Cyberattack risks for nonprofits are on the rise. Historically passed over by malicious actors in favor of private enterprises with larger potential payoffs, nonprofits are now targeted by groups looking to disrupt operations or hold data hostage.

Consider the recent attack on the International Committee of the Red Cross (ICRC), which saw the confidential information of more than 500,000 highly vulnerable people—including those displaced from their homes due to conflict and disaster—compromised by attackers. There was no publicly-stated motive behind the attack, and the ICRC still isn’t sure who’s responsible. But, no matter the origin and intent, the outcome of the attack remains the same: critical data was compromised, and people were put at risk.

Noble causes aren’t enough to mitigate the short- and long-term effects of evolving cyberattacks. Nonprofit cybersecurity must be a priority for organizations, no matter their mission, budget, or current IT infrastructure.

Nonprofit organizations find themselves in a challenging position when it comes to cybersecurity. While many of their cyber concerns overlap with private enterprise, the public nature of their work creates an additional set of issues. Nonprofits face common cybersecurity challenges such as:

• Insider threats: Most are accidental, and some are malicious, but the outcome is the same: Insider threats put data at risk. And according to recent research, insider threats have risen 44% over the past two years.
• Increasing complexity: The last two years have seen organizations worldwide adopt cloud and mobile technologies at an unprecedented pace. But this uptake also creates complexity as companies look to pinpoint who’s accessing what, when, and why. It also creates an opportunity for attackers to compromise critical systems without being detected
• Highly public data: To retain their nonprofit status and ensure donor confidence, nonprofits must provide greater data transparency than other organizations. The public nature puts data at risk of attack and subjects nonprofits to greater scrutiny under regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
• Cause-driven attacks: Nonprofits may also experience additional threats tied to their cause. No matter its beneficial intent, some malicious attackers may take issue with the organization’s mission and purposefully seek to cause harm.

When it comes to improved information security for nonprofits, the key to success is a multi-pronged approach. While individual tools and technologies can help pinpoint specific attack vectors or mitigate the damage, this insulated approach isn’t enough to defend against evolving attacks.

Instead, hackers may leverage user accounts to gain access, move laterally through systems, or lie in wait, collecting sensitive data until attackers decide to strike. To effectively adopt a multi-pronged security framework, nonprofits benefit from three best practices:

• Give cybersecurity a seat at the table: Cybersecurity can’t be an afterthought—nonprofits need to give information security experts a seat at the C-suite table. By ensuring that cybersecurity is an essential part of the decision-making process, organizations can reduce their total risk.
• Understand the difference between due care (DC) and due diligence (DD): Nonprofits are obligated to demonstrate both due care and due diligence in cybersecurity, but it’s important to understand the difference. While DC refers to guidance and direction around creating cybersecurity frameworks, DD is the act of following this guidance to implement effective policies.
• Create consistent policies: Cybersecurity policies only work if they apply to everyone in the organization. This includes front-line staff connecting with donors and taking donations, and it applies to C-suite executives in charge of long-term strategy and planning. Without consistency, policies won’t have the intended impact.

Reducing risk starts with information. The National Council of Nonprofits recommends resources such as those from the US Department of Homeland Security to help organizations understand the threat landscape they face, and how it can impact operations. Additionally, conducting an audit with the help of a trusted third-party provider is a recommended step, as these industry experts pinpoint cybersecurity issues that may not be readily apparent but could put nonprofits at risk.

Consider eCommerce storefronts: Many nonprofit organizations now use digital sales channels to drive donations and increase social awareness. However, if donors’ financial and personal data isn’t adequately encrypted, stored, and monitored, this revenue-generating initiative could put nonprofits at risk for regulatory non-compliance with regulations like PCI-DSS, GDPR, or the CCPA.

Finally, nonprofits must build a comprehensive security program designed to address the interconnected nature of risk. This type of holistic approach helps organizations identify and remediate the root cause of common security issues rather than addressing the symptom, leading to a more robust security posture.

A good cause won’t mitigate the impacts of cybersecurity threats for nonprofits. To address existing weak points and address emerging issues, nonprofits need a holistic security approach capable of detecting, identifying, and mitigating threats across the organization.