset. To build trust, nonprofit organizations need to pay diligent attention to security and privacy fundamentals and foundations. Organizations can still secure the environment while concentrating on mission-based initiatives.
Source: “Trust in Civil Society,” Independent Sector, 2022.
Human and capital resources constraints are obstacles to privacy and security operations
CHALLENGE #1
IT staffing and budget constraints
75% of nonprofit organizations see IT budget as a barrier
82% of nonprofit organizations see staff time as a barrier
Source: nten, 2022.
CHALLENGE #2
Effects of cybersecurity skills gap
Nonprofit organizations are not confident in performing basic cybersecurity tasks.
Source: Ipsos, 2022.
CHALLENGE #3
Lack of security culture within the organization (executives and/or end-users)
59% of nonprofit organizations do not have cybersecurity training for staff.
Source: nten, 2018.
Constraints have impacted security and privacy maturity levels
Do not give in to the “low pay, make do, and do without” culture.
60% | 92% | 74% | 64%
---|---|---|---
Nonprofits do not have, or know of, policies around cybersecurity, equipment usage, and data privacy. | Nonprofits state they could access organizational email and files using personal devices. | Nonprofits do not have policies that identify personal data among other data that is collected. | Nonprofits do not have policies for educating beneficiaries or donors on how data is used/stored.
Source: Microsoft, 2017
Human and capital resource budget constraints have impacted the quality of security and privacy operations. Organizations are struggling with cyber and privacy basics, increasing the likelihood of cyber incidents.
Under-funding and under-resourcing can have disastrous effects. A data leak is not just a cyber risk; it’s an operational risk. The organization will feel effects related to finances, reputation, operations, and regulations.
Capacity building is critical to the infrastructure and health of a nonprofit organization. IT staffing, budget, skills, and security culture are forces that have fuelled the nonprofit industry’s underinvestment in security and privacy. However, there is an opportunity to achieve effectiveness. Strengthening security and privacy is indeed possible, but organizations still hold the inaccurate assumption that a lack of capital and human resources is an unsolvable problem.
Cyber insurance should not be a band-aid solution intended to cure all cybersecurity concerns
Insurance companies are increasing premiums to keep up with the increase in cyberattacks. The costs from lawsuits, ransomware payouts, and other remediations have driven this increase. Insurance companies are not willing to lose money on cybersecurity, so policies are getting more expensive.
Companies with poor cyber hygiene will be rejected or quoted a high premium. It’s now harder to qualify for cyber insurance. You will have to attest to the strength of your security controls through a self-assessment.
Cyber insurance is not a mitigation plan. Some companies see cyber insurance as a way to get around improving their IT security. After all, if your losses in the event of an attack are covered, why should you take extra steps to prevent data breaches?
It’s one more tool in the toolkit. On top of your security and privacy program, cyber insurance should be one extra layer to protect your supporters’ data. Best practice is gaining appropriate technologies and tools to satisfy cyber insurance requirements.
74%
Cyber insurance premium increase percentage in 2021
Source: Fitch Ratings, 2022
57%
Increase in claim frequency among nonprofits for first half of 2022
Source: Coalition, 2022
Privacy should not be viewed strictly through a compliance lens
Bring your stakeholders into the picture
By offering stakeholders transparency and control over their personal information, a good privacy program and its policies can shield nonprofit organizations from the financial and reputational harm posed by a data breach, while a flawed policy can exacerbate the problems caused by a breach.
Although regulators focus on the enforcement of these eight areas, understand the impacts on your organization and stakeholders:
Stakeholder Impact
- Leverage to identify and mitigate privacy risks that impact your stakeholders.
- Promote transparency and give stakeholders more control over the way their data is collected and used.
- Avoid the high protection, storage, and retention costs associated with hoarding vast amounts of data.
- Build stakeholder trust by capturing less information to begin with. Reduce the information available to steal by only collecting the data you need.
- Don’t entrust data protection solely to a vendor. Their poor cybersecurity practices and conduct reflect poorly on you.
- Leverage technology that enhances visibility and transparency into the “when” and “how” of payment statuses.
- Give your stakeholders the right to obtain a copy of their personal data that your organization stores.
- Efficiently mitigate damages to reduce the time taken to rebuild trust and confidence with impacted stakeholders.
Establish your compliance requirements for alignment
Federal/National Privacy Regulation | Industry Privacy Regulation | Information Security Privacy Framework
---|---|---
GDPR; CCPA/CPRA; PIPEDA/CPPA | HIPAA; PCI | NIST Privacy Framework 1.0; ISO/IEC 27701
Info-Tech Insight
Nonprofits should follow standards like PIPEDA as best practice even though PIPEDA generally applies only to “commercial activities.” Keeping your organization and stakeholders protected should be top of mind.
Security and privacy are not the same but are intertwined
A common assumption is that security and privacy are one and the same...
Security’s role is to protect and secure assets, of which confidential data – especially personal data – is a large focus. The consequences of a personal data breach can be severe, including potential regulatory consequences and the loss of customer trust. As a result, we often think of how we use security to protect data.
Information security common functions include:
…but security is not equivalent to privacy.
Privacy must be thought of as a separate function. While privacy will always have ties to security in the ways security protects data, privacy starts and ends with the focus on personal data. Beyond protection, privacy extends to understanding why personal data is being collected, what the lawful uses are, how long it can be retained, and who has access to it.
Privacy common functions include:
Integrate security operations into your privacy operations
Do common things uncommonly well
Even the cybersecurity basics can help nonprofit organizations secure the environment and protect data in the face of cyber risks.
Prevent
Create security policies, including bring your own device (BYOD) and device security policies.
Improve endpoint and vulnerability management to manage devices connected to systems of data and assess entry points.
Enable multifactor authentication.
Ensure vendor compliance with requirements necessary for protecting access to personal identifiable information of customers/donors.
Implement a robust data backup process and redundancy policy.
Improve identity management by limiting access to sensitive data and implementing least-privilege access.
Encrypt sensitive and important data to guard against ransomware attacks and to support your recovery strategy.
Implement strong passwords and change passwords often.
Detect
Patch systems to address vulnerabilities that could lead to ransomware attacks.
Conduct phishing tests and use anti-phishing tactics.
Perform regular stress tests of networks and systems.
Audit systems regularly to identify potential risks.
Analyze
Understand the threat’s scale and scope. Contextualize:
- What sort of threat is this?
- What systems or resources is it targeting?
- Where did it come from?
- How many other devices has it been able to infect?
- Which resources in other areas of my network are vulnerable?
Respond
Define and uphold post-incident record-keeping requirements in the event of a breach.
Every nonprofit organization can strengthen its security and privacy operations
Leverage Info-Tech’s security research library regardless of your maturity level
| Starting point: Gauge your current security and privacy posture. | Build the fundamentals: Establish your security and privacy program. | Take a risk-based approach: Mature your security and privacy program.
---|---|---|---
| Assess and evaluate to understand gaps | Establish your cybersecurity and privacy functions | Place focus on the highest-risk areas
Privacy Operations | Conduct a Privacy Gap Analysis; Establish Compliance Requirements | Build Your Data Privacy Program | Mature Your Privacy Operations
Security Operations | Conduct an Information Security Gap Analysis | Build Your Information Security Strategy | Leverage Info-Tech’s Security Research Center
Security & Privacy Oversight | Develop Your Security Outsourcing Strategy | Embed Privacy and Security Culture Within Your Organization | Develop a Security Awareness and Training Program That Empowers End Users
Your data privacy and security journey starts with gap assessments
Assess for three reasons:
1. Make the case to executives for security and privacy investment buy-in.
Justify IT budget changes. Following a systematic investigation of all security functions and understanding of program gaps, security leaders can effectively estimate their necessary security budget or shine a light on areas where intolerable risks will persist without budgetary relief.
2. Develop an actionable security and privacy roadmap.
Highlight functions that were previously overlooked. A systematic approach lays a foundation across all areas of information security on which to build a complete program. Instead of pursuing new projects in an ad hoc manner, you can use our systematic methodology to build a comprehensive security program today and enable ongoing management of inevitable changes to the initial program.
3. Improve your cyber hygiene for the sake of cyber insurance.
Lessen premiums and gain approval for cyber insurance by identifying and evaluating your weaknesses. Consider the following:
- Firewalls and antivirus
- User training
- Secure connections
- Technology configurations
- Organizational policies and procedures that aim to prevent breaches and dictate responses to violations
Improve security and privacy oversight
Embed awareness, skills, and resources
Develop Your Security Outsourcing Strategy
Outsource what you can; you can’t do it all by yourself.
Security operations is a 24/7 business. Organizations must devote appropriate resources for oversight and supervision of security and privacy operations, regardless of the cybersecurity skills gap or IT staffing/budget constraint. If hiring an in-house IT team is not possible, outsourcing must be considered.
Embed Privacy and Security Culture Within Your Organization
Effectively communicate the impact and value to the organization.
Executive buy-in enables the IT resources and budget needed to mature your security and privacy operations. To truly take hold, privacy and security engagement must be supported by senior leadership, aligned with business objectives, and embedded within each of the organization’s operating groups and teams.
Develop a Security Awareness and Training Program That Empowers End Users
Your most naive staff member is the weakest link.
Educate and train all staff on security awareness, incident response and handling, and general data security risks. Security education should be at the forefront of users’ minds. Constantly refresh their memories so they are continuously watchful for risks such as phishing emails.
Contributors
Craig Bradley
SVP of IT
YMCA of Greater Toronto
Anonymous
IT
Pew Research Center
Anonymous
IT
Pew Research Center
Alan Tang
Principal Research Director
Info-Tech Research Group
Bob Wilson
Research Director
Info-Tech Research Group
Bibliography
“2022 Nonprofit Cybersecurity Incident Report.” Community IT Innovators, 2022.
“2022 Cyber Claims Report.” Coalition, 2022.
“2023 Nonprofit Trends Report.” Cerini & Associates, 2023.
“4 Key Thoughts on Cyber Insurance for SMEs.” IT Force, n.d.
“Cyber security skills in the UK labour market 2022: Findings report.” Ipsos, 2022.
“Cybersecurity within Nonprofits.” Eide Bailly, n.d.
“Health of the U.S. Nonprofit Sector.” Independent Sector, 2022.
“How Data Breaches Happen.” Kaspersky, n.d.
“Managing Nonprofit Tech Change 2022 Report.” nten, 2022.
“Nonprofit Cybersecurity: Balancing Best Practices, Budget, and Team Productivity.” Build Consulting, 2022.
“Nonprofit Guidelines for Cybersecurity and Privacy.” Microsoft, 2017.
“NPCA Achieves PCI Compliance in the Cloud.” Qostodian Recon, 2021.
“Privacy and Cyber Security: Emphasizing privacy protection in cyber security activities.” Office of the Privacy Commissioner of Canada, 2014.
“Privacy vs. Security: Understanding the Difference.” Audit Board, 2022.
“The changing role of the board on cybersecurity.” Deloitte, 2021.
“Trust in Civil Society: Understanding the factors driving trust in nonprofits and philanthropy.” Independent Sector, 2022.
“US Cyber Insurance Sees Rapid Premium Growth, Declining Loss Ratios.” Fitch Ratings, 2022.
Chimwanda, Elastos. “Essentials for an Effective Cybersecurity Audit.” ISACA, 2022.
Cimpanu, Catalin. “Red Cross blames hack on Zoho vulnerability, suspects APT attack.” The Record, 2022.
Daniels, Alex. “Trust in Nonprofits and Philanthropy Continues to Be Higher Than in Government and the News Media.” The Chronicle of Philanthropy, 2022.
De Vries, Jennie. “What drives cyber security investment? Organizational factors and perspectives from decision-makers.” Technical University Delft, 2017.
Hill, Michael. “Altruism under attack: why cybersecurity has become essential to humanitarian nonprofits.” CSO, 2022.
Holland, Jake. “Cyber Insurance Policies Grow Pricey Amid Rising Hacks, Lawsuits.” Bloomberg Law, 2022.
Hulshof-Schmidt, Robert. “State of Nonprofit Cybersecurity.” nten, 2018.
Jesenik, Jessica. “Is your nonprofit organization headed for a data breach?” Software One, 2021.
Köller, Joe. “Is Cyber Insurance Worth It? Advantages, Coverage & Requirements Explained.” Tenfold, 2021.
Maddison, John. “Managing Risks with Limited Resources.” CSO, 2019.
Martin, Carolyn. “Protecting Privacy: A Nonprofit’s Guide to Data Privacy Breaches.” Lutzker & Lutzker, 2021.
Martin, Kelly. “Research: A Strong Privacy Policy Can Save Your Company Millions.” Harvard Business Review, 2018.
Mathews, Lee. “Ransomware Criminals Strike American Dental Association.” Forbes, 2022.
Medwick, Jennifer. “Nonprofit Organizations and Data Security Incidents – How to Manage and Respond.” JDSupra, 2022.
Osborne, Charlie. “One of New York’s largest nonprofits suffers data breach.” ZDNET, 2019.
Osmond, Chad. “What’s Changing in the Cybersecurity Insurance Market?” Smarter IT Services, 2023.
Price, Nick. “How the Board Structures of For-Profit and Not-for-Profit Organizations Differ.” Board Effect, 2018.
Raghavan, Kamala. “Cybersecurity in Small Businesses and Nonprofit Organizations.” Today’s CPA, 2016.
Shainblum, Esther. “Online Privacy and Cybersecurity Issues for Charities and NFPs.” Carters, 2022.
Townley, Pam. “Cyber-Liability Insurance 101 for Nonprofits.” Associations Now, 2017.