
Nonprofit organizations have been at the forefront of the COVID-19 response, assisting with education, healthcare, and other important activities to help individuals and communities. 

Like most other industries, the nonprofit sector has made significant changes to its programs and services to comply with government requirements and restrictions. Online and virtual programs have replaced on-site and face-to-face interactions with clients, and a significant number of nonprofit employees are now working from home. 

The transition to virtual platforms has brought benefits, allowing some organizations to broaden their footprint into new regions and reach more people than before. The transition also has created potential liabilities, with increased opportunities for data breaches and cybercrimes.

Small and midsize nonprofits may be at a greater risk, as many operate on outdated computer systems, have limited budgets, and lack proper protocols to protect them from malicious attacks and activities. Without these protections, organizations are vulnerable.

Even before the pandemic, cybersecurity was an increasing concern for organizations. But the global crisis brought about a surge in cybercrimes, according to a report by the FBI.

An article in Cybercrime Magazine says industry experts are predicting that the damage costs of cybercrimes could double as a result of the global pandemic unless organizations take immediate action. 

Common Cybercrimes

There are many different methods of attacking an organization. Criminals commonly rely on these three approaches:

Data Breach 

Unauthorized access can expose the data your organization handles through activities such as collecting credit card information and storing client, employee, and donor information. Breaches may come from third-party attacks, negligence, or malicious insiders.


Malware

Malicious software, called malware, is designed to harm or exploit your network or service. One of the most common types of malware is ransomware, in which hackers shut down access to your organization’s systems and information until some type of payment is made.


Phishing

Phishing involves emails that masquerade as reputable and legitimate, encouraging recipients to take some type of action. These messages include malicious links and often trick victims into providing passwords and other valuable information or downloading malicious programs.

Where to Start

1. Get Outside Help

Have an IT specialist perform a professional assessment of your data risks. This will include a look at your equipment, procedures for storing data, password protection and access, and storage and retention.

2. Train Your Staff

Human error is often the cause of data breaches. Training your team on safety protocols is critical, yet a recent report revealed more than half of nonprofits don’t provide any training for their staff.

Brian Hunter, BKD’s information security officer, emphasizes the importance of staff training: 

“While there are a multitude of technical controls one can implement to help secure their environment, by far the most effective and successful way is to have a security-aware and conscious staff. No technical control can stop everything, so you have to rely on your staff to make intelligent decisions around security. This makes security awareness training a key control in protecting your environment and data.”

3. Develop & Document Policies & Procedures

Policies and procedures are a form of risk management; they provide internal direction and demonstrate externally that your leaders have given time and thought to important issues. Remarkably, most organizations (nearly 70 percent) have never established cyber policies or procedures, according to a survey by NTEN.

Policies for data management and cybersecurity should describe how the organization’s technologies can be used (downloads, personal versus work, etc.) and include an incident response plan that outlines how to effectively respond to cybersecurity incidents. This document should describe where information is stored and who has access to it. 

All users should be required to read and agree to follow the policies.

4. Establish Multifactor Authentication (MFA) 

Passwords are simply not enough. MFA adds extra layers of protection by requiring users to approve sign-ins from a mobile app before gaining access to a VPN or online account. This extra step can greatly reduce the likelihood of cybercrimes. 

5. Review Regulations

State laws dictate how nonprofits handle confidentiality and data to protect individuals’ information. The National Conference of State Legislatures says that all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.

In addition, some states have laws requiring organizations to report how they collect and store data. These may include guidelines on providing individuals with the right to opt out and a clear plan for data deletion or sharing.

In the midst of a crisis, these actions may seem daunting and low on the list of priorities. But the best time to respond is now, before your nonprofit is targeted. A proactive approach will allow you time to plan and prepare. 

An investment of time and resources now can help mitigate the damage if you’re attacked and help protect your reputation and build donors’ trust in your organization. For more information, reach out to your BKD Trusted Advisor™ or submit the Contact Us form below.
