Technology Unwrapped

The most important technology concepts, strategies and actions uncovered for your business.

Cybersecurity for Nonprofits: Protecting Donor Data and Sensitive Information

Nonprofits, like any organization, rely on technology and data in order to operate. When you receive donations, you are required to collect and protect certain data elements in order to make the process function.

But collecting and using data comes with baggage. You’re responsible for properly securing that data, even to the point of criminal liability.

At CoreTech, we work closely with nonprofit organizations to help them secure systems and simplify compliance. This guide will break down core regulations, provide guidance on securing sensitive data, and outline a strategic approach to help you minimize risk.

Understanding Risks for Nonprofits

What’s at stake? Why would a nonprofit be targeted? What’s the goal of the cyberattack, and what does the attack look like? 

These are reasonable questions, and their answers can inform your approach to cybersecurity.

Why Are Nonprofits Targeted?

In most cases, nonprofits are targeted for the same reason as any other organization: they have data that is seen as valuable. Alternatively, a ransomware attacker hopes to extract money by compromising your systems and threatening the release of information.

In particular, nonprofits tend to be targeted because they are seen as softer targets. Many nonprofits work with a small number of staff and less robust security measures, leading to security gaps that are easier to exploit.

There is an additional ideological component. Whether fair or not, nonprofits might work in spaces that are seen as politicized (or otherwise controversial), and they may be attacked simply because the attacker dislikes the organization’s goals.

What’s at Risk?

Considering the motivations, there are a handful of targets that tend to rise to the top with nonprofits:

  • Donor databases
  • Funding information
  • Volunteer & employee records
  • Additional personal or financial data
  • Large-scale systems (like networks or servers) that can bring operations to a halt

What Are the Most Common Attacks?

Any cybersecurity strategy needs to account for the most common attack vectors. These top the list:

  • Ransomware: where malicious software is used to lock data or systems until a ransom is paid to the attacker.
  • Phishing: where attackers try to steal login credentials from users.
  • DDoS: where systems are flooded with repeated requests from many computers until they are overloaded, creating large-scale crashes.
  • Malware: where any type of malicious software is used to cause harm to the organization.
  • Data Breach: where a number of different methods are used to steal data.


Keep in mind that this list is not comprehensive, and your cybersecurity team should account for as many possible types of attacks as they reasonably can.

Start from a Secure Foundation

Cybersecurity requires constant effort and adaptation. That said, you’re not a cybersecurity expert, and the good news is that you don’t have to be. You can offload the bulk of that work to your cybersecurity team.

What you really need are tools to vet security experts and ensure that you’re getting adequate protection. To start you down the road, remember the five essential services in cybersecurity:

  • Staff training
  • Security audits
  • Secure platforms
  • Data encryption and network segmentation
  • Backup and recovery plans


Your cybersecurity partners should be able to outline thorough plans that cover all of these points and more. Those plans form the heart of your data protection.

Practical Strategies to Protect Donor Data

While you lean on your technical support team for the digital aspects of cybersecurity, there are concepts you can consider as an organization that will help you protect data. These ideas apply to any organization that collects a small or large amount of data, and they will help you regardless of your IT strategy.

1. Limit Data Collection

You are never liable for data you do not collect. It is that simple. If you don’t need a donor’s date of birth, don’t ask for it. Collecting less data lowers your risk and simplifies your cybersecurity strategy.

It’s often tempting to ask for more data, but always weigh the benefits of expanded information against the very real liabilities that come from collecting more data.

2. Avoid Shared Lists

An entire industry strives to aggregate information that can help you find valuable donors. It’s tempting to tap into that industry, and it may even prove rewarding. Remember, though, that these lists come with a catch.

Shared donor lists are, well, shared. If you add to the lists from data you collected, you increase your risk if such lists are ever compromised. Additionally, data you take from any lists comes under your control, and you are now liable for protecting it.

Even beyond the basic risks, if your donors suddenly receive spam messages from other nonprofits, they might not appreciate it. Limit your use of such lists. If you need to share data, always warn donors how and what data you share before you collect it.

3. Create Clear, Transparent Data Policies

In fact, transparency should be one of your guiding principles when crafting data policies. You have to collect data to function, and to at least some extent, you will have to share that data with other entities.

The most important thing is to completely, comprehensively map how your organization uses data. Use that map to craft your policies, and then make them as clear and easy to understand for employees as possible.

If you do share data (whether for analytics, marketing, or any other purpose), disclose all of it up front. If necessary, use popups to make your terms impossible to miss.

Of course, you can also try to never share data and even make it a point of pride in your policy.

4. Informed Consent and Expiration Dates

Informed consent and data policies go hand-in-hand. Informed consent requires more than a checked box. Your donors should understand at least the following:

  • What data you collect
  • Why you collect it
  • How long you keep it
  • What their rights are
  • How you intend to share it

Beyond these basics, consider building expiration dates into your consent process. As an example, you might keep data for a full year. Once that year passes, you can ask for renewed consent. This increases transparency and improves satisfaction.

Along these lines, make consent revocation accessible. If you’re using a donor story in a newsletter, for instance, provide clear steps the donor can follow to withdraw extended use. Most importantly, make sure your team has the access it needs to comply promptly with revoked consent.


5. Distinguishing Anonymous and Personally Identifiable Data

You can break your data into two categories: anonymous and personally identifiable information (PII). Anonymous data faces far less scrutiny and fewer regulations compared to PII. Names, addresses, credit card numbers, and other information that can be tied to an individual face the more stringent rules found in regulatory documentation.

When you categorize and isolate the different data types, you can focus your security efforts where they matter most. Simultaneously, this allows you to demonstrate to your donors that you take privacy seriously.

6. User-Based Access Controls

To some extent, role-based access will fall under the purview of your IT support, but understanding roles empowers you to build better security into your data management from the top down.

Simply put, an event volunteer does not need access to your full list of donor names.

Access controls apply to three separate aspects of how you run your business: physical access, digital access, and vendor access.

Physical access sets the groundwork. It is up to you to ensure that only authorized persons can access computers or equipment where donor data is stored. No digital security effort can protect data if any stranger can walk in off the street and remove information from a desk or access your systems. Physical barriers and locks are essential cybersecurity measures, and they are easy to overlook.
 
Digital access is best managed from a perspective of roles. Fundraising personnel might need contact information, but they don’t need financial records. Accountants don’t need access to CRM notes. Even your IT team should have limited access based on their functions. They don’t need full visibility into your donor database. When you think about roles and access, you empower your IT team to create accounts and tag them correctly. They can then efficiently set access controls, ensuring that even compromised accounts cannot compromise the entire system.

Vendor access is also easily overlooked. While you may need to share data with vendors, their security is ultimately your responsibility. If they leak information obtained from you, that’s still your problem. Work only with vetted, trusted providers. Additionally, limit their access according to discrete vendor roles.

Partner with CoreTech to Keep Data Secure and Protect What Matters

Your nonprofit faces unique cybersecurity and data protection challenges. At CoreTech, we help you face and overcome those challenges. Contact us today to discuss your options and start building a data security plan that protects your nonprofit organization, its donors, and the people you serve.

 
