<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=938154&amp;fmt=gif">
Cybersecurity for Nonprofits: How to Protect Your Data

Cybersecurity for Nonprofits: How to Protect Your Data

Nonprofit organizations have an increased risk for cybersecurity attacks than other types of businesses, due to the sensitive information they possess on volunteers and donors – and a lack of cybersecurity measures in place.

Don’t run the risk of your data falling into the wrong hands! Make sure you know how to protect your valuable information by understanding your current cybersecurity protections as well as your gaps.

Best Practices for Cybersecurity Checklist

According to research, only 25% of nonprofits actively monitor their network environments and even less have a policy in place to address cyberattacks. With limited staffing and resources facing nonprofits, there are a number of basic cybersecurity techniques that will make you and your nonprofit safer.

1. Start with a Baseline

How do you know if you have cybersecurity? How do you know if it's good enough? How do you know where to start? How do you know what to spend your time and energy on? The way to do that is to compare your nonprofit to a baseline (a.k.a. standard). This will allow you to gain an awareness inside of your organization of what's bad, what's good, and what you should be worried about first. There are a few ways to do this:

Regulatory Requirements

When implementing a security program, start by identifying any regulatory requirements that affect your organization. For example, are you in the medical field where HIPAA is a concern? Do you accept credit card payments so you need to be concerned with PCI data security compliance? Are you publicly regulated? Do you have international or governmental clients? Start by looking at the base requirements of doing business and if there's already one for your operations, compare your security to those regulatory obligations.

If none of these apply to your organization, the NIST (National Institute of Standards and Technology) Cybersecurity Framework provides a comprehensive set of security rules to follow. This program covers most of the cyberattacks that can happen at some level and it helps provide an understanding of where resources should be spent.


What are the protocols in your organization? Most security programs start with policies (i.e., the rules of the road for employees). These are documents that state the organization’s requirements so that employees understand what is expected of them when they start the job. This is typically in the form of an employee handbook.

Make sure all cybersecurity components are in those policies and are handled in a way that will keep your organization compliant with regulatory requirements, and secure.

Risk Assessment Process

A risk assessment compares how your organization performs in relation to the requirements of the security framework. The main reason to perform a risk assessment is to identify security gaps.

First, you want to have a good baseline of what your security posture is at today. Then once you identify the security gaps, you can mitigate those gaps by implementing the appropriate controls, creating processes, and documenting policies and procedures. Prioritize the mitigations, evaluate potential security partners, and then establish, maintain, and improve your compliance.

The final step is to accurately forecast your future needs – determine where you are today and what your goals and objectives will be in 6 months, 12 months, 18 months, etc.

2. Protect the Endpoint

Ensure you protect your laptop, mobile phone, computer, and anything you interface with day in and day out. Take care of those devices and make sure they are as secure as they can be to help keep your environment safe.

Regulatory requirements (such as HIPAA) state that if a device is stolen and it contains client data with at least 500 records, you must report it as a violation. However, there is a clause that states it does not need to be reported if the device is encrypted. Therefore, every device should be encrypted so that you don't have reportable events.

Encrypting a device is as simple as turning on the tool that’s built into the operating system which requires a password when signing in. Without that password, no one can access the device. There is no cost other than the time to encrypt the drive.

Other responsible device practices include:

      • Don’t use USBs or external hard drives as these can easily be stolen. If you must use one of these drives, be sure to encrypt it.
      • Physically secure laptops when traveling. Something as simple as a clip on a laptop zipper case will keep people from slipping their hands in and removing the device.
      • Avoid public Wi-Fi because someone else has the ability to see what you’re doing just through your internet connection. Make sure to utilize a VPN (Virtual Private Network) or other way to protect anything you’re doing on Wi-Fi.
      • Be aware of multiple users on home computers. Additional users can inadvertently bring in viruses from outside websites that will affect the performance of your devices.

3. Verify Security Tools Work

There are tools already on your systems that you need to make sure are working and are working properly. Are they configured correctly? If you've identified a gap in your baseline that tells you that you need a tool, what's the area you should look for first?

Virus protection is the number one security tool that everyone should use. It's already built into a device’s operating system – just turn it on and make sure you're using it. In larger or more mature organizations, there will be additional processes to ensure protection such as verifying every device has been updated with the most current version of virus protection software. Even though vendors are proficient at patching their systems, viruses can still sneak through so it’s important to make sure these protections are up to date.

Once virus protection is installed, there's an additional step (which is an extra cost) that allows your computer system to become more adept when something bad happens. For example, if there's a detection that a virus is in your network and it affects all devices that contain a certain product, these software tools can now tell you every computer that has that product so you can fix those first. They're a bit smarter than virus protection and they're able to reach across endpoints and coordinate your response.

As you build your computer network, more things are going on at the same time and it's hard to keep track of them all. There are abilities inside of every software to create logs and alerts to help. Logs are important because if something bad happens, you have the ability to look back in time and see how and when it happened so it can be fixed. Also, pay attention to alerts when they pop up to say something's out of date. They're important and there's a reason they're showing up as they keep your operating system updated.

4. Use Two-Factor Authentication

Two-factor authentication (2FA) improves online security, allowing an extra layer of protection. It’s a straightforward way to make sure that the person logging into a computer is who they say they are. This is where you not only have to enter in a password, but you also must have some other piece of information to make sure it's really you. So then if someone steals your password, they're not able to use it because they don't have that second factor.

There are many types and ways to do two-factor authentication. For instance, there are standalone tokens you can put on your phone. The federal government uses a PIV (personal identity vehicle) card to access devices. Doctors use similar cards to tap the keyboard which proves it’s really them and not just somebody using the password. Also, fingerprint readers are another way to make sure that you are you. Two-factor authentication allows you to secure beyond just the password.

5. Plan to Patch and Update Laptops/Desktops

There’s a vulnerability out there that is affecting a lot of systems. Timely patching and updating your devices with the latest software versions will keep everything up to date and current. Utilize the auto-update feature on all devices. In most operating systems, there's an automatic update available and it will let you schedule the time it performs the update.

The reason to update is all software has problems. There are vulnerabilities in software and these vulnerabilities are discovered as time goes on. They're not known when the product ships, but they are discovered later when someone breaks in. When the vendors discover an issue, they put a fix together and you will want those fixes on your system as soon as possible. Auto-updates are the way to get it done as quickly as possible, and you don't have to worry about forgetting because the computer just does it for you.

6. Provide Awareness Training

Make sure that every employee who uses your organization’s devices and touches your data is trained sufficiently. Providing training to your employees will prepare them if a hacker strikes. The more they learn, the more they're going to know, the more they're going to notice, and the more it's going to help your overall security program.

      • Make sure your employees understand what antivirus protection is. Educate them on what updates are and when they will be installed. Require all employees to use two-factor authentication to protect your organization’s data.
      • Phishing attacks are the number one method that attackers use today. This is where an email has an attachment or a link in it with the hope that you will go to a website and enter your credentials so they can steal your information. Train your employees to spot a phishing email and report it, not click it. Smishing is similar to phishing but it’s via text message and not email. Vishing is a phone call where somebody's trying to get your personal or company information over the phone.
      • To stay current with the latest security news, send security emails to your employees to keep them up to date. Have them read security blogs or listen to podcasts to learn from security professionals. There is also security awareness training, tools, and modules that have security reminders which can be sent monthly or weekly to employees to keep them updated.
      • The National Institute of Standards and Technology (NIST) has stated the longer the password, the better – with the recommendation of at least 15 characters. In order to remember all these long passwords, it’s a good idea to utilize a password manager. It’s a safe encrypted tool to store all account information and passwords securely. Then all you need to remember is just the one password to access the password manager.
      • Shredding documents is as important at home as it is at work. Make sure to destroy any confidential paperwork that contains sensitive information. Nowadays, there is so much focus on electronic information that we sometimes forget about paper documents. To protect your nonprofit, it’s crucial to shred any paperwork that may fall into the wrong hands, at work and at home.

7. Recognize Your Best Defense

A “human firewall” is a well-equipped and trained workforce that is a nonprofit’s best defense against cybersecurity threats. There's a lot that can be caught in advance simply by having your people aware and looking for bad things to happen. They're the last chance you have to catch something as it's coming in or going out the door.

Therefore, training your “human firewall” is of utmost importance. Cybersecurity awareness training should happen often because of the impact of humans and the difference the right human interaction can have on being hacked. The better trained they are, the better off your organization is going to be.


Cybersecurity is crucial for all types of organizations. Don’t fall victim to a cyberattack. Implement a cybersecurity program and train your employees to protect your valuable information.

If you need assistance with creating a cybersecurity program for your nonprofit, contact SVA today. We can help you protect your organization.

Request More Information

© 2022 SVA Certified Public Accountants

Share this post:

Biz Tip Topic Expert: Mark Schafer

Mark Schafer

Mark is the Chief Information Security Officer for SVA Consulting, LLC, a member of the SVA family of companies. Mark is a recognized consultant and leader in security program design and build, ensuring the security strategies he deploys are in alignment with his client’s business objectives.

Awards and Affiliations



Madison, WI
1221 John Q Hammons Dr, Suite 100
Madison, WI 53717
(608) 831-8181

Milwaukee, WI
18650 W. Corporate Drive, Suite 200
Brookfield, WI 53045
(262) 641-6888

Colorado Springs, CO
1880 Office Club Pointe, Suite 128
Colorado Springs, CO 80920
(719) 413-5551

SVA BBB Business Review Man Standing


(888) 574-4782

Are you in the know on the latest business trends, tips, strategies, and tax implications? SVA’s Biz Tips are quick reads on timely information sent to you as soon as they are published.

Connect With Us

Copyright © 2024 SVA Certified Public Accountants | Privacy Policy | Cookie Policy | CCPA