Strengthen Your Nonprofit’s Privacy and Security Operations

Protect the information of your members, donors, and users.

Analyst Perspective

Security and privacy are part of the mission

Don’t neglect data security and privacy in favor of mission-focused tasks. It’s crucial to remember that if privacy and security fall short, it may become impossible to carry out tasks and initiatives that fulfill your mission. The stakes for nonprofits are much higher than for for-profit businesses. Data breaches can put your members, donors, and users at risk, disrupt nonprofit operations, expose liability, and ruin the reputation (and revenue) nonprofits have built.

We can see nonprofits are starting to pay attention, yet they are loath to make these changes due to capital and human resources, which remain major obstacles to the path of maturity and consistency.

This report is designed to encourage nonprofits in starting or continuing a security- and privacy-focused path by identifying key data protection challenges and outlining steps nonprofits can take to strengthen their operations, provide consistent protection, and overcome capital and human resource constraints.

Monica Pagtalunan
Research Analyst, Industry Practice
Info-Tech Research Group

Executive Summary

Info-Tech Insight
A nonprofit organization’s fiduciary obligation and mission promise to prioritize the interests of the stakeholders it serves must be interpreted to include its obligation to protect IT assets that hold personal data through privacy and cybersecurity protocols.

Every nonprofit is different but similar

Cyber risk is heightened

Physical asset security is still valid for some nonprofit organizations, especially where paper-based manual processes are prominent. This component includes ensuring that physical devices cannot be easily carried away from the office, locking wall-to-wall filing cabinets, installing physical alarm systems, and storing external hard-drive backups in secure locations.

Data, security, and privacy are the foundations of digital transformation. For the most part, nonprofit organizations are shifting toward digital, with tools such as public-facing websites, social media, online donation forms, and cloud-based platforms.

Members, donors, and users are increasingly using smart devices to access information, engage with the organization, and make donations. Social media remains an important connection tool to promote events, share information, and build a community.

This change means the cybersecurity risks are heightened. Protecting cybersecurity includes enabling automatic software updates, enabling firewalls, setting complicated passwords that are regularly changed, and installing individualized screen locks on digital devices.

Cyber incidents are on the rise

Note: Community IT Innovators exclusively serve nonprofit IT teams from around the world. This report encompasses cyber incidents that have occurred among their clients alone. Therefore, these numbers are not representative of the entire nonprofit industry.

Source: Community IT Innovators, 2022.

The most concerning exposure for nonprofits is the leak of information

It’s not just an IT problem; the organization will be impacted.

Nonprofits are attractive as “low-hanging fruit”

"You don't want to become the headline. Our organization relies on people's generosity. If there's a massive breach, people will not donate. With that type of reputational damage, the organization's future would be in jeopardy."
– Ramadji Doumnande, Director of IT Operations and Security at National Parks Conservation Association

Cybercriminals want what nonprofits have – data. The most concerning data breach is the leak of sensitive donor/member information. Donors/members are important external stakeholders that nonprofits heavily rely on for their support, and the exposure of donor/member data can impact their trust and confidence in your organization. Consider the following pieces of personal data that your organization collects:

Source: Qostodian Recon, 2021

Data is an invaluable asset – ensure it’s protected

Industry Case Studies

People Inc

Up to 1,000 clients’ data was exposed, with the hacker managing to infiltrate an email account belonging to an employee of the organization due to a weak password. Accounts involved contained personal, sensitive information including names, addresses, social security numbers, financial data, medical information, health insurance details, and government IDs.
ZDNET, 2019.

American Dental Association

Hackers claimed that they had leaked 9 gigabytes of the American Dental Association’s data, with security researchers confirming the breach of tax forms (i.e. W2), financial spreadsheets, and information about private practices. Additionally, the hackers that triggered the malware forced certain critical systems offline, including web-based chat, email, and telephone services.
Forbes, 2022.

ICRC

The ICRC breach was found and disclosed on January 18, 2022, but the actual intrusion took place the previous year, on November 9, 2021. Hackers exploited a vulnerability found in their email platform, Zoho, to bypass authentication, place web shells, and compromise administrator credentials. The details of more than 515,000 people are believed to have been collected, including data such as names, locations, and contact information.
The Record, 2022.

Trust is required from an external perspective

“Without trust, nonprofits lack a key ‘currency’ that allows them to operate smoothly."
– Jeffrey Moore, Chief Strategy Officer at Independent Sector

Source: The Chronicle of Philanthropy, 2022.

Trust is the currency of the industry. High levels of trust allow nonprofits to raise more money for the mission and build strong working relationships with their supporters and the communities they serve.

Security and privacy breed trust. Protecting financial and personal information of those who contribute is critical to the nonprofit organization’s ability to earn and maintain trust and funding. Forward-thinking organizations understand how important security is to fostering trust, and they often prioritize security at the highest leadership levels (executives and the board) to emphasize its importance.

Strengthen your most valuable asset. To build trust, nonprofit organizations need to pay diligent attention to security and privacy fundamentals and foundations. Organizations can still secure the environment while concentrating on mission-based initiatives.

Source: “Trust in Civil Society,” Independent Sector, 2022.

Human and capital resources constraints are obstacles to privacy and security operations

CHALLENGE #1

IT staffing and budget constraints

75% of nonprofit organizations see IT budget as a barrier

82% of nonprofit organizations see staff time as a barrier

Source: nten, 2022.

CHALLENGE #2

Effects of cybersecurity skills gap

Nonprofit organizations are not confident in performing basic cybersecurity tasks.

Source: Ipsos, 2022.

CHALLENGE #3

Lack of security culture within the organization (executives and/or end-users)

59% of nonprofit organizations do not have cybersecurity training for staff.

Source: nten, 2018.

Constraints have impacted security and privacy maturity levels

Do not give into the “low pay, make do, and do without” culture.

Human and capital resource budget constraints have impacted the quality of security and privacy operations. Organizations are struggling with cyber and privacy basics, increasing the likelihood of cyber incidents.

Under-funding and under-resourcing can have disastrous effects. A data leak is not just a cyber risk; it’s an operational risk. The organization will feel effects related to finances, reputation, operations, and regulations.

Capacity building is critical to the infrastructure and health of a nonprofit organization. IT staffing, budget, skills, and security culture are forces that have fuelled the nonprofit industry’s underinvestment in security and privacy. However, there is opportunity to achieve effectiveness. Strengthening security and privacy is indeed possible, but organizations still believe in the inaccurate assumption that a lack of capital and human resources is an unsolvable problem.

Cyber insurance should not be a band-aid solution intended to cure all cybersecurity concerns

Insurance companies are increasing premiums to keep up with the increase in cyberattacks. The costs from lawsuits, ransomware payouts, and other remediations have driven this increase. Insurance companies are not willing to lose money on cybersecurity, so policies are getting more expensive.

Companies with poor cyber hygiene will be rejected or quoted a high premium. It’s now harder to qualify for cyber insurance. You will have to attest to the strength of your security controls through a self-assessment.

Cyber insurance is not a mitigation plan. Some companies see cyber insurance as a way to get around improving their IT security. After all, if your losses in the event of an attack are covered, why should you take extra steps to prevent data breaches?

It’s one more tool in the toolkit. On top of your security and privacy program, cyber insurance should be one extra layer to protect your supporters’ data. Best practice is gaining appropriate technologies and tools to satisfy cyber insurance requirements.

74%
Cyber insurance premium increase percentage in 2021
Source: Fitch Ratings, 2022

57%
Increase in claim frequency among nonprofits for first half of 2022
Source: Coalition, 2022

Privacy should not be viewed strictly through a compliance lens

Bring your stakeholders into the picture

By offering stakeholders transparency and control over their personal information, a good privacy program and its policies can shield nonprofit organizations from the financial and reputational harm posed by a data breach, while a flawed policy can exacerbate the problems caused by a breach.

Although regulators focus on the enforcement of these eight areas, understand the impacts on your organization and stakeholders:

	Stakeholder Impact
	Leverage to identify and mitigate privacy risks that impact your stakeholders.
	Promote transparency and give stakeholders more control over the way their data is collected and used.
	Avoid the high protection, storage, and retention costs associated with hoarding vast amounts of data.
	Build stakeholder trust by capturing less information to begin with. Reduce the information available to steal by only collecting the data you need.
	Don’t entrust data protection solely to a vendor. Their poor cybersecurity practices and conduct reflect poorly on you.
	Leverage technology that enhances visibility and transparency into the “when” and “how” of payment statuses.
	Gives your stakeholders the right to obtain a copy of their personal data that your organization stores.
	Efficiently mitigate damages to reduce time taken to rebuild trust and confidence with impacted stakeholders.

Establish your compliance requirements for alignment

Info-Tech Insight
It is recommended that nonprofits follow standards like PIPEDA as best practices even though some best practices like PIPEDA are generally applicable only for “commercial activities.” Keeping your organization and stakeholders protected should be top of mind.

Security and privacy are not the same but are intertwined

A common assumption is that security and privacy are one and the same...

…but security is not equivalent to privacy.

Integrate security operations into your privacy operations

Do common things uncommonly well

Even the cybersecurity basics can help nonprofit organizations secure the environment and protect data in the face of cyber risks

Prevent

Create security policies, including bring your own device (BYOD) and device security policies.

Improve endpoint and vulnerability management to manage devices connected to systems of data and assess entry points.

Enable multifactor authentication.

Ensure vendor compliance with requirements necessary for protecting access to personal identifiable information of customers/donors.

Implement a robust data backup process and redundancy policy.

Improve identity management by limiting access to sensitive data and implementing least-privilege access.

Encrypt sensitive and important data to guard against ransomware attacks and recovery strategy.

Implement strong passwords and change passwords often.

Detect

Patch systems to address vulnerabilities that could lead to ransomware attacks.

Conduct phishing tests and use anti-phishing tactics.

Perform regular stress tests of networks and systems.

Audit systems regularly to identify potential risks.

Analyze

Understand the threat’s scale and scope. Contextualize:

• What sort of threat is this? What systems or resources is it targeting? Where did it come from? How many other devices has it been able to infect? Which resources in other areas of my network are vulnerable?

Respond

Define and uphold post-incident record-keeping requirements in the event of a breach.

Visit Info-Tech’s Security Research Center

Every nonprofit organization can strengthen its security and privacy operations

Leverage Info-Tech’s security research library regardless of your maturity level

Your data privacy and security journey starts with gap assessments

Assess for three reasons:

1. Make the case to executives for security and privacy investment buy-in.

Justify IT budget changes. Following a systematic investigation of all security functions and understanding of program gaps, security leaders can effectively estimate their necessary security budget or shine a light on areas where intolerable risks will persist without budgetary relief.

2. Develop an actionable security and privacy roadmap.

Highlight functions that were previously overlooked. A systematic approach lays a foundation across all areas of information security to build a complete program on. Instead of pursuing new projects in an ad hoc nature, you can use our systematic methodology to build a comprehensive security program today and enable ongoing management of inevitable changes to the initial program.

3. Improve your cyber hygiene for the sake of cyber insurance.

Lessen premiums and gain approval for cyber insurance by identifying and evaluating your weaknesses. Consider the following:

• Firewalls and antivirus
• User training
• Secure connections
• Technology configurations
• Organizational policies and procedures that aim to prevent breaches and dictate responses to violations

Improve security and privacy oversight

Embed awareness, skills, and resources

Develop Your Security Outsourcing Strategy
Outsource what you can; you can’t do it all by yourself.
Security operations is a 24/7 business. Organizations must devote appropriate resources for oversight and supervision of security and privacy operations, regardless of the cybersecurity skills gap or IT staffing/budget constraint. If hiring an in-house IT team is not possible, outsourcing must be considered.

Embed Privacy and Security Culture Within Your Organization
Effectively communicate the impact and value to the organization.
Executive buy-in enables the IT resources and budget needed to mature your security and privacy operations. To truly take hold, privacy and security engagement must be supported by senior leadership, aligned with business objectives, and embedded within each of the organization’s operating groups and teams.

Develop a Security Awareness and Training Program That Empowers End Users
Your most naive staff member is the weakest link.
Educate and train all staff on security awareness, incident response and handling, and general data security risks. Security education should be at the forefront of users’ minds. Constantly refresh their memories so they are continuously watchful for risks such as phishing emails.

Contributors

Craig Bradley
SVP of IT
YMCA of Greater Toronto

Anonymous
IT
Pew Research Center

Anonymous
IT
Pew Research Center

Alan Tang
Principal Research Director
Info-Tech Research Group

Bob Wilson
Research Director
Info-Tech Research Group

Bibliography

“2022 Nonprofit Cybersecurity Incident Report.” Community IT Innovators, 2022.

“2022 Cyber Claims Report.” Coalition, 2022.

“2023 Nonprofit Trends Report.” Cerini & Associates, 2023.

“4 Key Thoughts on Cyber Insurance for SMEs.” IT Force, n.d.

“Cyber security skills in the UK labour market 2022 Findings report.” Ipsos, 2022.

“Cybersecurity within Nonprofits.” Eide Bailly, n.d.

“Health of the U.S. Nonprofit Sector.” Independent Sector, 2022.

“How Data Breaches Happen.” Kaspersky, n.d.

“Managing Nonprofit Tech Change 2022 Report.” nten, 2022.

“Nonprofit Cybersecurity: Balancing Best Practices, Budget, and Team Productivity.” Build Consulting, 2022.

“Nonprofit Guidelines for Cybersecurity and Privacy.” Microsoft, 2017.

“NPCA Achieves PCI Compliance in the Cloud.” Qostodian Recon, 2021.

“Privacy and Cyber Security Emphasizing privacy protection in cyber security activities.” Office of the Privacy Commissioner of Canada, 2014.

“Privacy vs. Security: Understanding the Difference.” Audit Board, 2022.

“The change role of the board on cybersecurity.” Deloitte, 2021.

“Trust in Civil Society: Understanding the factors driving trust in nonprofits and philanthropy.” Independent Sector, 2022.

“US Cyber Insurance Sees Rapid Premium Growth, Declining Loss Ratios.” Fitch Ratings, 2022.

Chimwanda, Elastos. “Essentials for an Effective Cybesecurity Audit.” ISACA, 2022.

Cimpanu, Catalin. “Red Cross blames hack on Zoho vulnerability, suspects APT attack.” The Record, 2022.

Daniels, Alex. “Trust in Nonprofits and Philanthropy Continues to Be Higher Than in Government and the News Media.” The Chronicle of Philanthropy, 2022.

De Vries, Jennie. “What drives cyber security investment? Organizational factors and perspectives from decision-makers.” Technical University Delft, 2017.

Hill, Michael. “Altruism under attack: why cybersecurity has become essential to humanitarian nonprofits.” CSO, 2022.

Holland, Jake. “Cyber Insurance Policies Grow Pricey Amid Rising Hacks, Lawsuits.” Bloomberg Law, 2022.

Hulshof-Schmidt, Robert. “State of Nonprofit Cybersecurity.” nten, 2018.

Jesenik, Jessica. “Is your nonprofit organization headed for a data breach?” Software One, 2021.

Köller, Joe. “Is Cyber Insurance Worth It? Advantages, Coverage & Requirements Explained.” Tenfold, 2021.

Maddison, John. “Managing Risks with Limited Resources.” CSO, 2019.

Martin, Carolyn. “Protecting Privacy: A Nonprofit’s Guide to Data Privacy Breaches.” Lutzker & Lutzker, 2021.

Martin, Kelly. “Research: A Strong Privacy Policy Can Save Your Company Millions.” Harvard Business Review, 2018.

Mathews, Lee. “Ransomware Criminals Strike American Dental Association.” Forbes, 2022.

Medwick, Jennifer. “Nonprofit Organizations and Data Security Incidents – How to Manage and Respond.” JDSupra, 2022.

Osborne, Charlie. “One of New York’s largest nonprofits suffers data breach.” ZDNET, 2019.

Osmond, Chad. “What’s Changing in the Cybersecurity Insurance Market?” Smarter IT Services, 2023.

Price, Nick. “How the Board Structures of For-Profit and Not-for-Profit Organizations Differ.” Board Effect, 2018.

Raghavan, Kamala. “Cybersecurity in Small Businesses and Nonprofit Organizations.” Today’s CPA, 2016.

Shainblum, Esther. “Online Privacy and Cybersecurity Issues for Charities and NFPs.” Carters, 2022.

Townley, Pam. “Cyber-Liability Insurance 101 for Nonprofits.” Associations Now, 2017.