3 Steps for Your Nonprofit's Cybersecurity Checkup

Written by: Jay Love

Categories: technology

When the pandemic first began, nonprofits switched to virtual strategies, hosting entirely online events and pursuing digital fundraising techniques. As things started winding down, it became clear that hybrid opportunities will be the future of nonprofit fundraising. 

This means that virtual activities aren’t going anywhere! 

Unfortunately, this new emphasis on virtual and online interactions has led to an increase in cybercrime as well. Studies show that cybercrime increased by 63% from the start of the COVID-19 lockdown. At a time like this, your organization must prioritize cybersecurity. 

In this guide, we’ll dive into three main steps that you can take to conduct a cybersecurity checkup for your organization. We’ll cover the following steps: 


  • Start With Education

  • Create Cybersecurity Policies for Your Nonprofit

  • Frequently Check in on Security


Breaches in data can result in your supporters losing trust in your organization, not to mention expensive fixes to address the immediate leak of important information. This guide is not the end-all-be-all for cybersecurity—simply some checkup steps. Be sure to discuss your options with a tech security professional for a more comprehensive cybersecurity check. 


Let’s get started with these steps to improve your organization’s cybersecurity. 

1. Start With Education.

When it comes to cybersecurity, education is the first step. You need some foundational knowledge about the importance of cybersecurity and best practices before you’re able to implement some of those best practices for your organization and start practicing safer online habits. 

According to Bloomerang’s cybersecurity guide, 38% of nonprofits don’t have a policy on how to handle cybersecurity risk, equipment usage, and data privacy. But how can you develop those policies and encourage your staff members to follow them if no one is aware of their importance? 

Because it’s impossible to become an expert in cybersecurity overnight, you’ll likely want to leverage existing resources to implement educational content for your nonprofit. For instance, you might choose to: 


  • Invest in cybersecurity courses. Online courses make great resources for nonprofits because the educational materials are already put together and ready to go. This means the organization will put in minimal effort to get these courses going. Plus, they’re accessible for your staff whether they’re working in an office or at home. 

  • Ask a cybersecurity expert to speak. Nonprofit leaders have a lot of skills, but very few are cybersecurity experts. Because this is such an important topic, your organization might decide it’s worth it to bring in an expert. Record the conversation led by this expert so that you can include the information in your staff onboarding process and ensure everyone is on the same page at your organization. 


Many organizations believe that education is the end-all-be-all to security. After all, if we know the dangers of cyber attacks and understand how to prevent them, we’d all do our best to stay safe, right? Actually, this isn’t necessarily true. Do you remember everything you learned in school? Some things probably slipped through the cracks. 

Training and education come first, but don’t stop after you’ve implemented training procedures! Maintain regular training activities in your organization’s schedule and implement policies to take action on what you’ve learned. 


2. Create Cybersecurity Policies for Your Nonprofit.

As we mentioned, education is a great start, but you’ll need to take it a step further to see effective cybersecurity policies implemented. 


You might even decide to share with your supporters your new initiative to protect data. Obviously, don’t go into detail about the policies you’re setting, but telling supporters that you are taking action will increase their sense of trust in your organization. This trust is vital to make sure supporters feel comfortable giving to your organization.

Create policies around password expectations.  

People are notoriously bad at setting passwords, making this an incredibly vulnerable aspect of nonprofit security. Often, people use the same passwords across all of their accounts, use significant dates or spouse names in the passwords, or leverage keyboard patterns like “qwerty” for their passwords.

Chances are, you flushed slightly reading the above list of common mistakes, having committed some of them yourself. All of these practices are easily predictable, and those passwords can be broken with a little research on individuals at the organization.

Therefore, make sure to set up password protocols for the accounts your staff members set up as a part of your organization. You may ask them to take the following steps: 


  • Use randomized characters, numbers, and symbols for passwords
  • Make sure all passwords are at least eight characters long
  • Leverage different passwords for every account
  • Avoid using personal information in your passwords
  • Don’t use patterns or formulas when creating passwords
  • Make sure you don’t use dictionary words in passwords


We know it’s hard to keep track of all of these passwords, especially when they’re all entirely different and almost impossible to memorize. Therefore, you might consider using a password manager to keep track of your passwords and ensure none of them is lost. 
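The password rules in the list above can be enforced automatically when staff set up accounts, so the policy does not rely on memory alone. The checker below is an added example written for this article; it is not code from the author or from Bloomerang. It implements the article's rules (minimum of eight characters, mixed character types, no keyboard patterns or formulas, no dictionary words, no personal information) and adds a generator so that a compliant random password can be produced for a password manager. The small word list, the keyboard rows, the "three of four character classes" requirement and the run length of four used for pattern detection are assumptions chosen for the demo, not figures from the article.

```python
import secrets
import string

# Constructed, deliberately tiny dictionary for the demo; a real deployment
# would load a full word list (assumption, not part of the article).
COMMON_WORDS = {"password", "welcome", "summer", "donate", "charity", "letmein", "admin"}

# Keyboard rows used to catch patterns such as "qwerty" or "asdfgh".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

MIN_LENGTH = 8      # the article's minimum length
PATTERN_RUN = 4     # assumed: four characters in a row count as a pattern


def has_keyboard_pattern(pw, run=PATTERN_RUN):
    """True if any `run` consecutive keyboard keys (either direction) appear."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def has_sequence_or_repeat(pw, run=PATTERN_RUN):
    """True for repeated runs ("aaaa") or stepwise runs ("abcd", "4321")."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if len(set(chunk)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def contains_dictionary_word(pw, words=COMMON_WORDS):
    """Case-insensitive substring match against the word list."""
    low = pw.lower()
    return any(w in low for w in words if len(w) >= 4)


def contains_personal_info(pw, personal):
    """`personal` holds strings like a name, birth year or spouse name."""
    low = pw.lower()
    return any(len(p) >= 3 and p.lower() in low for p in personal)


def check_password(pw, personal=()):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if sum(classes) < 3:
        problems.append("needs at least three of: lowercase, uppercase, digit, symbol")
    if has_keyboard_pattern(pw):
        problems.append("contains a keyboard pattern")
    if has_sequence_or_repeat(pw):
        problems.append("contains a repeated or sequential run")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if contains_personal_info(pw, personal):
        problems.append("contains personal information")
    return problems


def generate_password(length=16):
    """Draw a random password from the OS CSPRNG until it passes the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs: a staff member named Sally, born in 1985.
    for sample in ["qwerty", "Summer2019!", "Sally1985!", generate_password()]:
        print(f"{sample!r}: {check_password(sample, personal=['Sally', '1985']) or 'OK'}")
```

The personal-information check only works if you pass the things an attacker could look up about the person (name, spouse, birth year), so wire it to the data in the HR or CRM record at account-creation time rather than asking the user to self-report. The generator pairs naturally with the password-manager advice above: the organization never needs to see or remember the value it produces.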

Create policies for software updates. 

Often, when people receive the notification that their phone has a software update available, they just snooze it and ignore the update. This may go on for days or even weeks! Don’t take this same mentality when it comes to your nonprofit software updates. 


Software updates often contain bug fixes and security patches. The longer you ignore them, the longer these vulnerabilities remain in your system, creating additional weak points. 

When you build out your organization’s digital strategy, as explained by Kanopi’s guide for nonprofits, align your message and content across all platforms. In this strategy, you should also include a plan for updating your software. Be sure to clearly define: 


  • Who is in charge of updating the software 
  • How others will notify them when updates are available
  • How much time they have to make those updates


For instance, you might say that Sally is responsible for keeping the software up to date. People can notify her about opportunities to make updates via email. Then, she’s expected to update the software by the end of the day. 


You may even advise Sally to send an email to the rest of the team about what time the update takes place so that everyone is aware that the system might be down for a little while. 

Set standards for new software purchases.

Nonprofits rely heavily on software to accomplish various tasks. These software solutions house a lot of your sensitive data—especially your CRM, which houses donor contact information, interests, and more. 

When you buy new fundraising software for your nonprofit, be sure you have set security standards so that you don’t get distracted by the fancy bells and whistles, ensuring cybersecurity is your top priority. 

Before you make your next software purchase, be sure to: 


  • Look for a software changelog to see what past updates have covered
  • Ensure the software is PCI-compliant
  • Ask about additional tokenization or encryption to keep data secure


By asking the right questions or knowing what to ask about during software demos, you’ll be a step ahead of the crowd. This will prevent you from purchasing software that is not up to scratch when it comes to cybersecurity. 

Set up user accounts for platforms. 

Setting up separate user accounts for each software solution gives each member of your team access to only the information they need to complete their specific tasks. While some feel this reflects a lack of trust, setting up separate user accounts doesn't mean that you have any less faith in your staff members. 

It’s simply a security standard that helps keep everyone safe from outside threats. Imagine, for instance, that one of your staff members was a little careless with the password for their access to your CRM, setting it as “qwerty,” one of the most commonly used passwords in the world. Their account is compromised and the outsider gains access to everything they can see in your CRM. 

If that staff member has access to your entire CRM, the hacker could gain immediate access to your donors’ contact, payment, and address information. However, if that staff member is restricted, the hacker is slowed down immensely. 


User accounts are not about a lack of trust in your staff members, but an acknowledgment that everyone is human. Leverage these restrictions to help secure your system and explain the decision to staff members to ensure they’re not left with a poor impression.

3. Frequently Check in on Security.

Ensuring adequate cybersecurity is an ongoing process—it’s never one and done. For one, as technology continues to develop, hackers and cybercriminals with malicious intent will also continue advancing in their skills. You need to stay on top of the latest cybersecurity news to keep your system updated. 

Second, it’s easy to get into a routine and forget about the importance of security. Checking in on best practices is the best way to keep it top of mind. 

We recommend taking the following steps to continuously check in on your nonprofit’s cybersecurity steps and initiatives: 


  • Send fake phishing emails. These emails keep employees on their toes and show where people might be susceptible to attack. If someone clicks on this fake email, be sure to review with the team how to identify these threats and encourage them to report the email next time around. 
  • Review policies regularly. Add a note to your strategic plan reminding your leadership to review the policies you’ve put in place to ensure cybersecurity. Check to make sure they’re in line with the latest security standards and make updates as necessary. 
  • Continue educating staff members. Review cybersecurity protocols with your staff members frequently, including when policies are updated, new individuals are hired, and when fake phishing emails are clicked on. 


Cybersecurity checkups should happen at least once per year—sometimes more often depending on the circumstances of your organization. Be sure you’re caught up on the latest in security to keep your nonprofit safe from attack. 



Cybersecurity has become more important than ever with our increasing reliance on technology. Unfortunately, nonprofits are often behind the times when it comes to security and technology, making them easy targets for hackers and malicious infiltration. And when nonprofits experience a breach of security, the trust their supporters have in the organization can easily be broken and may never be rebuilt. 


By taking a few steps to check in on your organization’s cybersecurity standards, you can prevent this type of breach from occurring. Get started with the steps in this guide, but don’t limit yourself to them! More security is always better than less.