Armanino Blog

Cybersecurity: 9 Steps to Mitigate Your Nonprofit’s Digital Risks

by Renee Ordeneaux
October 14, 2015

“Who would want to hack our nonprofit?”

In the minds of many nonprofit leaders, data breaches are the plague of Fortune 500 companies—or at least the Fortune 500s of the nonprofit world.

Some national and large local nonprofits have suffered well-publicized hacks. In 2014, an estimated 868,000 credit and debit cards were compromised at Goodwill stores across the country. The culprit: malware embedded in the systems of an outside payment-processing vendor. Closer to home, Cedars-Sinai Health System in Los Angeles has been the victim of significant attacks—more than 30,000 patients were victims of a data breach traced to an unencrypted laptop at an employee's home.

Yet size is no predictor.

Just ask the Red Barn, a small Alabama nonprofit that offers horsemanship education and equine-related therapeutic activities. In early 2015, the organization found its website defaced with an image of a gunman declaring his sympathy for the Islamic State. According to cybersecurity experts, the hacker wasn't specifically targeting the Red Barn's website but was, instead, seizing unsecured websites and using them to spread propaganda.

Like Bees to Honey
It should come as no surprise that nonprofits are a prime target. After all, they frequently have information that hackers find irresistible—from credit card information collected on their websites to personally identifiable information about their donors and supporters to private information of patients and clients accessing services. 

Worse, nonprofits’ defenses—like those of most businesses—are typically weak and full of gaping security flaws. Here’s where—and how—hackers typically get in:

Your e-mail. With access to just one e-mail inbox, hackers can gain broad access to your systems, opening the door to launch phishing attacks that look like they’re coming from you. Weak passwords are often the culprit, but phishing schemes are even easier to execute. By now, almost everyone has encountered the Nigerian investor scam and few would fall for it. But the same concepts are used by thieves targeting data, rather than direct cash transfers. Train employees to confirm requests for sensitive information, either with someone else in the organization, or directly with the client if needed. Employee awareness of risks is the first line of defense in preserving confidential data.

Your website. Hackers target outdated website software, plugins, and themes—a problem compounded by the fact that nonprofit websites are often built by volunteers and hosted on cut-rate ISPs to keep costs down.

Your social media. In conjunction with an attack on users’ e-mail accounts, hackers typically also target social media accounts—exposing your followers to further attacks.

Your databases. Personal data is the holy grail of hackerdom. Once inside your relationship management software, hackers can help themselves to troves of personally identifiable information on your prospects and donors. Even more devastating is an event in which hackers gain access to a patient or client database containing information classified as private. In those instances, the nonprofit organization may have a legal, as well as ethical, obligation to notify individuals whose data is at risk. Furthermore, you may be required to provide monitoring services.

Nine Simple Steps to Manage Your Digital Risks
Outsource wisely. As counterintuitive as it may seem, moving your data to external service providers may actually provide more security than hosting it in-house. Yes, you are going “public” with external website hosting, cloud storage, and the like. But these service providers are incredibly motivated to secure your assets. If you were to move your self-hosted or service-provider-hosted e-mail to Google Apps for Nonprofits, for example, you would benefit from the major, ongoing investment that Google makes in protecting its Gmail infrastructure.

Outside service providers are not all created equal, however. When considering moving services to an outside provider, consider whether the provider has had an outside evaluation of its security. The standards that currently provide the most credibility are SOC 2 and SOC 3 reports, as well as compliance with ISO 27001. In evaluating the outsourcing of any service, particularly one that involves confidential data, an organization should consider what third-party certifications the service provider has invested in.

Empower and train staff. Staff should be adequately trained and informed about potential threats. Equip them to recognize, assess and take action in a potential security breach—and make it part of new-hire (and volunteer!) training. Consider sources such as the SANS Institute, which offers in-person and online courses on a variety of information security topics. Another option to consider when private data is at stake is a service that sends fake phishing emails to employees to see who responds. This provides an opportunity to personalize training, since some employees may be more trusting or less familiar with cyber scams.

Spring-clean your data. Most modern credit card processing services don’t save numbers, but some older databases installed on organization servers may contain all kinds of unneeded and risky information, from credit cards to social security numbers. If you don’t need it, don’t keep it. Retaining this data does nothing more than increase your risk.

Patch things up. Installing upgrades when prompted, employing corrective patches, and utilizing solid antivirus protection are the lowest of the low-cost fixes—and eliminate many hacker attack routes. Pay special attention to controls over laptops. If not managed properly, these can contain sensitive data stored by employees or provide access to the organization network. Unfortunately, laptops are lost and stolen on a daily basis.

Beef up passwords. Here’s a great example of a super-strong yet easily remembered password: Tp4tci2s4U2g! (The password for (4) this computer is too (2) strong for you to (4U2) guess!) This password gets its strength from its length plus random punctuation, varied capitalization, and simple substitutions. Consider using sites such as Strong Password Generator to generate truly random passwords. Another best practice is to use different passwords for each account.
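As an added illustration (not part of the original article), the script below estimates the brute-force search space of the article's example password from the character classes it uses, checks it against a minimum policy, and generates a truly random password with Python's `secrets` module; the policy thresholds (12 characters, 3 classes) are assumptions.

```python
import math
import secrets
import string

# Character classes the article credits for strength: length plus punctuation,
# varied capitalization and digit substitutions.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "punct": string.punctuation,       # 32
}


def classes_used(password: str) -> set:
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def brute_force_bits(password: str) -> float:
    """Estimate log2(alphabet ** length), where the alphabet is the union of the
    classes the password actually uses. This is an upper bound: a mnemonic built
    from a sentence is weaker than a truly random string of the same shape."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def meets_policy(password: str, min_len: int = 12, min_classes: int = 3) -> bool:
    """Hypothetical minimum policy (an assumption, not from the article):
    at least min_len characters drawn from at least min_classes classes."""
    return len(password) >= min_len and len(classes_used(password)) >= min_classes


def random_password(length: int = 16) -> str:
    """Generate a random password with the CSPRNG in `secrets`, drawing from all four classes."""
    alphabet = "".join(CLASSES.values())
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    example = "Tp4tci2s4U2g!"   # the article's example password
    print(example, round(brute_force_bits(example), 1), meets_policy(example))
    for length in (8, 12, 16):
        pw = random_password(length)
        print(pw, round(brute_force_bits(pw), 1), meets_policy(pw))
```

Comparing the 8-, 12- and 16-character random outputs shows that each added character from a 94-symbol alphabet adds about 6.6 bits, which is why length does most of the work.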

Develop strong internal controls. Start by establishing a Bring Your Own Device (BYOD) policy for staff and volunteers. A solid BYOD policy sets limits on the types of data that may be accessed on personal devices and establishes cyber-secure procedures, such as accessing data only through a secure network, using encryption for storing and transmitting data and allowing an employer to wipe a device in the event of loss. Encryption isn’t just for data accessed through mobile devices. The infamous Sony hack last year would likely have been a lot less damaging if sensitive files had been encrypted and therefore inaccessible to the hackers.

Secure your social media accounts. Make sure you understand the default privacy settings offered by each social networking site—and how to change them. And consider using multi-factor authentication along with verification login, which sends a code via SMS (text message) if login is attempted from an unfamiliar IP address.

Bone up on credit card regulations. If your organization handles credit cards, make sure you enact the information security best practices mandated by the PCI Data Security Standard, maintained by the PCI Security Standards Council.

Maintain appropriate insurance.  While insurance can’t cure all the side effects of a breach, the funds can help offset any out-of-pocket costs that an organization must incur as a result of a breach, such as the costs of notification and credit-monitoring. In the event of a breach, an immediate and sufficient response is critical to restoring trust.

Stay Adaptable
Today, there are more ways than ever for hackers, competitors and other potential criminals to access sensitive data. By creating strong internal controls, maintaining open communication across departments and following our suggestions above, your nonprofit will be well-positioned to adapt to new threats and reduce its digital risk on an ongoing basis. And if you need help along the way, don’t hesitate to reach out to our nonprofit experts.

