Donor data drives your nonprofit’s fundraising efforts. When you (as we recommend) focus on donor retention, your donor data helps you build relationships with your current supporters. If you’re comfortable with your retention strategies and have moved on to expanding your network with acquisition strategies, you can also use donor data to reach new individuals and build those relationships.
No matter how you look at it, data is key to unlocking healthy relationships with your supporters. However, storing this data comes with inherent risks. If your supporters’ personal information, such as email addresses and financial data, were to leak, you could lose the valuable connections you’ve worked so hard to develop. Once that trust is broken, it is very difficult to rebuild.
Due to the inherent risk that comes with collecting and storing donor data, your nonprofit needs to take action to ensure the security of the information you store in your database.
As experts in donor retention, we at Bloomerang have compiled this guide to help nonprofits like yours maintain nonprofit cybersecurity best practices. All of this starts with assessing your nonprofit’s cybersecurity risk.
Assess Your Nonprofit’s Cybersecurity Risk
The first step to ensuring cybersecurity for your nonprofit is to analyze the risk your nonprofit already carries as a result of its own policies and procedures. Many nonprofits today have unknowingly left themselves exposed, so it’s crucial to assess your own cybersecurity posture.
Consider the following vulnerabilities that many nonprofits have unknowingly undertaken:
- 38% of nonprofits don’t have a policy on how the organization handles cybersecurity risk, equipment usage, and data privacy [source]
- 68% of nonprofits don’t have documented policies to implement in case of cyber attack [source]
- 56% of nonprofits don’t require multi-factor authentication to access key data [source]
Unfortunately, it’s easy to become vulnerable when it comes to online information and storing donor data, and many organizations have already paid the price. For example, consider these attacks listed by NonProfit Pro:
- Save the Children. In 2017, a hacker posed as a staff member and scammed the organization with fake emails. $997,400 was lost to a fraudulent business.
- Utah Food Bank. In 2015, the organization’s website was hacked. During this hack, 10,000 visitors who donated online had their personal information stolen.
- Red Barn. Also in 2015, this organization’s website was hacked in the midst of a fundraising event. The damage to the site was irreparable, so they had to remove it, purchase a new domain, and rebuild their digital presence.
The damage caused by these types of attacks is generally highly publicized and very difficult for nonprofits to recover from. That’s why it’s so important to implement nonprofit cybersecurity measures now to help you prevent an attack and keep your donor data safe.
7 Cybersecurity Tips for Nonprofits
- Invest in Secure Software
- Review Password Protocols
- Update Software ASAP
- Get Your SSL Certificate
- Manage User Accounts
- Incorporate Additional Security Measures
- Educate Your Staff
Ready to learn more about keeping your donor data safe from hackers? Let’s dive in.
1. Invest in Secure Software
Keeping your donor data safe requires that the tools your organization invests in have strong security measures built in. This means that when you use your donor database, fundraising software, matching gift software, or other solutions, your donor information is protected every step of the way.
Donor data travels between systems frequently. You use your fundraising software to collect information about your supporters, including their names, contact information, and payment information. Then, this information is stored in your donor database. When you employ your marketing solution, this information passes from your donor database to your marketing software so that you can use it to reach the donor more effectively.
With so many systems touching your donor data, the first measure you should take to strengthen your nonprofit cybersecurity is double-checking that every one of your solutions has security controls in place to keep that data secure.
There are several things you can look for to make sure that your software follows effective nonprofit cybersecurity practices, such as:
- Software changelog. A changelog is a publicly accessible record of every update, bug fix, and other change made to a software solution. Regular updates are important because they close security holes in the software itself. When you invest in software, make sure you can find a complete changelog and check when the last update was released.
- PCI compliance. When you collect, store, or otherwise handle payment information, you need to make sure that the system you use is PCI-compliant or PCI-certified. This means that the software has fulfilled a series of required security controls (the Payment Card Industry Data Security Standard) that keep cardholder data safe.
- Encryption or tokenization. Ask about additional measures that encrypt or tokenize stored data. Encryption transforms data into a form that can only be read by someone holding the key; tokenization replaces the sensitive value with a substitute token that is meaningless outside the system that holds the mapping back to the original.
Look for these types of cybersecurity measures when you invest in software for your nonprofit. Or, if you’re reevaluating your digital strategy, prioritize cybersecurity. Once you’ve chosen the best software, you need to continue ensuring cybersecurity by enforcing specific password protocols.
2. Review Password Protocols
One notoriously weak aspect of cybersecurity for nonprofits is password security. In fact, 90% of passwords are considered weak and vulnerable to hacking. Luckily, this aspect of cybersecurity is easily remedied by implementing some password safety protocols at your nonprofit.
According to the password security experts at Swoop, here are some of the “do’s” and “don’ts” of password creation:
When you craft a password, you should be sure to:
- Use at least 8 characters that are randomized and do not use dictionary words.
- Create a password with a mix of uppercase and lowercase letters, numbers, and symbols. This shouldn’t use any of your personal information.
- Use a different password for every one of your accounts and change each one frequently without recycling them.
- Make your password random without following patterns or common formulas.
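As an added example (not from the post or from Swoop), here is a small Python check that applies the rules above to a proposed password before it is accepted; the word list, keyboard rows and personal-information fields are constructed placeholders for illustration:

```python
import re
import string

# Constructed placeholder word list; a real check would load a full dictionary file.
DICTIONARY_WORDS = {"password", "donor", "charity", "welcome", "summer", "giving"}
# Keyboard rows used to spot "qwerty"-style patterns.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
CHARACTER_CLASSES = (
    ("uppercase letter", string.ascii_uppercase),
    ("lowercase letter", string.ascii_lowercase),
    ("digit", string.digits),
    ("symbol", string.punctuation),
)


def _sequential_run(pw, run=4):
    """True if `run` adjacent characters step by exactly +1 or -1 ('abcd', '4321')."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        steps = {b - a for a, b in zip(codes[i:i + run], codes[i + 1:i + run])}
        if steps in ({1}, {-1}):
            return True
    return False


def _keyboard_run(pw, run=4):
    """True if the password contains `run` adjacent keys from one keyboard row, either direction."""
    low = pw.lower()
    return any(row[i:i + run] in low or row[i:i + run][::-1] in low
               for row in KEYBOARD_ROWS for i in range(len(row) - run + 1))


def check_password(pw, personal_info=(), dictionary=DICTIONARY_WORDS):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    missing = [name for name, chars in CHARACTER_CLASSES if not any(c in chars for c in pw)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    low = pw.lower()
    if any(word in low for word in dictionary if len(word) >= 4):
        problems.append("contains a dictionary word")
    if any(info and info.lower() in low for info in personal_info):
        problems.append("contains personal information")
    repeated = re.search(r"(.)\1{2,}", pw) is not None  # same character 3+ times in a row
    if repeated or _sequential_run(pw) or _keyboard_run(pw):
        problems.append("follows a predictable pattern")
    return problems
```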
Make sure everyone on your team knows about these password cybersecurity protocols. Incorporate them into your official handbook and other documentation.
If you’re worried that you won’t be able to remember all of these passwords, do not write them down or save them to a document on your computer. Instead, use a secure password management system (and don’t forget to double-check the software using the strategies from the last section to be sure it’s secure).
3. Update Software ASAP
When your smartphone comes out with the newest update, are you guilty of leaving the notification hanging for multiple days on end? Many of us are. We’ll wait for days or even weeks to update our personal technology. In fact, about 42% of people in the United States don’t update their software when they know they should. Many are afraid that the update will be bundled with other crapware they don’t need or that the updates will do very little for them.
However, when it comes to your nonprofit cybersecurity, you should update your software solutions as soon as an update becomes available. These updates fix bugs and close security holes that attackers would otherwise be able to exploit.
This is another great opportunity to explore a changelog for the software solutions you choose. You’ll be able to see exactly what has occurred in past updates and you can get a feel for how helpful they will be to make the technology run more smoothly.
One of the many fears surrounding updating software is that updates can create challenges with your other solutions or come with features that cause you to lose valuable information. While you’ll rarely lose information when updating your solution, it’s still good practice to create a new backup before you run the update.
This is not the only time you should create backups. You should do this on a regular basis. However, it can give you peace of mind as you run the update that you won’t lose anything.
4. Get Your SSL Certificate
As the gateway to engaging with your nonprofit, your website is a naturally vulnerable location for nonprofit cybersecurity. One of the simplest measures you can take to protect donor data as valued supporters input their information into your website is to get your SSL certificate.
SSL stands for Secure Sockets Layer. (Modern browsers and servers actually use its successor, TLS, but the certificates are still commonly called SSL certificates.) It adds security and privacy to the online interactions between your supporters and your nonprofit’s website. When you have an SSL certificate, your site’s URL will begin with HTTPS and a small padlock will appear next to the URL in the browser’s address bar.
But what does this little symbol actually do? According to EC-Council, the SSL certificate has been available for about two decades and its purpose is twofold:
- It encrypts all information passed between your nonprofit’s website and your site visitors.
- It verifies to your visitors and to search engines that the site really belongs to your organization.
Would you input your information into a website that your browser warns you is not secure? Probably not. Your donors are the same way. When you invest in an SSL certificate, you’re not only strengthening your nonprofit cybersecurity measures but also creating more trust between your organization and your supporters.
Plus, search engines view SSL certified websites as valuable resources and rank them higher. That’s why it’s now a crucial part of SEO (search engine optimization) guidelines. If you don’t have your SSL certificate, it’s unlikely that you’ll be able to rank well for your nonprofit’s most valuable keywords.
Generally, these certificates are not expensive, can be purchased quickly, and are applied easily. Keep in mind that certificates expire and must be renewed, so track the expiration date or automate renewal. If you ever switch websites, create a new site, or update your current site, make sure that you keep (or purchase) your SSL certificate.
5. Manage User Accounts
Within your software and technology itself, your organization has a variety of accounts that you use for each of your staff members. This enables your entire development team to have access to the valuable information in your CRM, your finance team to access budget data, and your executives to assign tasks that must be completed to individual team members.
Having an account for each of your nonprofit’s team members provides them with the information they need to conduct their job well. Plus, it makes it easy to make sure that everyone is getting their information from the same place and to track what is being accomplished for your mission. This is why it’s so important to invest in a solution with unlimited users so that everyone can access what they need when they need it!
However, keep in mind that the more individuals who have access to your information, the less safe that information becomes. Managing the permissions on user accounts ensures that people have access to only what they need without compromising donor data security.
Managing user accounts at your nonprofit isn’t about not trusting the individuals on your team, but about limiting access to sensitive information. Consider the following situations:
- Your team member is in a rush to complete a task in your CRM for the major gifts specialist. They’re typing quickly and accidentally hit a key that would update the name of the major prospect to “Susan Andersfw.” However, the system pushes back because that member doesn’t have permission to update accounts.
- (Worst-case scenario) One team member’s password is stolen and the intruder gains access to your CRM. However, that member didn’t have access to the payment information of your various supporters, which limits the data the intruder can reach.
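Both situations, played through in an added Python example that is not the post’s or any CRM vendor’s code; the roles, permission names and the sample contact record are constructed for illustration:

```python
from dataclasses import dataclass, field
# Constructed role-to-permission map; names are illustrative, not a real CRM's schema.
ROLE_PERMISSIONS = {
    "development_assistant": {"contacts:read", "tasks:update"},
    "major_gifts_specialist": {"contacts:read", "contacts:update"},
    "finance": {"contacts:read", "payment_methods:read"},
}

class PermissionDenied(Exception):
    pass

@dataclass
class CRM:
    contacts: dict = field(default_factory=dict)
    payment_methods: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # (user, permission, decision)

    def _authorize(self, user, permission):
        # Deny by default: grant only if one of the user's roles lists the permission.
        granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user["roles"]))
        decision = "allow" if permission in granted else "deny"
        self.audit_log.append((user["name"], permission, decision))
        if decision == "deny":
            raise PermissionDenied(f"{user['name']} lacks {permission}")

    def update_contact_name(self, user, contact_id, new_name):
        self._authorize(user, "contacts:update")
        self.contacts[contact_id]["name"] = new_name

    def get_payment_method(self, user, contact_id):
        self._authorize(user, "payment_methods:read")
        return self.payment_methods[contact_id]

def least_privilege_demo():
    """Play both scenarios against constructed sample data; returns (name, payment, denials)."""
    crm = CRM(contacts={"c1": {"name": "Susan Anders"}},
              payment_methods={"c1": "card ending 4242"})
    assistant = {"name": "assistant", "roles": ["development_assistant"]}
    # Scenario 1: a rushed keystroke would rename the prospect, but the role cannot update contacts.
    try:
        crm.update_contact_name(assistant, "c1", "Susan Andersfw")
    except PermissionDenied:
        pass
    # Scenario 2: the same account's password is stolen; payment data is still out of reach.
    try:
        payment = crm.get_payment_method(assistant, "c1")
    except PermissionDenied:
        payment = None
    return crm.contacts["c1"]["name"], payment, [e for e in crm.audit_log if e[2] == "deny"]
```

The audit log records every denied attempt, which is also what you would review to spot an account being used outside its normal duties.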
Human error is only natural and understandable. When you have the ability to limit that human error, you should take it, especially when it comes to nonprofit cybersecurity.
If you hire a new staff member, make sure to get them set up with their own user account and limit their permissions to what they need to do their job well. You should also set up a policy around how your organization handles it when a team member asks to have their permissions changed.
6. Incorporate Additional Security Measures
As you conduct additional research into nonprofit cybersecurity measures, you’ll come across some technical terms that are used to ensure the security of information online. Learning what these terms mean will help you to avoid getting bogged down in jargon and allow you to really understand what’s going on in the cybersecurity world.
Some of the additional security measures that you should fully understand and be familiar with include:
- Encryption: Encryption is the process by which plaintext (ordinary readable text, like the text you’re reading now) is scrambled using an algorithm known as a cipher. One input to this cipher is the key, which is needed to unlock the information. This means that when a hacker encounters encrypted data, they have to work out which cipher was used and, more importantly, recover the key before they can read it (practically impossible with a modern cipher and a well-protected key).
- Tokenization: Tokenization is the process of replacing a piece of sensitive information with a substitute string (the token), typically a string of numbers that carries no meaning on its own. The token can then be sent through online systems to make purchases, donations, and other transactions, while the real data stays in a secured vault that alone can map the token back. It’s most commonly used to protect payment information.
- VPN: VPN stands for “virtual private network.” It adds safety and security to your own online activities by creating an encrypted data tunnel in which your IP address is hidden. Not only that, but it encrypts your data and connections in transit, making your traffic much harder to intercept, especially on public Wi-Fi or other untrusted networks.
- Firewalls: Firewalls can be software, hardware, or both. A firewall is a network security measure that monitors incoming and outgoing traffic and blocks data packets that violate preset security rules. This creates a barrier between your data and hackers or malware.
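Tokenization as described above, in an added Python example that is not from the post; the in-memory vault stands in for a payment processor’s secured token store, and the card number is a constructed test value:

```python
import secrets


class TokenVault:
    """Maps sensitive values to random substitute tokens; only the vault can reverse the mapping."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, pan):
        """Return a digit-only token of the same length, keeping the last four digits for receipts."""
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("expected a 12 to 19 digit card number")
        if pan in self._value_to_token:  # the same card always maps to the same token
            return self._value_to_token[pan]
        while True:
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            if token != pan and token not in self._token_to_value:
                break
        self._token_to_value[token] = pan
        self._value_to_token[pan] = token
        return token

    def detokenize(self, token):
        """Recover the original value; raises KeyError for a token this vault never issued."""
        return self._token_to_value[token]


def tokenized_donation(vault, donor, pan, amount):
    """The record the donor database keeps: a token in place of the card number."""
    return {"donor": donor, "amount": amount, "payment_token": vault.tokenize(pan)}


def demo(pan="4111111111111111"):  # constructed test number, not a real card
    vault = TokenVault()
    record = tokenized_donation(vault, "Susan Anders", pan, 250.00)
    token = record["payment_token"]
    # A leaked record exposes only the token; the vault alone can map it back.
    return token, vault.detokenize(token), vault.tokenize(pan) == token, pan in str(record)
```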
All of these are additional security measures that can (and should) be taken to ensure donor data security at your organization. But the first step to any good organizational policy is understanding it.
7. Educate Your Staff
It is incredibly difficult to implement cybersecurity protocols if you or your staff don’t understand how security measures work or why they’re so important. Implementing nonprofit cybersecurity training at your organization will inform your team about what part they can play in the security of your donor information.
A whopping 60% of nonprofit organizations don’t have training programs to inform their team members about how to be safe online and handle sensitive information. Don’t be a part of this vulnerable majority!
We recommend incorporating cybersecurity training into the regular activities at your nonprofit. For example, you might decide to:
- Add cybersecurity knowledge to the onboarding process for new team members.
- Add cybersecurity measures to the official organization documentation and policy handbooks.
- Ask your IT team member (or find an outside expert) to discuss nonprofit cybersecurity measures with your team.
- Attend online training or conferences about nonprofit cybersecurity and pass on what you learn to your team.
Education about nonprofit cybersecurity is the best way to make sure you maintain safe and secure donor data at your nonprofit. Everyone needs to play their part to uphold the integrity and security of the information entrusted to your organization.
Your nonprofit has been entrusted with important information. It’s your duty and your responsibility to protect that donor information by implementing safeguards at your organization. Plus, nonprofit cybersecurity only becomes more challenging as technology advances.
Keep up with the latest research and cybersecurity trends to make sure your organization will protect the data entrusted to you.
To continue your research on cybersecurity and technology, we recommend starting with the following resources: