Nonprofits are under attack.
If you've never lived through a ransomware attack, allow me to paint you a picture: The day begins no different than any other. You open your laptop, join your morning team check-in, and prioritize your day. However, as soon as you begin working, you notice an issue. "Is anyone else having issues with the shared drive?" It soon becomes apparent that everyone is having the same issue. Resources available just a few minutes ago are gone, files are renamed and converted into strange formats, databases are locked, network printers are inaccessible. Your stomach turns.
Ransomware blocks access to an organization's data and systems until the organization pays the attackers' ransom, costing precious time and money. Hackers execute these attacks through malicious email attachments that look innocuous by design.
Increasingly, nonprofits of all sizes are the targets of cyber-attacks, including but not limited to ransomware. Nonprofits often possess valuable data about donors, clients, and employees but may be less likely to have modern cybersecurity programs in place than for-profit organizations. In addition, the proliferation of cloud-based technologies coupled with the move to remote work during the pandemic has dramatically increased the attack surface for cybercriminals. All of these factors combine to create a perfect storm for nonprofits trying to keep up.
Most nonprofits have not conducted comprehensive security risk assessments, so they do not truly understand the actual risks. For example, only 20% of nonprofits claim to have documented policies that address cyber-attacks. Additionally, 56% of nonprofits state that they do not use multi-factor authentication (MFA) on their online systems.
Good cybersecurity programs are hard to create and maintain even without the resource constraints that most nonprofits face, which is why nonprofit funders must support cybersecurity initiatives. This support includes investing in ongoing training and education for nonprofit staff as well as appropriate technology tools.
Implementation of a cybersecurity program is a continuous journey towards more robust cybersecurity. The journey begins with assessing each organization's baseline security posture to understand the next steps. The assessment phase should conclude with sound recommendations and remediation steps for the organization's systems and digital spaces. The second phase of the journey involves designing frameworks, policies, and implementation plans based on the results from the first phase. The third phase is execution:
- Rolling out policies and procedures
- Implementing cybersecurity tools and services
- Incorporating cybersecurity training into daily operations
Grantees and funders must work together to prioritize cybersecurity across all platforms and processes. Here are three specific ways funders can help nonprofits avoid falling prey to cyber-attacks.
1. Continue funding technology projects and emphasize the need for security
When funding technology projects, require and include funding for security controls. In the application process, ask questions that center on the organization's ideas for securing the new platform or application during and after implementation. Funders should be familiar with the design phase described earlier in this article. To be clear: funders need to invest in security technology by increasing, not shifting, funding.
2. Provide your grantees with security services
Some foundations already do this, but more funders must provide security services through a technology service provider. Providing cybersecurity assessment services to grantees is a great way to get them started on the first phase of the cybersecurity journey.
3. Help reduce the cost barrier
One of the most significant barriers to implementing and adopting new technology, in this case, cybersecurity technology, is cost. Investing in the implementation and ongoing maintenance phase of the cybersecurity program will ensure that nonprofits not only secure themselves now but take steps to ensure security in the future. The design phase will help inform the cost discussion, but nonprofits can use several tools and training resources to create a "standard" that organizations can provide for funding opportunities.
Cyber-attacks are becoming more relentless, ruthless, and complex, so the nonprofit sector needs to strengthen its cybersecurity posture proportionately. Keeping your organization's data safe should be a top priority not just for organizations but for the funders that support their work. What's more, cybersecurity investment needs to be ongoing rather than one-and-done: nothing less than the very existence of nonprofits and their impactful programs is at stake.
So how can you take the first step to secure your data from the inside out? Solutions like Gravyty Guard are included free with the entire suite of Gravyty tools, powered by AI. Guard helps protect your employees and donor data with an intimate understanding of fundraisers' behavior, allowing it to stop data breaches before they happen. See a personalized Gravyty demo today and learn how you can keep your organization's data safe while enabling fundraisers to do the best work of their lives: