How to Right-Size Cybersecurity to Fit the Small Nonprofit

Posted on October 17, 2023January 26, 2024

Organizations rely on technology for communicating, managing our work, assisting us in making accurate and timely decisions, assisting customers, and staying in the know wherever we go. But along with this comes a mounting risk of data breach. Particularly susceptible are small nonprofit organizations with fewer technical safeguards, outdated security protocols, and modest IT budgets.

Understand your risk.

Cyber threats have become increasingly sophisticated. Compounding this is a recent surge in remote work, Bring Your Own Device (BYOD) flexibility, and online transaction processing, all of which collide to create a broadened threat landscape. Organizations that store electronic patient data, personally identifiable information, and banking and credit card records stand to face even greater upheaval should they fall prey to ransomware, viruses, social engineering attack, third-party or employee data breach. The smaller an organization is, the greater the impact due to lack of resources.

Let’s consider the risk.

Financial and Reputation Loss. Small nonprofit organizations store sensitive information about donors, clients, and employees. But cybercriminals are intent on stealing that data to conduct phishing scams, launch extortion or ransomware attacks, and open credit. Should confidential data be compromised, it could damage your ability to fundraise. It could also trigger costly litigation.

Insurance Terms. Insurance companies often require that baseline security standards be in place to uphold cybersecurity coverage. Yet many nonprofit organizations lack the in-house expertise needed to properly evaluate policy language and terms. This could result in a coverage lapse should a breach occur. There are cases where an organization thought they were covered but the coverage was denied because the policy required adequate IT controls.

IT & Cybersecurity Health CheckList

AAFCPAs designed this comprehensive IT & Cybersecurity HealthCheck to assist clients in surfacing, understanding, and managing priority IT risks that may be mitigated to better secure your organization’s Personally Identifiable Information (PII), client records, proprietary information, and/or other sensitive data.

Access Checklist

Regulatory Compliance. Some small nonprofit organizations are subject to cybersecurity laws and regulations such as HIPAA and the Payment Card Industry Data Security Standard (PCI DSS). Failure to comply with those could result in costly fines and litigation.

Constituent Trust. When constituent data is compromised or when essential services are lost, this can cause permanent damage to that relationship.

Take preventive measures.

Even the smallest investment in time, training, and vigilance can make a big impact in bolstering your cybersecurity profile.

AAFCPAs advises small nonprofit clients to start by conducting an IT general controls assessment to pinpoint areas of risk along with opportunities for improvement. In doing so, consider the types of data exposures you face including specific threats within your industry, such as those related to fundraising platforms or volunteer workforces.

We recommend organizations designate one individual within the organization to act as security manager responsible for planning, software upgrade, backup, patching, and incident response. Then document procedures, plans, and policies to clearly define acceptable use and response protocols. Consider remote work and BYOD exposures when drafting policies. Define authentication and access control including how and when access will be revoked once it is no longer needed. Should access and privileges be limited to a need-to-know basis? What are password protocols? How is sensitive data handled? What is mandated from a compliance standpoint? Then revisit, assess, revise, disseminate, and train all employees and volunteers to ensure ongoing awareness.

Constituent trust is critical. If resource enhancements are needed, AAFCPAs provides a right-sized approach to security. We help small nonprofit organizations under heightened risk conduct IT security assessments to better understand their strengths and vulnerabilities.

If you have questions, please contact James Jumes, MBA, M.Ed., Partner, Business Process & IT Consulting at 774.512.4062 or jjumes@nullaafcpa.com—or your AAFCPAs Partner.

About the Author

James Jumes, MBA, M.Ed.

James joined AAFCPAs in 2013 to lead the firm’s Business Process & IT Consulting practice. He leads a team of senior technologist in the delivery of solutions related to business intelligence & productivity, information risk management and cybersecurity, and special IT attestations, compliance, and certifications. His goal is to strengthen the links between people, process, and technology, which increases productivity and drives business growth. James has more than 30 years of experience working with information technology …

Related Insights

Safeguarding Against Holiday Season Phishing and Cyber Threats

AAFCPAs would like to remind clients that the period between Thanksgiving and New Year’s is a prime time for phishing and other malicious cyberattacks. Cybercriminals take advantage of increased internet shopping, debit/credit card use, and the influx of holiday offers to deceive individuals into disclosing sensitive information. Now more than ever, vigilance is required in […]

October is Cybersecurity Awareness Month. Are You Prepared?

Cybersecurity Awareness Month is observed in October in the United States to raise awareness about the importance of protecting digital systems and data from cyber threats. As of the third quarter of 2024, there were over 2,000 reported data breaches affecting an estimated 1.3 billion individuals globally with major breaches affecting companies like UnitedHealth, Snowflake, […]

Fidelity E-Delivery Initiative Spurs a Surge of Phishing Scams

Last week, AAF Wealth Management informed clients about an upcoming outreach effort by Fidelity Investments and cautioned them of an increase in phishing scams as a result. During the week of September 16, Fidelity begins an email campaign to encourage clients to switch from paper copies to electronic delivery of all documents. This affects investors […]