
How Nonprofits Can Protect Themselves From Hackers and Cyber Attacks

Nonprofits aim to create the most change at local, state, and national levels. To do so, they rely on their donors, employees, volunteers, and the communities they work in to support their work. They are also the gatekeepers to important information which, if left unprotected, can result in hackers targeting their organizations. For this reason, nonprofit organizations are at a high risk of cybersecurity attacks. Read more about cybersecurity attacks and how to prevent them at STRATA9.

Personal Identifiable Information (PII)

Personal Identifiable Information, or PII, is any non-public information that can identify an individual directly and/or indirectly. The main form of PII that most people are aware of is a social security number, but other forms include date of birth, driver's license number, addresses, emails, and phone numbers. This information can be used in several malicious ways if acquired by hackers. A stolen social security number can be used to apply for credit cards and to gain access to banks, emails, and other accounts, which can further legitimize phishing attacks. These instances can put an organization, its mission, employees, benefactors, and beneficiaries at risk.

Nonprofit organizations collect PII from the people who dedicate their time and money as well as the communities they serve. Nonprofit organizations, on average, operate on less than one hundred thousand dollars a year, so cybersecurity may not always be at the forefront of their concerns, especially when trying to maximize community impact. This puts them at higher risk for cyber attacks. Aside from the legal implications of having this information stolen, the lasting effects of an attack can further disadvantage communities and prevent nonprofits from doing their necessary work.

Cybersecurity Risk Assessments  

Cyber Risk Assessments are a way to assess and identify risks and threats for the organization, which allows nonprofits to prioritize the gaps that need to be filled based on a cost-benefit analysis. Cyber Risk Assessments should be conducted, at minimum, once per year. This frequency increases to multiple times per year as the turnover of the organization grows or new systems and processes are implemented. After the initial risk assessment is conducted, recommendations are brought to the table. If warranted, a follow-on step in this process could be a penetration test, or “pen test,” in which the organization partners run a simulated cyberattack that checks the organization's safeguards and cyber defenses. This is to see what information could be taken and what actual damage could be done if it were a real attack. From there, remedial steps can be taken.


Some initial thoughts and safeguards nonprofits can implement:

  • Check the set compliance regulations and define how Personal Identifiable Information is used and stored. 
  • Provide employees and volunteers with training on general security practices.
  • Conduct annual risk assessments.  
  • Set aside budget funds specifically dedicated to cybersecurity. 

“It’s not if but when. Identify and prioritize security efforts early and embed security into the company culture effectively.” - Rosye Cloud, President, STRATA9

At STRATA9, above all, we prioritize client confidentiality. Your mission is important, and we are dedicated to your success. To learn more about our services please visit our website or contact us here.