Building a Cyber Security Strategy on a Nonprofit Budget: Prioritising Security Measures and Resources

Introduction 

As technology becomes indispensable in the daily functions of nonprofit organisations, spanning from small volunteer-run operations to massive global entities like the Red Cross and Oxfam, the importance of nonprofit cyber security is paramount. From fundraising to communication with donors and volunteers, technology has significantly enhanced the efficiency and effectiveness of these tasks. Yet, as reliance on technology grows, so does the risk of cyber threats. According to the UK Government Cyber Security Breaches Survey 2024, 32% of charities reported experiencing a cyber security breach or attack in the last 12 months, with high-income charities bearing an even greater burden at 66%. 

Protecting sensitive information is paramount for nonprofits operating within tight budgets and facing unique operational challenges. However, effective cyber security doesn’t have to break the bank. In this article, we will explore key cyber security strategies tailored to the needs of nonprofit organisations, offering practical solutions to mitigate risks and protect valuable data. We’ll examine notable cyberattacks as cautionary tales along the way and provide insights into building a robust defence against evolving threats. 

Understanding the Cyber Security Landscape for Nonprofits 

Nonprofits face many of the same cyber security challenges as their for-profit counterparts, such as data breaches, ransomware attacks, and phishing scams. However, there are unique aspects of the nonprofit sector that significantly impact their cyber security posture. For instance, the lack of proper security protocols or up-to-date defence measures leaves many organisations vulnerable to cyber threats. 

The 2023 Nonprofit Tech for Good Report sheds light on these vulnerabilities: 

• 68% of nonprofits lack documented policies and procedures for handling cyberattacks 
• Less than 50% have internal procedures or policies to regulate data sharing with external agencies 
• Shockingly, 71% allow staff to use unsecured personal devices for accessing organisational emails and business files 

These findings underscore the pressing need for nonprofits to prioritise cyber security measures to mitigate risks effectively. 

Unique Challenges Faced by Nonprofits 

As mentioned, nonprofits often handle sensitive information like donor and beneficiary details and may manage substantial funds, becoming prime targets for cybercriminals. Operating with smaller teams and limited budgets compounds these challenges, leaving many nonprofits ill-equipped to tackle cyber threats effectively. 

Unfortunately, this lack of preparedness can lead to devastating consequences: 

• Financial Loss: A successful cyberattack can result in direct financial losses, including stolen funds or ransomware payments. For smaller nonprofits with limited resources or inadequate cyber insurance coverage, these losses can be particularly crippling. 
• Reputational Damage: The loss of sensitive data, especially donor and beneficiary information, can erode trust and confidence in the organisation. This loss of faith may translate into a decline in supporters and volunteers, hindering the nonprofit’s ability to fulfil its mission. 
• Legal & Compliance Consequences: Nonprofits are subject to the same legal and compliance standards as for-profit organisations regarding data protection. Failure to comply can lead to legal ramifications, financial penalties, and further damage to the organisation’s reputation. 

By understanding and addressing these unique challenges, nonprofits can better safeguard their operations, protect sensitive data, and maintain the trust of their stakeholders. 

Real-Life Examples of Nonprofit Data Breaches 

Nonprofit cyber security is paramount in safeguarding sensitive data and maintaining trust within the sector. Here are two real-life examples highlighting the critical importance of robust cyber security protocols for nonprofit organisations: 

International Committee of the Red Cross (ICRC) 2022 

In January 2022, the ICRC encountered a data breach due to an unaddressed critical vulnerability within Zoho’s Single Sign-In tool. Exploiting this security flaw, cybercriminals infiltrated ICRC’s contact database, compromising the personal information of over 515,000 individuals worldwide. These attackers employed sophisticated offensive security tools commonly linked to Advanced Persistent Threat (APT) groups, indicating a potentially State Sponsored attack.  

The breach remained undetected for 70 days until ICRC’s third-party cyber security service identified the intrusion, prompting immediate measures to secure affected servers and prevent further harm. This incident underscores the importance of regular software updates and patching to swiftly address vulnerabilities and thwart malicious cyber activities. 

Save the Children Federation 2018 

In 2018, the Save the Children Federation, a prominent nonprofit organisation, became ensnared in a sophisticated email scam, resulting in the fraudulent transfer of $1 million to an entity in Japan. Perpetrators, masquerading as legitimate employees, compromised an email account and fabricated documents for funding solar panels for health centres in Pakistan.  

The scam’s credibility was bolstered by Save the Children’s longstanding presence in Pakistan. Despite the significant financial loss, the organisation’s insurance coverage mitigated some of the damage, excluding $112,000. This incident underscores the critical need for stringent cyber security protocols, particularly in verifying the authenticity of communications and transactions. 

Cost-Effective Cyber Strategies for NonProfits 

Amidst the challenges posed by budget limitations and evolving cyber threats, nonprofits have access to several low-cost cyber security strategies to fortify their defences. 

Employee Training and Awareness 

Investing in employee training and awareness programmes stands out as one of the most cost-effective methods to bolster nonprofit cyber security. By educating staff and volunteers on common cyber threats and best practices for safeguarding sensitive information, nonprofits can significantly reduce the risk of human error leading to security breaches. 

Strong Password Policies 

Enforcing robust password policies represents another straightforward yet impactful approach to enhancing cyber security. Nonprofits should mandate the use of complex passwords and implement multi-factor authentication whenever feasible to add an additional layer of protection. 

Regular Software Updates and Patch Management 

Maintaining up-to-date software and systems is imperative for thwarting vulnerabilities exploited by cybercriminals. Establishing a routine schedule for applying software updates and patches is crucial for minimising the risk of security breaches. 

Cloud-Based Security Solutions 

Leveraging cloud-based security solutions offers a cost-effective avenue for nonprofits to bolster their cyber security defences. Cloud providers often offer comprehensive security features, including encryption, threat detection, and access controls, at a fraction of the cost of traditional on-premises solutions. 

Selecting the Right Technology Partners 

Choosing technology partners who grasp the unique security challenges faced by nonprofits is paramount. These partners should offer solutions that not only provide technical support but also align with the nonprofit’s mission and budgetary constraints. 

Vendor Donations and Discounted Software 

Nonprofits can capitalise on vendor donation programmes to acquire various technology solutions, at reduced prices or for free. Many technology companies offer programmes tailored specifically for nonprofits, providing discounted or donated products and services. 

For instance, Microsoft extends up to five free licenses of Microsoft 365 Business to qualifying nonprofit organisations in the UK. Additional user licenses can also be purchased at the discounted rate of £19.50 per user/month. This initiative aids nonprofit cyber security by incorporating advanced features not available in other plans, ensuring that nonprofits do not miss out on crucial security and data protection benefits due to budget constraints. 

Conclusion 

When it comes to cyber security, nonprofits face unique challenges, yet there are numerous low-cost strategies available to fortify their defences. Practical approaches include providing regular cyber security training to staff and volunteers, leveraging discounted technology offerings from vendors, selecting IT partners well-versed in the nonprofit sector, and prioritising fundamental security measures such as regular data backups and robust password policies. 

Cyber security for nonprofits demands ongoing commitment and adaptation—it’s a continuous process. By implementing these essential strategies, nonprofits can shield themselves from cyber threats and sustain safe and efficient operations. Moreover, investing in cyber security isn’t solely about safeguarding organisational assets; it’s about preserving the trust and confidence of donors, partners, and communities served. 

Through proactive risk mitigation, nonprofits can confidently pursue their missions in an increasingly digital landscape. OneCollab specialises in serving nonprofit organisations, offering cost-effective solutions that align with their missions and values. For a consultation with a nonprofit cyber security expert, reach out to us today.