Source: RSM US LLP.   

ARTICLE

No organization is immune from cyberattacks. For nonprofits, cybersecurity resiliency revolves around the ability to detect, respond and recover from incidents quickly while minimizing the impact on operations. In the event of a cyberattack, can the organization continue to deliver vital services to its stakeholders?

Nonprofits often hold sensitive donor information, volunteer details and constituent data, in addition to managing critical community services. An organization that has strong cybersecurity resiliency protects its sensitive data and ensures that it can fulfill its mission without interruption. Organizations that seek to bolster their cybersecurity resiliency can take steps to enhance this vital function.

Furthermore, donors and grantors are requiring nonprofits to have stronger cybersecurity controls as part of their risk management processes. As the cybersecurity landscape evolves, nonprofits will need to stay informed about the latest threats and available solutions.

Unique challenges

Nonprofit organizations often face different cybersecurity issues than for-profit enterprises. One key difference is their reliance on external parties, such as volunteers or contractors, who have access to internal systems. This can create complications in ensuring that only the right people have access to the right information.

In addition, many nonprofits have limited budgets for technology investments and cybersecurity measures. These constraints can result in accumulated technology debt, where organizations continue to use outdated or vulnerable systems because upgrading requires valuable resources or significant investments.

Like many businesses, nonprofits assume that because they use third-party vendors or cloud services, their data is safe. However, while the cloud often does provide more native cybersecurity controls, this assumption can lead to vulnerabilities. Nonprofits must actively manage their security program and related risks, even when using external providers.

Strengthening resiliency

Despite these challenges, there are several strategies nonprofits can use to improve their cybersecurity posture:

1. Mission alignment

Leadership must emphasize the importance of cybersecurity. If cybersecurity is championed from the top, including the board, it becomes easier for employees and volunteers to prioritize security in their daily operations.

2. Asset protection

Some data is more crucial or vulnerable than other data. Nonprofits should understand the data types they have and then focus on the most critical areas, define their security requirements and work to implement technical controls that can safeguard their riskiest data sets first.

3. Security awareness training

Cybersecurity training for nonprofit staff and volunteers is vital. Ideally, the program can be implemented through a formal learning management system, but it can be as simple as an annual town hall meeting. Regardless of the format, the goal is to make stakeholders aware of phishing attacks, social engineering scams and other common threats. It is also beneficial to create specialized training for leadership teams and staff with elevated privileges such as IT administrators or finance professionals, so they know how to handle incidents and coordinate responses.

4. Incident response and business continuity plans:

Nonprofits need well-defined incident response and business continuity plans to ensure they can act swiftly during a security breach and other business interruptions. The organization should run tabletop exercises to test these plans and ensure that leadership is prepared to handle communications during an incident and disruptions.

5. Free and low-cost resources

Nonprofits with limited budgets may feel that strong cybersecurity is out of reach. However, free resources—like those offered by the National Institute of Standards and Technology and the Standards Council of Canada—can provide guidance and best practices. These resources can help organizations implement incident response scenarios and develop cybersecurity plans. In addition, some technology vendors offer discounted cybersecurity tools for nonprofits, which can be helpful for organizations with tight budgets.

6. Partnerships and outsourcing

For many nonprofits, hiring in-house cybersecurity professionals is financially unfeasible. Organizations may want to work with a third-party vendor that can offer expertise that might otherwise be out of reach while keeping costs manageable. A managed security service provider can handle cybersecurity more effectively than nonprofit professionals who do not focus on technology.

Going forward

The question is not whether nonprofits will face cyberthreats but how prepared they will be when those threats arise. Financial auditors are increasingly including cybersecurity risk in their internal control reviews, and this will pressure nonprofits to improve their practices.

Ensuring cybersecurity resiliency—the ability to protect against, respond to and recover from cyber threats—is not just a technical requirement but a mission-critical function. By embracing key strategies and best practices, nonprofit organizations can protect their operations and ensure the continued trust of their donors, volunteers and communities.


This article was written by Patricio Cadena, Gianna Kubiak and originally appeared on 2024-12-10. Reprinted with permission from RSM US LLP.
© 2024 RSM US LLP. All rights reserved. https://rsmus.com/insights/industries/nonprofit/cybersecurity-resiliency-for-nonprofit-organizations.html

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent assurance, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/about for more information regarding RSM US LLP and RSM International.