11 Cybersecurity Tips For Nonprofits

Access to your nonprofit organization’s data is one of the best tools you can provide your employees with to further your mission, provided that you’re not also handing that data to unauthorized users. To further this effort, an IT environment that’s monitored and managed by IT professionals promotes the security you need. A knowledgeable IT provider will reduce your cybersecurity vulnerabilities, keep your technology up and running, and help ensure that your members’ and donors’ confidential information remains private.

But there are also things that you can do to help. We’ve provided eleven tips for you to follow that will promote cybersecurity for your nonprofit organization.

  1. Appoint A Cybersecurity Chief. Tap a trusted member of your staff to liaise with your IT service company and ensure that your employees and volunteers strictly adhere to your cybersecurity plan. Along with your IT professionals, this person will be your point of contact for the IT security compliance regulations and standards your nonprofit must meet, so you can stay in good standing with governments and donors.
  2. Develop An IT Security Plan & Policy. Consult with your IT provider and put a plan in place to ensure that your data is protected both at rest and in transit. Attackers look to capitalize on your members’ confidential data, and you can’t afford a data breach. If this information is exposed, you may end up in expensive litigation, not to mention with a ruined reputation; if that happens, no one will want to fund your projects.

There is a range of flexible and affordable options for this that your IT professionals can implement for you. You needn’t worry as long as they deploy enterprise-grade cybersecurity solutions as a layered defense that can automatically block and remove the latest threats. The idea of layering security is simple: you shouldn’t rely on one security mechanism such as antivirus to protect your confidential information. If that one mechanism fails, nothing is left to protect you.

You should also develop a Security Policy. This Policy should begin with a simple statement describing the information you collect about your members and donors and what you do with it. It should identify and address the use of any Personally Identifiable Information (PII) and how to keep it private.

  3. Plan For Data Loss Or Theft. It’s essential that you determine exactly which data-breach regulations apply to your nonprofit. You need to know how to respond to data loss. All employees and contractors should be educated on how to report any loss or theft of data, and to whom. A breach can expose you to penalties under state and federal breach-notification laws and to litigation. You must be able to launch a rapid and coordinated response to a data breach to protect the reputation of your nonprofit organization.

Your plan should include input from all departments that could be affected by a cybersecurity incident. This is a critical component of emergency preparedness and resilience. It should also include instructions for reacting to destructive malware. Additionally, departments should be prepared to isolate their networks to protect them if necessary.

  4. Implement A Disaster Recovery & Business Continuity Plan. You must have a backup copy of your data in case it’s stolen, encrypted by ransomware, or accidentally deleted. Develop a policy that specifies what data is backed up, how often, where it’s stored, who has access to the backups, and how often restores are tested. Back up to both an external drive in your office and a remote, secure, online data center, and keep at least one copy offline or otherwise unreachable from your production network so that ransomware cannot encrypt the backups along with the originals. Set backups to occur automatically, and make sure your backups are encrypted.

Knowing that you can restore your saved data from a recent point in time, and access it from a remote location if you must leave your premises, is crucial in the event of any incident that threatens your physical office. The key is to back up frequently and ensure redundancy: more than one backup in different locations is required, and a storm is not the only reason you will need it. Because ransomware can lock up or crash your IT systems, you’ll need a restorable, tested backup to keep working if this occurs.
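A backup you have never verified may be corrupt, or may already contain ransomware-encrypted copies of your files. The script below is an added example, not code from the original article or from mProactive: using only Python’s standard library, it records a manifest of file hashes and byte entropy at backup time, then compares the current files against it, so that a restore point can be checked and mass encryption noticed before the next backup overwrites good copies. The folder layout, file names, and the 7.0 bits-per-byte entropy threshold are assumptions for illustration.

```python
import hashlib
import json
import math
import tempfile
from collections import Counter
from pathlib import Path

# Plain documents rarely exceed ~6 bits/byte; ciphertext and random data sit near 8.0.
# The 7.0 threshold is an assumption for this example, not a value from the article.
HIGH_ENTROPY = 7.0


def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 and entropy of every file under root at backup time."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        manifest[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "entropy": round(entropy(data), 3),
        }
    return manifest


def verify_backup(manifest: dict, root: Path) -> dict:
    """Compare the files now under root with the manifest taken earlier."""
    report = {"ok": [], "missing": [], "changed": [], "suspect_encrypted": [], "new": []}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() == expected["sha256"]:
            report["ok"].append(rel)
            continue
        report["changed"].append(rel)
        # A low-entropy document that turned into high-entropy bytes looks like ransomware output.
        if entropy(data) >= HIGH_ENTROPY > expected["entropy"]:
            report["suspect_encrypted"].append(rel)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel not in manifest:
            report["new"].append(rel)  # e.g. a ransom note dropped into the share
    return report


def demo() -> dict:
    """Constructed scenario in a temp dir: snapshot, then one legitimate edit, one file
    overwritten with ciphertext-like bytes, and a dropped ransom note."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "shared"
        share.mkdir()
        (share / "notes.txt").write_text("Board meeting notes\n" * 50)
        (share / "report.txt").write_text("Quarterly donor report\n" * 200)
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(share), indent=2))

        (share / "notes.txt").write_text("Board meeting notes (revised)\n" * 50)
        (share / "report.txt").write_bytes(bytes(range(256)) * 16)  # stand-in for ciphertext
        (share / "HOW_TO_DECRYPT.txt").write_text("pay us")

        return verify_backup(json.loads(manifest_path.read_text()), share)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest would be written alongside each backup set and the verify step run against the restore target, with a non-empty `suspect_encrypted` list treated as an incident rather than as a routine change.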

  5. Arrange For Security Awareness Training. Your staff can have a significant effect on your cybersecurity – either they know enough to keep your assets secure, or they don’t, and thus present a serious threat to your security. So, which is it? Do your employees and volunteers have the knowledge they need to spot cybercrime scams, avoid common pitfalls, and keep your nonprofit’s data secure?

Security awareness training helps your employees and volunteers know how to recognize and avoid being victimized by phishing emails and scam websites. They learn how to handle security incidents when they occur. If your employees and volunteers are informed about what to watch for, how to block attempts and where they can turn for help, this alone is worth the investment.

The human factor is still the biggest risk factor in most equations. Your staff can be your greatest asset or your weakest link. It depends on whether you take data security seriously enough to train them several times a year. People need to be reminded often about cyber threats, and new threats keep appearing, so it’s essential to stay up to date. Ongoing training and testing (for example, simulated phishing emails) reduce the human error that increases cybersecurity risk.

  6. Make Password Privacy A Priority. Passwords remain a go-to tool for protecting your nonprofit’s data, applications, and workstations. They also remain a common cybersecurity weakness because of the careless ways employees try to remember their login information. Weak or reused passwords are easy to compromise, and if a password is all that stands between an attacker and your data in the cloud and in applications, your nonprofit could be at serious risk of a catastrophic breach.

There’s a better way than scribbling passwords on sticky notes. But what is that better way exactly? Two controls work together here. The first is strong, unique passwords, covered next. The second is encryption, which scrambles data so that it cannot be read without the decryption key. Encryption protects your files and email if a device is lost or a transfer is intercepted, although it does nothing to stop someone who logs in with a stolen password. It uses an algorithm to encode information; cloud storage encryption ensures that documents are stored so that only authorized users can decrypt them, and data intercepted by cyber thieves is unreadable to them. By practicing secure encryption key management, your IT service company can ensure that only authorized users have access to your sensitive data.

Another good choice is a password manager, designed to step up your security without making things harder for your employees and volunteers. A password manager generates, stores, and fills in long, complex, unique passwords for you, so a password stolen from one site cannot be reused against another. It can also remember your PINs, credit card numbers, and three-digit CVV codes if you choose, and store random answers to security questions. All of this is kept under strong encryption, unlocked by a single master password, which is the one password your staff still have to remember and protect.

Your team should also be using Multi-Factor Authentication (MFA). It defeats password guessing, brute-force and credential-stuffing attacks, and most phishing, because a stolen password alone is no longer enough to log in. Your MFA method must work wherever your employees and volunteers are, including off-site: authenticator apps generate time-based one-time passcodes (TOTP) on the phone itself, with no network connection needed, and push-based apps send an approval prompt that the user confirms to complete the login. One caveat: a one-time code typed into a convincing fake login page can be relayed to the real site within its short validity window, so MFA complements, rather than replaces, the awareness training above.

  7. Keep Software & Operating Systems Up To Date. Software vendors release patches as security flaws are found. Make sure you install them as soon as they’re released; until you do, your IT systems are exposed to attacks on known, published vulnerabilities. Where possible, set your systems to update automatically so that you never miss a critical update. This is one of the most effective things you can do: it closes security gaps before attackers can find and exploit them. Outdated software and operating systems that no longer receive security patches or support leave you permanently exposed.

Replace all outdated software before the vendor ends support. For example, Microsoft’s Windows 7, still a popular operating system, reached the end of extended support on January 14, 2020, which is a concern for many organizations.

After that date you no longer get bug fixes or security updates from Microsoft, so newly discovered Windows 7 flaws stay unpatched. Over time, that makes your computers increasingly vulnerable:

  • Your computers could be infected by malware that exploits the unpatched flaws;
  • Antivirus and other software vendors may stop supporting the old system;
  • Your bank and other online services may stop supporting it; and
  • Your financial data could be exposed to theft.


  8. Conduct Regular IT Inventory Assessments. Determine how your data is handled and protected. Also, define who has access to your data and under what circumstances. Create a list of the employees, volunteers, donors, or contractors who have access to specific data, under what circumstances, and how those access privileges will be managed and tracked. You must know precisely what data you have, where it’s kept, and who has rights to access it.
  9. Protect Data Collected On The Internet. If you collect information on your website, it must be protected: serve the site over HTTPS so that form submissions are encrypted in transit, and store what you collect encrypted, with access limited to those who need it. If a third party collects this data for you, they should fully protect it for you, and your contract with them should say so. You must ensure that any data you collect is secure.
  10. Enforce Access Policies on Mobile Devices. With BYOD (Bring Your Own Device), smartphones, tablets, and laptops present significant security challenges. They can be exposed to external threats, infections, and hackers, and when they’re connected to your network they can compromise your IT security. Establish security policies for the use of mobile devices on your network. They should require a passcode or biometric screen lock and device encryption, so that only authorized users can use them and a lost device does not expose its data. Instruct your employees to use only devices that belong to them and have been protected by your security policies. Ask your IT provider about Mobile Device Management (MDM), which enforces these settings and can remotely wipe a device that’s lost or stolen.
  11. Ask Your IT Service Provider To Do The Following:

Implement Layers of Security: You shouldn’t rely on just one security mechanism to protect sensitive data. If it fails, you have nothing left to protect you.

Segment Your Networks With Firewalls: Network segmentation groups IT assets and data and restricts access between the groups. Reduce the number of pathways into and within your networks and enforce security rules on those pathways. Do this so that an intruder who compromises one machine cannot reach every area of your network.

Use Measures To Detect Compromises: Use measures like Intrusion Detection Systems (IDSs), Intrusion Prevention Systems (IPSs), and anti-virus software to help you detect IT security events in their early stages. These tools raise alerts; 24/7 detection and response only exists if someone, your IT provider or a monitoring service, watches those alerts and acts on them.

Secure Remote Access With A VPN: A Virtual Private Network (VPN) encrypts data channels so your users can securely access your IT infrastructure via the Internet. It provides secure remote access to files, databases, printers, and other IT assets connected to your network. Because a VPN account is a door into that network, protect it with MFA like any other login.

Employ Role-Based Access Controls With Secure Logins: Limiting each employee’s authorization with role-based access controls does not stop an intrusion by itself, but it limits how much an intruder or a compromised account can reach, and it makes suspicious activity easier to spot. Define user permissions based on the access needed for each particular job. For example, your receptionist might not need access to your financial data.

Install All Of Your Security Patches and Updates: Software vendors release patches as security flaws are found. Ask your IT provider to install them as soon as they’re released; until then, your IT systems are exposed to attacks on known vulnerabilities. They can set your systems to update automatically so that critical updates are never missed.

Secure and Encrypt Your Wireless Connections: Be sure your company Wi-Fi is separate from guest Wi-Fi or public networks. Your internal wireless network should be restricted to specific users, each with unique credentials; WPA2-Enterprise with 802.1X gives every user their own login, so one person’s access can be revoked without changing a password shared by everyone. Credentials should have expiration dates, with new ones issued periodically. Your company’s internal wireless should be protected with WPA2 encryption at minimum, or WPA3 where your equipment supports it.

Back Up Your Data For You: As we mentioned, you must have a backup copy of your data in case it’s stolen, encrypted by ransomware, or accidentally deleted. Develop a policy that specifies what data is backed up, how often it’s backed up, where it’s stored, and who has access to the backups. Back up to both an external drive in your office and a remote, secure, online data center. Set backups to occur automatically, make sure your backups are encrypted, and have your provider test restores regularly.

You help others, so let us help you by protecting your nonprofit from IT security threats and instances. For more information, contact the Cybersecurity Experts at mProactive. We specialize in serving nonprofits. 

How do I protect myself from Ransomware?

Preventing Ransomware


There’s a real possibility that your computer can get infected with ransomware. Ransomware is one of the most common and damaging forms of malware today, and you’ve probably heard about it in the news. But do you know how to protect yourself from it? We’ll tell you here.

How Do I Protect Myself From Ransomware? 

You must take ransomware seriously, and educate yourself about all the ways your computers could get infected, and the steps you should take to prevent it from landing on your computers in the first place.  You can do this with security tools provided by your IT company and by practicing safe internet browsing and email use.

What Happens If I Get Ransomware?

Ransomware denies you access to your computer system or data until you pay a ransom. You can get ransomware from phishing emails or by visiting an infected website. Once it runs, the malicious software locks or encrypts your computer’s files and demands payment, almost always in a cryptocurrency such as bitcoin; demands range from a few hundred dollars for home users to far larger sums for organizations.

If your network and computers get infected with ransomware, recovery can be difficult. It typically requires incident-response specialists to remove the malware, find out how it got in, and restore systems from clean backups. Ransomware attacks can be devastating to both individuals and organizations.

How Can Ransomware Get Into My Computer?

If you visit an infected website, you could unknowingly download a ransomware virus to your computer.  Or a phishing email might trick you into clicking on a malicious link or attachment that downloads a ransomware virus into your computer.

Phishing emails are designed to appear as though they’ve been sent from a person you know. They will try to entice you into clicking on a link or opening an attachment containing malicious code. After the code is run, your computer is infected with malware.

Are There Different Kinds Of Ransomware? 

There’s more than one kind of ransomware. Families like CryptoLocker, CryptoWall, Locky, WannaCry, Petya, NotPetya, Bad Rabbit, and more are designed to deny access to your data or network until you pay a ransom. (EternalBlue, often listed alongside them, is not ransomware but the SMB exploit that WannaCry and NotPetya used to spread.)

WannaCry and NotPetya spread via a vulnerability in SMBv1, an old version of Microsoft’s widely used Server Message Block network file-sharing protocol, which helps your computers connect to other computers and devices like printers. Microsoft had patched that flaw (MS17-010) about two months before WannaCry struck; the machines that were hit were the ones that had not been updated, which is why patching matters.

Ransomware falls into three categories: Encrypting Ransomware, Scareware, and Screen Lockers.

  1. Encrypting Ransomware

This malware locks down your files by encrypting them. Unless the criminals made a mistake in their encryption (free decryptors exist for some older, flawed families), no software can unlock the files without the key. The criminals will demand a ransom to decrypt your files, and even if you pay, you still might not get them back. A tested backup kept out of the ransomware’s reach is the only reliable way out.

  2. Scareware

Scareware uses rogue security software and tech support scams to frighten you into paying. You’ll get a pop-up message on your computer claiming that it’s infected with malware and offering a paid “fix”. Your files are actually fine, so don’t pay, but the pop-ups will keep appearing until the rogue program is removed.

  3. Screen Lockers

If you get this type of ransomware, you’ll be locked out of your computer. You’ll see a message posing as the FBI or Department of Justice saying that you must pay a fine because illegal activity was detected on your computer. Don’t pay this “fine.” The FBI or DOJ would never freeze your computer or demand payment. So, don’t take the bait.

Can Ransomware Infect My Mobile Devices? 

It wasn’t until 2014 and the height of the infamous CryptoLocker that ransomware started showing up on mobile devices. Mobile ransomware typically displays a message saying your device has been locked because of illegal activity, and you must pay a fee to unlock your device.

You can get mobile ransomware by installing malicious applications. To remove it, start your mobile device in safe mode, which stops third-party apps from running, then find the malicious app and delete it.

How Can I Protect Myself From Ransomware?   

The best way to protect your computers from ransomware is to prevent it from landing on them in the first place. Here are some ways that you can protect yourself from getting ransomware:

  • Update your software and operating systems with the latest patches. Outdated applications and systems are the targets of most attacks.
  • Install and maintain anti-virus software, firewalls, and email filters to cut down the malicious traffic that reaches you. Configure your firewall to block access to known malicious IP addresses and domains.
  • Be suspicious of unsolicited email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Don’t provide personal information or information about your organization unless you are confident of a person’s authority to have the information.
  • Never click on links or open attachments in unsolicited emails. Exercise caution when opening email attachments. Be particularly wary of compressed or ZIP file attachments.
  • Follow safe practices when browsing the Internet. Be careful when clicking directly on links in emails, even if the sender appears to be known; attempt to verify web addresses independently (e.g., contact your organization’s helpdesk or search the Internet for the main website of the organization or topic mentioned in the email).
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net), or bury the real name inside a longer hostname. Don’t treat https or the padlock icon as proof of legitimacy: it only means the connection is encrypted, and phishing sites use it too.
  • Perform frequent backups of system and important files and verify those backups regularly. If ransomware affects your computer, you can restore your system to its previous state with any files unaffected by ransomware. And store backups on a separate device that can’t be accessed from a network or offline in a secure cloud solution.
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Don’t use the contact information provided on a website or email connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from anti-phishing groups.
  • If other people or employees use your network, restrict their permissions to install and run software applications. Apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
  • Use application whitelisting (allowlisting) so that only approved programs can run on your computers.
  • Enable strong spam filters to prevent phishing emails from reaching you, and authenticate inbound email with SPF, DKIM, and DMARC to prevent email spoofing. Publish those records for your own domain too, so other organizations can reject mail forged in your name.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching your computer.
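Several items in the list above are mechanical checks: compare a link’s real domain instead of trusting https, check that inbound mail authenticated, and filter executable attachments, including ones zipped up. The Python script below is an added example and not part of the original article or any mProactive tooling: it runs those checks over a constructed phishing message using only the standard library. The trusted domain example.org, the Authentication-Results header contents, and the two-label rule for the registrable domain are assumptions for illustration; production code should use the public suffix list.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Extensions Windows will execute directly; the "MZ" check below catches renamed binaries.
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta", ".dll")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_auth_results(header: str) -> dict:
    """Extract the spf=/dkim=/dmarc= verdicts from an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header or "")}


def registered_domain(host: str) -> str:
    # Assumption: the registrable domain is the last two labels. Real code should use the
    # public suffix list (co.uk, com.au, ...).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_url(url: str, trusted: str) -> str:
    """'trusted' if the link really belongs to the trusted domain, 'impersonation' if it only
    contains the trusted name (e.g. example.org.evil.test), otherwise 'unknown'.
    The scheme is deliberately ignored: https proves nothing about who runs the site."""
    host = urlparse(url).hostname or ""
    if registered_domain(host) == trusted.lower():
        return "trusted"
    if trusted.split(".")[0].lower() in host.lower():
        return "impersonation"
    return "unknown"


def looks_executable(name: str, data: bytes) -> bool:
    return name.lower().endswith(EXEC_SUFFIXES) or data[:2] == b"MZ"


def executable_attachments(msg: EmailMessage) -> list:
    """Names of executable attachments, including ones hidden inside ZIP archives."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        if looks_executable(name, data):
            found.append(name)
        if data[:4] == b"PK\x03\x04":  # zip container: inspect each member
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                found += [f"{name}:{m}" for m in zf.namelist()
                          if looks_executable(m, zf.read(m))]
    return found


def triage(raw: bytes, trusted_domain: str) -> dict:
    """Decide whether a raw RFC 5322 message should be delivered or quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = {u: classify_url(u, trusted_domain) for u in URL_RE.findall(text)}
    execs = executable_attachments(msg)
    reasons = []
    if auth.get("dmarc") != "pass":
        reasons.append(f"sender not authenticated (dmarc={auth.get('dmarc', 'none')})")
    if "impersonation" in urls.values():
        reasons.append("link impersonates the trusted domain")
    if execs:
        reasons.append("executable attachment: " + ", ".join(execs))
    return {"verdict": "quarantine" if reasons else "deliver",
            "auth": auth, "urls": urls, "reasons": reasons}


def build_sample() -> bytes:
    """Constructed phishing message: failed DMARC, lookalike link, .exe inside a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("form.pdf.exe", b"MZ" + b"\x00" * 62)  # fake PE header, not a real binary
    msg = EmailMessage()
    msg["Authentication-Results"] = ("mx.example.org; spf=fail smtp.mailfrom=payroll-update.example;"
                                     " dkim=none; dmarc=fail header.from=example.org")
    msg["From"] = "HR Payroll <hr@example.org>"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Update your direct deposit"
    msg.set_content("Please confirm at https://example.org.payroll-update.example/login today.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="form.zip")
    return msg.as_bytes()


# Constructed legitimate message for comparison.
CLEAN_SAMPLE = (b"Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass\r\n"
                b"From: Finance <finance@example.org>\r\nTo: staff@example.org\r\n"
                b"Subject: Agenda\r\n\r\nThe agenda is at https://www.example.org/board/agenda\r\n")


if __name__ == "__main__":
    for sample in (build_sample(), CLEAN_SAMPLE):
        print(triage(sample, "example.org"))
```

The Authentication-Results header is only trustworthy when it was added by your own receiving mail server (a real filter strips any copy that arrives from outside before stamping its own), and the lookalike check is deliberately strict: a legitimate partner whose hostname happens to contain your name is flagged for a human to review rather than silently delivered.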

How Can A Firewall Block Ransomware? 

Today’s modern firewalls are built to defend against ransomware. The right firewall and Intrusion Prevention System (IPS) help prevent malware from getting into your computers.

Your IT company should implement a next-generation firewall with an Intrusion Prevention Systems (IPS). These can keep ransomware threats from getting into your network, and stop them from self-propagating and infecting other computers and systems.

An IPS inspects the traffic entering your network, drops what matches known attack signatures, and lets clean traffic through. It does this with deep packet inspection, looking inside the traffic for exploits and stopping them before they reach any of your computers. The IPS monitors for and identifies suspicious activity, logs it, blocks it, and reports it to your IT services company.

A good next-generation firewall also offers sandboxing: suspicious files are opened in an isolated environment to see what they do before they are allowed through. This matters because ransomware arrives in two ways. WannaCry and NotPetya spread like worms, exploiting unpatched machines over the network, which is what the IPS stops; most other ransomware arrives hidden in files such as Microsoft Office documents, PDFs, or fake application updates that attackers make look legitimate, which is what sandboxing catches.

Ask your IT Services Company to:

  • Use a modern, high-performing next-generation firewall, IPS, and sandboxing solutions.
  • Perform network assessments to detect all security gaps in your network.
  • Set up a Virtual Private Network (VPN) for remote access, and scan your network regularly to find any IT assets that are vulnerable.
  • Establish IPS policies to prevent malware from spreading to other LANs.
  • Ensure that any infected network is automatically isolated until they can eradicate the infection.
  • Segment LANs, using VLANs (Virtual Local Area Networks) and connect them all to your next-generation firewall.

A VLAN is a separate logical network; computers in different VLANs cannot talk to each other except through your firewall, where you control what is allowed. That way, ransomware or another virus circulating in one part of your network cannot simply reach every machine. Extending VLANs or zones into your firewall takes security to the next level.

What are the newest phishing attacks?

Phishing is a term adapted from the word “fishing.” When we go fishing, we put a line in the water with bait on it, and we sit back and wait for the fish to come along and take the bait. Maybe the fish was hungry. Perhaps it just wasn’t paying attention. At any rate, eventually a fish will bite, and you’ll have something delicious for dinner.

How Does Phishing Work?

This is essentially how cyber phishing works: Cybercriminals create an interesting email, maybe saying that you’ve won a $100 gift certificate from Amazon. Sound too good to be true? Find out! All you have to do is click the link and take a short survey. Easy enough, right?

Once you click the link, guess what happens? Malicious software is downloaded onto your system. Sometimes it’s a credential stealer or other spyware, and sometimes it’s ransomware. Malware includes Trojans, worms, spyware, adware, rootkits, and ransomware. These malicious programs each have different goals, but all are aimed at harming you or your computers.

Ransomware encrypts your files until you pay a ransom, but even then there’s no guarantee you’ll get your data restored. Other malware is about stealing credentials, passwords, and other valuable information from your company, and sometimes it’s simply about destroying your data.

As cyber thieves continue to steal from people all over the world, they create new ways to do this. After all, many people have become familiar with some phishing scams so they may not work as well. The solution is to come up with new scams that are enticing—things that users may not have heard about before. The more convincing hackers can make their scams, the more successful they will be.

How Has Phishing Changed?

The entire landscape of cybercrime is changing. It used to be mostly young guys sitting in their parents’ basements, trying to find clever ways to pass the time. Unfortunately, this crime has become so profitable that organized groups, and in some cases governments, are now involved. Many ransomware operations are believed to be run out of Russia and neighboring countries, and state-backed teams of IT experts work around the clock to create new and more effective hacking scams.

When hackers are backed by a government like China, they have practically unlimited resources. This makes them even harder to stop. If they were merely individuals committing crimes for personal gain, the authorities could track them down and put them in jail. But many of today’s cybercriminals are well-organized groups, some operating with the backing or protection of a foreign government, so stopping them is almost impossible.

What Are Some Of The New Types Of Phishing Scams?

Below, we discuss some of the most notorious cybercrimes and some new ones that are making the rounds:

Sextortion: Have you ever sent nude photos to someone? Are there any lewd or compromising photos of you floating around? Sextortion is all about locating embarrassing photos of you. If you own a business, then this can be a crime that pays well for thieves. They send the business owner a little sample of the erotic photos, then demand money or else they’ll publish them on the Internet. The problem with this crime is that there’s no guarantee you’ll get all copies of the photos back. You may pay the criminals and still not be sure.

Gift Cards: This scam is highly successful because typically the thieves don’t ask for very much money. Many victims will go ahead and pay even if they suspect that it’s a trick, just because there are only a few hundred dollars at stake. You may get a phone call from someone saying they’re from a creditor or the IRS. They will speak in hostile threatening tones. They’ll claim that if you don’t pay up immediately, terrible things will happen—maybe your car will be repossessed. Next, they instruct you to go to a local store like Walmart and buy gift cards in the amount you owe. Once you buy them, you call the thief back and give them the numbers found on the back of the cards. Once they have these, they can use them online to make purchases.

Phishing/Ransomware: Phishing crimes have become so successful that now there are variants like spear-phishing, vishing, and smishing. These are all forms of the same ruse. A hacker will send you a very convincing email. It may say something like, “Congratulations! You’ve just won $100 from Amazon. Click on the link below to claim your prize.”

You click on the link and guess what? Malware or ransomware is downloaded onto your computer. If you’re a business owner, it can spread quickly to other computers on your network. In many cases, all your computers are locked, and you’ll get an ugly message saying that if you want your files restored, you must pay a ransom. Sometimes business owners follow the instructions on the screen and get their files back… but sometimes not. There’s no guarantee. Ransoms are almost always demanded in cryptocurrency because this form of payment is hard to trace.

Wire Fraud Scam: Hackers are targeting the human resources functions of businesses of all types with phishing. They’re convincing employees to swap out direct-deposit banking information for offshore accounts. A nonprofit in Kansas City (KVC Health Systems) said that there were numerous attempts each month involving scammers who were trying to convince their payroll personnel to change information about where to send employee pay. The IRS recently released a warning about an uptick in a wide range of fraud attempts involving payroll information.

What Can We Do To Stop Phishing?

You may have spent years trying to build up your company. You have a huge amount of time and money invested, and yet one cyber attack could bring your company to its knees.

The first thing you need is knowledge. Knowledge is still power in our world. You need to know how cyber attacks occur. What are the latest phishing scams? How does ransomware work?

You also need to train your employees so they’ll know as well. Just one careless employee can open the door to thieves and cost you thousands of dollars. It’s much cheaper to invest in training your employees. Make sure your employees get regular training to remind them how to recognize a phishing email or malicious website.

Unfortunately, cybercrime won’t stop anytime soon. It has been too successful, and the chance of the criminals getting caught is low. What you have to do is protect yourself and your data with the best security tools and practices. If you’re not sure whether your cybersecurity program is strong enough, hire a managed IT provider. They can perform penetration testing to assess your level of security.

A great managed IT service provider will do a full assessment of all your security protocols and let you know whether you need to add layers of protection. When you have the best cybersecurity platform in place, you can sleep better at night.