The cybersecurity threats to nonprofits have never been higher. In its 2022 Digital Defense Report, Microsoft identified nonprofits and Think Tanks as the second most targeted sector globally. We know too there has been direct targeting of humanitarian organizations in 2021/22 including breaches of ICRC and USAID systems used to target other nonprofits.

Today’s cybercriminals are taking advantage of organizations who had to move hastily to remote work and digital services during the pandemic, whose staff aren’t always as well trained as those in corporations, and who simply haven’t had dedicated funds to stand up good technology programs.

It’s no longer enough to do the basics around security. Nonprofits must have a robust strategy  that’s embedded in the entire beneficiary, employee and volunteer lifecycle to build resilience and protect trust.

But where to start? Although it’s a complex task, we believe these considerations will help nonprofits frame their discussions and get them asking the right questions.

Risk assessments
For today’s cybercriminals, it’s not just about intercepting donations anymore but going after the most important data they can steal for a lucrative marketplace. With ever more complex IT environments, there’s a larger landscape to attack; therefore, regular risk assessments are imperative to understand constantly evolving vulnerabilities and stay ahead of the biggest threats. The more detailed an approach taken by a nonprofit, the more they can minimize the chance of an attack. A good cybersecurity policy should include a buy-in clause, acceptable use standards, essential data management practices and the right account and identity practices.

Employee training and awareness
Improving education to foster a strong cybersecurity culture must be priority #1 for organizations, because nothing else will move forward without that baseline. Yet, traditional security awareness programs aren’t hitting the mark to reduce unsecure employee behavior. At Avanade, we’ve found that bite-sized content is more relatable and easier for people to apply. We also try to make the learning process fun through gamification of faux phishing emails. But be mindful that multiple generations in the workforce may necessitate a variety of educational methods to meet the different ways they consume knowledge. Next, don’t underestimate the ability of simple acts such as good password hygiene and software updates to have powerful impacts. Finally, remember to include vendors in education and awareness programs.

Third-party vendor management
Speaking of vendors, the point of vulnerability of most organizations are these third parties. There always seems to be one little (but fully exploitable) gap between a nonprofit and one of their service providers. Examine what type of service they’re providing and whether it’s mission critical. Are they maintaining your heating, ventilation and air conditioning system...or your cloud platform? Different vendors will need different levels of access to ensure that they’re restricted precisely to their role. And make sure you have a good identity governance and administration process in place to remove vendors when they’re no longer doing work for the organization.

The right partner
The right partner, whether a technology service provider or a nonprofit consortium such as NetHope can help with disaster response and recovery plans (table stakes, by the way, in any cybersecurity approach), penetration testing, threat exposure management and managed detection response. They can also determine if your organization is a good candidate for platform consolidation. Any given organization could be using up to 100 products and reducing that landscape will cut licensing and training costs. They may also recommend a move to a best of breed platform such as Microsoft Cloud for Nonprofit.

The right security talent
Some nonprofits will address their talent needs through a managed services agreement, giving them access to the latest solution upgrades and efficiencies. Some will want their own staff, but with an ever-shrinking pool of security professionals across all industries, they’ll need to get creative. Consider increasing the talent pool and promoting inclusion and diversity efforts by hiring from underrepresented groups such as women, people of color and those with informal educations. Look for key traits (curiosity, problem-solving, critical thinking) rather than technical skill, which can be taught. We’re not alone in this challenge at Avanade, so we’ve created cyber-academies to train characteristically attractive candidates in important technical capabilities. Generative AI will also play an increasingly important role in security strategy, allowing security teams to understand and manage security in ways they haven’t been able to before.

Board support
Now that you’ve had the right discussions, identified your gaps, and determined the best strategy to protect the important work of your organization, care must be given to Board buy-in. Today’s nonprofit Boards seem to be more aware of threats, but the questions they ask indicate that they don’t fully comprehend the impact of cyber risk on overall enterprise risk. Nonprofit leadership must take responsibility to educate them on the financial, operational and reputational impacts of security threats and not just the technical aspects. Link risk mitigation to the organization’s objectives and help the Board become a supporter of rather than a hinderance to attaining the necessary funds for a successful cybersecurity program.

Developing a modern and resilient cybersecurity strategy is imperative if nonprofits want to continue delivering on their missions through this era of more frequent and sophisticated criminal attacks.

If you’d like to learn more about where to start, click here. Or listen to our Tech for Social Good Podcast for more cybersecurity insights.