- Only 20% have specific policies for cyberattacks.
- 59.2% don’t offer any regular cybersecurity training.
- 71% let staff use personal devices for organizational access.
- 30% don’t monitor their IT environment at all.
You will find dozens of articles telling nonprofits what to do for greater cybersecurity. Few posts suggest how to think about the issue.
This article will offer five principles that can help any nonprofit develop the right mindset for effective cyber-defenses.
Principle 1: Your organization is a target
A common myth holds that cybercriminals have no interest in nonprofits: hackers, the thinking goes, aim at real banks, not food banks.
This couldn’t be farther from the truth.
Every organization is a tempting target for someone. Whether for employee W-2 forms or donor credit card numbers, cybercriminals have a reason to breach your nonprofit.
Recent data indicate that 63% of nonprofits have suffered some kind of data breach.
Principle 2: When, not If
A common saying holds that there are “two types of companies: those that have been hacked and those that will be.” Read ‘nonprofits’ in place of ‘companies,’ and the proverb rings just as true.
While hoping for the best, nonprofits must prepare as though the worst is inevitable.
Principle 3: Breaches take many forms
Some may object that the NTEN survey skews toward small organizations. Larger nonprofits, they might add, have their cybersecurity under control.
But many organizations that plan and spend appropriately still fall into a common error: they fund cybersecurity while regarding it as something that IT does.
In this mistaken view, the rest of the organization treats IT like a perpetual audit. Staff nod through cybersecurity training, skim the reminder emails, and install required updates, but they do all of it reluctantly, with grumbles and grousing.
This IT-driven approach could work, provided your organization only faced external threats.
Alas. Breaches come in a dizzying variety of forms: internal or external, intentional or accidental, malicious or negligent, via people or via devices. Last year, 21% of breaches were caused by internal errors, 34% involved internal actors, and in 56% of cases the breach took months or years to discover.
“A response plan solely focused on and run by IT is destined to fail,” remark the authors of an EY report. “An effective response involves all aspects of the organization.”
Nonprofits must broaden their understanding of cyber risk to include every employee, database, and internet-connected device.
Principle 4: Your plan needs rehearsal
Search for anything related to ‘cybersecurity,’ and you’ll run into the same set of stock recommendations: train your employees, monitor your IT environment, keep networks secure, restrict data access by role, and create a breach response plan and team.
Now suppose that you’ve followed these recommendations. You have an incident response plan, a team, monitoring tools, a secure network, regular staff training, and so on.
How do you know if any of it will work? How can you tell whether or not your plan would survive an actual breach?
The answer is simple: rehearsal. You simulate breach scenarios and drill your team’s response to as many of them as possible.
You can make a breach simulation as formal as you want: hire a consultancy like EY, prepare for weeks, and spend big on a grand scenario.
But you don’t have to. Scenarios can run at any scale (a team, a department, an entity, or the whole enterprise), at any level of formality, and with or without paid advisors.
Try it. Find a list of the most common ways breaches happen (I would recommend Verizon’s annual Data Breach Investigations Report). Then engage your imagination. How would you react if ransomware locked down your network? What would you tell your donors if a staff member accidentally leaked their payment details? Write down what each drill exposes, such as who could not be reached, which backup could not be restored, or which decision had no owner; those gaps are what the rehearsal exists to find.
Principle 5: The right software matters
Last year, the US Department of Homeland Security issued a formal alert warning of an increase in successful cyberattacks on ERP and finance management systems.
The systems in question included Oracle and SAP products. As one study reported, many breaches occurred because of “unpatched” software and “insecure” customizations. Vendor employees had also shared login credentials on unsecured internet forums.
Fully 89% of security experts say they expect an increase in future cyberattacks on finance management systems.
Nonprofits need software providers they can trust with their data.
But what should you look for?
The most secure ERP solutions remain unified applications delivered through the public cloud. A true cloud platform enables a provider like Xledger to deliver seamless upgrades and to patch once for all clients. Meanwhile, multi-tenancy and a configuration-based (rather than customization-based) approach keep all customers on a single standardized version of the software, which leaves no room for the unpatched installs and insecure customizations that the alert described.
Please contact us for more information about Xledger, the market’s most automated and unified ERP solution.