January 18, 2021
Nonprofit Cybersecurity Begins by Adopting Easy-to-Use Practices
By Margaret Chock

All organizations function, and succeed, based on their data, so its loss or theft can pose an existential threat. Fortunately for nonprofits, instituting a number of low- or no-cost procedures can go a long way toward ensuring data security.

According to a 2019 report by the National Cyber Security Alliance, after a data theft, 25% of small and medium-size businesses had to file for bankruptcy, with 10% closing permanently. At risk is not just your own data but also highly sensitive information: your donors’ financials and, depending on the services you provide, personal client information such as medical records, drug tests, or financial problems, whose exposure could be very damaging to them.

So, back up your computer in the cloud, not just nearby. Local backup can be useful to speed things up, but ultimately, it’s best to preserve your files in the digital cloud in the rare case that your office building burns down, gets flooded out, or collapses in an earthquake (depending on what part of the country you live in). Even data that’s stored in the cloud should be backed up elsewhere in the cloud to make sure it doesn’t exist in just one location.

Once your data is safely copied, consider other threats beyond losing it altogether. For example:

  • If your security isn’t adequate or up-to-date, hackers might steal, vandalize, confiscate, or start misusing your information at greater and greater expense to you.
  • Computer viruses and worms can pick up credit card numbers or social security numbers: yours, or worse, your clients’.
  • People can eavesdrop on your wireless network.
  • The wrong parties can read your unencrypted email.

It’s a good practice to get a security audit to figure out what you really need to protect yourself, and what policies, procedures, or systems are needed. Since cybercrime is constantly evolving, you should seek a cybersecurity consultant whose certification is current to keep your business protected. You shouldn’t need much of their time, but have them repeat the audit at least annually.

While you’re waiting for your first appointment, here are a few basic steps to take to protect yourself:

  • Invest in an antivirus program: There are a number of good options, even if they aren’t perfect; get at least one, and let it update automatically to provide an inexpensive, mostly unobtrusive line of defense.

  • Keep your software up-to-date. Updates may be a nuisance, but they usually include defenses against newly-recognized security threats.

  • Look for security on websites you access: Your browser software may have built-in security checks, or look for “https:” rather than just “http:” in the website address. Check the rest of the address carefully to make sure you’re on the site you intended.

  • Don’t let your staff use public Wi-Fi on their work laptops in coffee shops or airports; it isn’t secure. If they really need on-the-go access, give them a mobile hotspot that has adequate security.

  • Test emails: If a message from someone you know doesn’t make complete sense, ask the sender whether it’s legit (NOT by return email, unless you know the address).

  • Check links in emails by hovering over them before clicking: Make sure they lead to legitimate websites, the ones they claim to be, with an address structure that makes sense to you.

  • Consider two-factor authentication, such as biometric tests like fingerprint readers in addition to your strong passwords, and encrypt your most critical files.

  • Seek out protections for hardware as well: This includes devices for locking PCs and laptops to furniture, tracking services like LoJack (though valuable data will probably be stolen from your hard drive before they can retrieve the device), and remote zapping apps to erase all your data from a stolen smartphone.
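
For organizations with someone comfortable running a script, the two link checks above (look for “https:” and make sure the address really is the site it claims to be) can be automated. The following is an added example, not part of the original article; the function names and the sample message are constructed for illustration, and all hosts in it are reserved example names and addresses.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email body; hosts are reserved example names/addresses.
SAMPLE_EMAIL = """
<a href="http://198.51.100.7/login">https://portal.example.org</a>
<a href="https://portal.example.org.account-check.example.net/reset">portal.example.org</a>
<a href="https://portal.example.org/help">Help center</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href, text):
    """Return reasons a link deserves a second look (heuristics, not a verdict)."""
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return []  # mailto:, tel: and similar are out of scope here
    host = (parts.hostname or "").lower().removeprefix("www.")
    reasons = ["not https"] if parts.scheme == "http" else []
    if re.fullmatch(r"[0-9.]+", host) or ":" in host:  # IPv4 or IPv6 literal
        reasons.append("numeric address instead of a name")
    # If the visible text looks like a domain, it should match the real host.
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
    shown = m.group(1).removeprefix("www.") if m else None
    if shown and host != shown and not host.endswith("." + shown):
        reasons.append(f"text shows {shown} but link goes to {host}")
    return reasons

def review_email(html):
    """Map every link in the message to the list of reasons it was flagged."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}
```

The second sample link shows why the whole address matters: the familiar name appears at the start, but the site actually reached is the one named at the right-hand end of the host.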

Most breaches are enabled by mistakes made inside your organization. These could be made by your organization’s staff, or sometimes others with direct access to your systems, like hardware vendors or people in your supply chain. So, ensure that everyone is thoroughly trained and these lessons are drilled in. And back up your data – way offsite!

Margaret Chock, PhD, CMC, a certified management consultant who helps small and large organizations manage and safely maintain technology, is the author of IT Management for Little Companies. Learn more at

November 2020
