
A Comprehensive Approach to Cybersecurity at Your Nonprofit

We live in a world with constantly increasing cybersecurity risks. IT systems can no longer be protected by a firewall at the edge of a network as the boundaries of the organization's IT systems continue to expand with the adoption of cloud solutions. At the same time, the tools available to cybercriminals have grown in sophistication and decreased in cost.

The new cybersecurity perimeter is now represented by each individual's online identities and devices. In fact, any website with a public login is a target for hackers. (You can even see if your account has been compromised on www.haveibeenpwned.com.) Devices can be attacked by hackers exploiting unpatched systems with malware or sending a specially crafted text.

It's time to get — and stay — safe online. Let's take a look at a comprehensive approach to cybersecurity at your nonprofit.



Nonprofits Are Not Immune to Cyberattacks

While some nonprofits, including refugee organizations and health services organizations, may understand the value and sensitivity of their data, others may not. But in today's world, all data is valuable in that the loss of it in a ransomware attack or otherwise can spell disaster for any organization. Attacks have become automated, and hacking software is now cheap and readily available, making every computer and device a potential target. In addition, the trusted identity of a nonprofit can be used to pivot and target other organizations or board members.

A recent security report by Kaspersky Labs shows that the cost of responding to a data breach for a small to medium business in North America is $120,000, which is up from $88,000 in 2017. These are actual costs that organizations like yours would face, including direct remediation services, outside legal fees, and public relations work. Also, this only represents the direct financial cost and doesn't count the loss of public trust and decreased staff productivity.

Security threats are now being leveraged by sophisticated and profit-driven criminal enterprises with significant resources. Understanding the new and persistent threats that exist is a good first step to adopting a meaningful approach to security at your organization.

Tried and True Security Measures

In looking at what's new in the world of cybersecurity, it's helpful to look at what hasn't changed. Community IT's cybersecurity playbook for 2019 (PDF) includes many of the same controls we would have had in place on our networks back at the turn of the century.

Data Backups

Follow the 3-2-1 rule: Keep three independent copies of data, on two different types of media, and have one backup copy offsite.



Antivirus Software

Install software that looks for malicious file signatures to block harmful activity on your system.

Firewall Protection

Protect yourself from external hackers by hiding your computer systems behind a firewall.

The Evolving Security Landscape

While the above controls are all still important, the evolution of the cloud and the expanding boundaries of the workplace mean that additional people, processes, and technology tools are required. Building on the recommendations mentioned above, I also recommend the following additional cybersecurity controls.

IT Acceptable Use Policy

Create an official written document outlining the way staff are expected to treat technology, and define the technical controls that are in place to support this policy.

Multifactor Authentication (MFA)

Protect your online identity by requiring both a password, which is something you know, and an authentication token, which is something you have (think: a text verification code).

Business Email Compromise Protection

Protect yourself and your organization from sophisticated email attacks that spoof trusted people in your organization with the goal of gaining more access into your network.


If you're just getting started with improving the cybersecurity at your organization, making sure that these six items are in place is a good place to begin. But there is a lot more that can be done to improve the cybersecurity of your organization and protect the data of your members, clients, and stakeholders.

We'll go into more detail of what's new in the world of cybersecurity during our upcoming live event on TechSoup Courses, Cybersecurity 201: How to Make Your Organization Safe, taking place October 17. We'll delve into topics such as single sign-on, encryption, endpoint detection and response, and how to encourage organizational leadership to prioritize implementing these solutions.

