Cybersecurity Best Practices for Your Nonprofit

According to a 2023 cybersecurity report, nonprofit organizations have seen a rise in cybersecurity risk in the last year. Despite the dangers, many nonprofits still operate without cyber insurance because of limited resources and limited board support.

Most nonprofits feel their cybersecurity programs need more funding to cover new solutions and managed services. Okta, an independent identity partner for nonprofit organizations, highlighted the increasing challenge of cyberattacks for nonprofits this year, with potential risks both to the organizations and to the individuals they serve.

This article discusses the critical state nonprofits are in regarding cyberattacks, funding challenges, and access to incident response expertise. Nonprofits are facing attacks against their donor and grant systems. To offset their lack of in-house cybersecurity expertise, these organizations continue developing relationships with managed security service providers (MSSPs) like Hypershift.

Does Your Nonprofit Need Cybersecurity Protection Layers?

Like their for-profit enterprise counterparts, nonprofits hold sensitive data within their systems. This valuable data includes employees' personal information, donor information, and sensitive details about their various grant funding sources.

Hackers target nonprofits because most lack the funding and expertise for incident response, threat modeling, and remediation. Investing in additional security measures, including artificial intelligence (AI) and machine learning (ML) defensive tools, is challenging because of the cost and operational overhead.

Cybersecurity threats within the nonprofit community continue to grow as more organizations turn to state and federal governments for funding. Email phishing scams, including hackers posing as volunteer grant writers or impersonating federal government employees, are widespread.

One of the first steps nonprofits must take is to protect the sources through which they collect revenue information. These include a newsletter seeking donations, an e-commerce site processing donations, and a grant management platform containing information about grant awards, the source of each grant, and the expected dollar amount.

How Should Nonprofits Protect Their E-Commerce Site?

Nonprofits rely on donations to fund their various programs, and many invest in an e-commerce site to simplify the donation collection process. These organizations have several options when setting up a website to receive donations.

  • Hosting providers like GoDaddy.com assist nonprofits in setting up a domain, an e-commerce presence, and the ability to accept credit cards and bank transfers. GoDaddy.com also provides a PCI-DSS-compliant infrastructure to process credit card information, encryption services to help protect donors' information, and integrated security to help protect their website in case of a denial-of-service attack.
  • GlobalGiving is a platform nonprofits can access that offers tools, resources, and security to help organizations collect donation information from across the globe. "GlobalGiving is a nonprofit that supports other nonprofits by connecting them to donors and companies. Since 2002, we've helped trusted, community-led organizations from Afghanistan to Zimbabwe (and hundreds of places in between) access the tools, training, and support they need to improve our world."

Even after leveraging these website providers for secure donation processing and collection, nonprofits still need to implement other controls to ensure the security of their information.

Nonprofits should enable the following security best practices to provide additional protection for their e-commerce activities:

  • Enable multi-factor authentication (MFA) to help protect the e-commerce site from hackers using stolen credentials to access donor information.
  • Restrict access to the e-commerce administration page to individuals who need it for business purposes.
  • Back up the data collected on the e-commerce website and store it in a separate cloud-based repository in case the provider's site becomes compromised.
  • Enable advanced AI email security solutions to help stop email phishing attacks.

Note: Regardless of which hosting provider a nonprofit uses, the organization is 100% responsible for protecting its data.

What Are Some Best Practices Regarding Protecting Data Transmitted to the Cloud?

Data management is a critical part of the e-commerce experience for nonprofits. Even with secured offerings from GoDaddy and GlobalGiving.org, organizations must protect all data transmitted to their cloud.

Here is a checklist organizations should follow to protect their data:

  • Inventory and classify all data sources relevant to the organization.
  • Document the location of the data, including the donor system, e-commerce site, email list, and newsletter subscription list.
  • Ensure no other applications, hosted or on-premises, have unapproved access to the donor collection systems.
  • Ensure every data backup is documented and stored in a cloud-based repository with restricted access.
  • Ensure encryption of data at rest and data in transit is enabled for the organization's employee, donor, and financial systems.

How Should Nonprofits Protect Their Grant Management System?

Second only to e-commerce, grant awards are a considerable source of funding for nonprofits. Nonprofit organizations will leverage grant management software packages, including Boomerang, to help manage the entire workflow. Boomerang is a cloud-based grant management system that provides the tools nonprofits need to apply for grants, receive funds, and report on the accountability of those funds.

The data stored in these systems is not immune to cyber threats, which are a growing concern in today's digital landscape. Hackers, who frequently target such systems, can gain unauthorized access through various means, including email phishing attacks against nonprofit employees.

This system stores valuable information, along with the type of attack each item enables:

  • Which organization provides the grant funding to the nonprofit (social engineering attack)
  • Who is the primary point of contact for grant administration (impersonation attack)
  • How much the donation was (business email compromise)
  • Whether the grant has an automatic renewal and, if so, when (financial fraud)

Nonprofits using Boomerang and other grant management tools must enable additional layers of security protection.

Protecting against cybersecurity risks is a shared responsibility. By enabling MFA, restricting access to the grant management SaaS application, and ensuring backup data is securely stored in a cloud depository, nonprofits can significantly enhance their security posture and mitigate potential threats.

How Should Organizations Securely Merge Their Data Sources?

Nonprofits using disparate systems to collect donor funding must develop a secure process to merge the information into a single source of truth. Today, nonprofits typically hold donor information in several systems, including:

  • E-commerce site hosted by a third-party provider.
  • Grant management system.
  • Newsletter subscription program.
  • Individual event data collection spreadsheets.

Spreading donor information across different platforms makes it harder to protect and can lead to a data breach. Here are some best practices nonprofits can follow to consolidate their platforms and safeguard the single source of truth.

  • Within the grant management system, use as many of the features available under your subscription license as possible, such as managing mailing lists and newsletter subscriber lists and collecting donor information and dollar amounts for individual charity events and campaigns.
  • Phase out any standalone donor programs or collection systems.
  • Encrypt everything and every source of data.
  • Only attempt to merge the e-commerce donor information and the grant management data files if a proven and secure API exists between the platforms.

Note: GlobalGiving.org's platform offers an API to help merge donation information.

"GlobalGiving's API offers you the vetted global nonprofits and secure donation platform you need. Integrate GlobalGiving's free API to access our portfolio of 6,000+ charitable projects in 175+ countries, including the US and UK, and put your choice in your users' hands."

In What Areas Are Nonprofits Most Susceptible to Cyberattacks?

Nonprofits are susceptible to several kinds of cyberattack. These attacks test nonprofits' defenses, including their incident response plan and its execution, MFA, password managers, and endpoint devices.

Here is a list of common cyberattacks used against nonprofit organizations:

  • Business email compromise (BEC) attacks are common against nonprofits. Hackers pose as company CEOs wanting to donate to the nonprofit. This impersonation attack is conducted over email, and it includes asking the nonprofit to provide its banking information so the "donor" can deposit funds directly into the account. In reality, once the hackers have the bank account information, they use it to withdraw funds.
  • Ransomware attacks are widespread. Hackers, again using email, send well-crafted messages attempting to lure the victim into downloading malware. Once the malware is downloaded and run, it encrypts the organization's files and the hackers make financial demands.
  • Another common threat to nonprofits is social engineering. Hackers use social engineering to connect with employees working for the nonprofit in order to gain access to the donor or grant system, and to employee information. These attacks leverage employees' LinkedIn profiles to establish rapport.
  • Hackers have also become adept at impersonating nonprofit organizations, creating lookalike domains to send fraudulent donation requests. They register domains like "unitedWYA.com" or "AmericnaRdecorss.com" that resemble known nonprofit organizations, then embed false donation forms, complete with AI-generated photos, in their emails to lure people into donating.
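As an added example (not code from the article or from Hypershift), here is a small defender-side check that flags sender domains resembling a nonprofit's known-good domains, catching the transposed-letter pattern above as well as swapped TLDs and digit-for-letter substitutions. The allow-list of legitimate domains is an assumption standing in for an organization's own list, and the suspicious domains are constructed samples.

```python
# Flag lookalike domains (transposed letters, swapped TLDs, digit-for-letter swaps)
# against a nonprofit's known-good domains. Added example, not code from the article
# or Hypershift; the allow-list is an assumption, the test domains are constructed.
from typing import Optional

KNOWN_DOMAINS = {"unitedway.org", "americanredcross.org", "globalgiving.org"}  # assumed
# Fold common visual confusables so "giv1ng" or "arnerican" still match.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold(label: str) -> str:
    label = label.lower()
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and adjacent
    transposition each cost 1, so 'unitedwya' -> 'unitedway' is distance 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> str:
    """'mail.unitedway.org' -> 'unitedway' (multi-part suffixes like co.uk not handled)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(domain: str, known: set = KNOWN_DOMAINS) -> Optional[str]:
    """Return the known domain this one imitates, or None when it is a known domain
    (or a subdomain of one) or simply unrelated. A swapped TLD such as
    unitedway.com still counts as a lookalike of unitedway.org."""
    d = domain.lower().rstrip(".")
    if d in known or any(d.endswith("." + k) for k in known):
        return None
    label = fold(registrable_label(d))
    best = min(known, key=lambda k: osa_distance(label, fold(registrable_label(k))))
    best_label = fold(registrable_label(best))
    tolerance = max(1, len(best_label) // 5)  # 1 edit for short labels, 3 for 15+ chars
    return best if osa_distance(label, best_label) <= tolerance else None
```

Running `lookalike_of` over the sender domains in incoming mail (or over new certificate-transparency entries) gives a cheap signal that a message claiming to be from a partner deserves a closer look.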

What Role Does an MSSP/MSP Play in Supporting Nonprofits' Cybersecurity Strategy?

Nonprofits have historically needed help with cybersecurity funding. Faced with countless cyberattacks, nonprofits either receive donations to help fund their security strategy or close their doors. Even when nonprofits receive donations from Microsoft, Cisco, Oracle, IBM, and other technology giants, they still need experienced engineers to maintain these solutions.

Hypershift, an MSSP/MSP, understands the challenges nonprofits face. The company continues creating cost-effective managed services with robust cybersecurity measures to assist nonprofits. These offerings include:

  • 24x7x365 incident response, threat modeling, and remediation.
  • Assistance with implementing MFA, data encryption, and secure backup solutions to secure donation, grant, and e-commerce programs.
  • Security awareness training for nonprofit employees so they know what to do before, during, and after a cybersecurity event.
  • Help enabling advanced email security with encryption, anti-phishing and anti-malware, and data loss prevention capabilities.

Despite a limited budget, nonprofits need cybersecurity protective layers against threat actors attacking their sensitive donor information.

Schedule a discussion today with the experts at Hypershift to better understand the value of their MSSP offerings and their various cost-sensitive plans.