The importance of cybersecurity resiliency for nonprofit organizations

ARTICLE | December 10, 2024

Authored by RSM US LLP


No organization is immune from cyberattacks. For nonprofits, cybersecurity resiliency revolves around the ability to detect, respond to and recover from incidents quickly while minimizing the impact on operations. In the event of a cyberattack, can the organization continue to deliver vital services to its stakeholders?

Nonprofits often hold sensitive donor information, volunteer details and constituent data, in addition to managing critical community services. An organization that has strong cybersecurity resiliency protects its sensitive data and ensures that it can fulfill its mission without interruption. Organizations that seek to bolster their cybersecurity resiliency can take steps to enhance this vital function.

Furthermore, donors and grantors are requiring nonprofits to have stronger cybersecurity controls as part of their risk management processes. As the cybersecurity landscape evolves, nonprofits will need to stay informed about the latest threats and available solutions.

Unique challenges

Nonprofit organizations often face different cybersecurity issues than for-profit enterprises. One key difference is their reliance on external parties, such as volunteers or contractors, who have access to internal systems. This can create complications in ensuring that only the right people have access to the right information.

In addition, many nonprofits have limited budgets for technology investments and cybersecurity measures. These constraints can result in accumulated technology debt, where organizations continue to use outdated or vulnerable systems because upgrading requires valuable resources or significant investments.

Like many businesses, nonprofits assume that because they use third-party vendors or cloud services, their data is safe. However, while the cloud often does provide more native cybersecurity controls, this assumption can lead to vulnerabilities. Nonprofits must actively manage their security program and related risks, even when using external providers.

Strengthening resiliency

Despite these challenges, there are several strategies nonprofits can use to improve their cybersecurity posture:

1. Mission alignment

Leadership must emphasize the importance of cybersecurity. If cybersecurity is championed from the top, including the board, it becomes easier for employees and volunteers to prioritize security in their daily operations.

2. Asset protection

Some data is more crucial or vulnerable than other data. Nonprofits should understand the data types they have and then focus on the most critical areas, define their security requirements and work to implement technical controls that can safeguard their riskiest data sets first.

3. Security awareness training

Cybersecurity training for nonprofit staff and volunteers is vital. Ideally, the program can be implemented through a formal learning management system, but it can be as simple as an annual town hall meeting. Regardless of the format, the goal is to make stakeholders aware of phishing attacks, social engineering scams and other common threats. It is also beneficial to create specialized training for leadership teams and staff with elevated privileges such as IT administrators or finance professionals, so they know how to handle incidents and coordinate responses.

4. Incident response and business continuity plans

Nonprofits need well-defined incident response and business continuity plans to ensure they can act swiftly during a security breach or other business interruption. The organization should run tabletop exercises to test these plans and ensure that leadership is prepared to handle communications during incidents and disruptions.

5. Free and low-cost resources

Nonprofits with limited budgets may feel that strong cybersecurity is out of reach. However, free resources—like those offered by the National Institute of Standards and Technology and the Standards Council of Canada—can provide guidance and best practices. These resources can help organizations implement incident response scenarios and develop cybersecurity plans. In addition, some technology vendors offer discounted cybersecurity tools for nonprofits, which can be helpful for organizations with tight budgets.

6. Partnerships and outsourcing

For many nonprofits, hiring in-house cybersecurity professionals is financially unfeasible. Organizations may want to work with a third-party vendor that can offer expertise that might otherwise be out of reach while keeping costs manageable. A managed security service provider can handle cybersecurity more effectively than nonprofit professionals who do not focus on technology.

Going forward

The question is not whether nonprofits will face cyberthreats but how prepared they will be when those threats arise. Financial auditors are increasingly including cybersecurity risk in their internal control reviews, and this will pressure nonprofits to improve their practices.

Ensuring cybersecurity resiliency—the ability to protect against, respond to and recover from cyber threats—is not just a technical requirement but a mission-critical function. By embracing key strategies and best practices, nonprofit organizations can protect their operations and ensure the continued trust of their donors, volunteers and communities.

  • This article was written by Patricio Cadena, Gianna Kubiak and originally appeared on 2024-12-10. Reprinted with permission from RSM US LLP.
    © 2024 RSM US LLP. All rights reserved. https://rsmus.com/insights/industries/nonprofit/cybersecurity-resiliency-for-nonprofit-organizations.html

    RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent assurance, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/about for more information regarding RSM US LLP and RSM International.

    Vasquez + Company LLP has over 50 years of experience in performing audit, tax, accounting, and consulting services for all types of nonprofit organizations, governmental entities, and private companies. We are the largest minority-controlled accounting firm in the United States and the only one to have global operations and to be certified as an MBE with the Supplier Clearinghouse for the Utility Supplier Diversity Program of the California Public Utilities Commission.
