How to Right-Size Cybersecurity to Fit the Small Nonprofit

Organizations rely on technology for communicating, managing their work, making accurate and timely decisions, assisting customers, and staying informed wherever they go. But along with this comes a mounting risk of data breach. Particularly susceptible are small nonprofit organizations with fewer technical safeguards, outdated security protocols, and modest IT budgets.

Understand your risk.

Cyber threats have become increasingly sophisticated. Compounding this is a recent surge in remote work, Bring Your Own Device (BYOD) flexibility, and online transaction processing, all of which combine to broaden the threat landscape. Organizations that store electronic patient data, personally identifiable information, and banking and credit card records stand to face even greater upheaval should they fall prey to ransomware, viruses, social engineering attacks, or a third-party or employee data breach. The smaller an organization is, the greater the impact, because it has fewer resources to absorb and recover from an incident.

Let’s consider the risk.

Financial and Reputation Loss. Small nonprofit organizations store sensitive information about donors, clients, and employees, and cybercriminals are intent on stealing that data to conduct phishing scams, launch extortion or ransomware attacks, and open lines of credit. Should confidential data be compromised, it could damage your ability to fundraise. It could also trigger costly litigation.

Insurance Terms. Insurance companies often require that baseline security standards be in place to uphold cybersecurity coverage. Yet many nonprofit organizations lack the in-house expertise needed to properly evaluate policy language and terms. This could result in a coverage lapse should a breach occur. There are cases where an organization thought it was covered, but the claim was denied because the policy required adequate IT controls that were not in place.

Regulatory Compliance. Some small nonprofit organizations are subject to cybersecurity laws and regulations such as HIPAA and the Payment Card Industry Data Security Standard (PCI DSS). Failure to comply with these could result in costly fines and litigation.

Constituent Trust. When constituent data is compromised or essential services are lost, the damage to that relationship can be permanent.

Take preventive measures.

Even the smallest investment in time, training, and vigilance can make a big impact in bolstering your cybersecurity profile.

AAFCPAs advises small nonprofit clients to start by conducting an IT general controls assessment to pinpoint areas of risk along with opportunities for improvement. In doing so, consider the types of data exposure you face, including threats specific to your industry, such as those related to fundraising platforms or volunteer workforces.

We recommend that organizations designate one individual within the organization to act as security manager, responsible for planning, software upgrades, backups, patching, and incident response. Then document procedures, plans, and policies to clearly define acceptable use and response protocols. Consider remote work and BYOD exposures when drafting policies. Define authentication and access control, including how and when access will be revoked once it is no longer needed. Should access and privileges be limited to a need-to-know basis? What are the password protocols? How is sensitive data handled? What is mandated from a compliance standpoint? Then revisit, assess, revise, disseminate, and train all employees and volunteers to ensure ongoing awareness.

Constituent trust is critical. If resource enhancements are needed, AAFCPAs provides a right-sized approach to security. We help small nonprofit organizations under heightened risk conduct IT security assessments to better understand their strengths and vulnerabilities.

If you have questions, please contact James Jumes, MBA, M.Ed., Partner, Business Process & IT Consulting at 774.512.4062, or contact your AAFCPAs Partner.

About the Authors

James Jumes
James joined AAFCPAs in 2013 to lead the Business Consulting Services practice. He has more than 25 years of experience working with information technology systems and diverse business operational processes. James is highly experienced in IT controls and assurance, SOX 404, and Service Organization Control (SOC) reports: SOC 1 (SSAE 18), SOC 2, SOC 2+ and SOC 3 attestation reporting. James developed a unique methodology for delivering SOC reporting services, and he is an AICPA-approved Peer Review SOC Specialist, assisting peer review teams in reviewing SOC 1, 2, 2+ and 3 engagements. He is a HITRUST Certified Common Security Framework (CSF) Practitioner, providing HITRUST CSF self-assessment consulting, or SOC 2 + HITRUST, for assessing against the evolving compliance landscape shaped by HITECH, HIPAA, CMS and various other federal, state and business requirements.
Mr. Anderson - Ethical Security Hacker
Mr. Anderson is a “white hat” ethical security hacker and business continuity advisor with extensive experience in the development and implementation of security-focused audit and control programs. He is highly sought after for his expertise in security architecture reviews; penetration/vulnerability testing; business resiliency, disaster recovery and other remediation strategies; hardware system selection and configuration; cloud application security reviews; and wireless security assessments. Mr. Anderson has a deep understanding of industry standards and extensive experience with internal controls evaluation, COSO, COBIT, ITIL, ITGCC, GLBA audits, and ISO and SOX 404 compliance requirements, including all phases of planning, evaluation, documentation, testing and remediation.