When running a nonprofit, there’s a good chance that cybersecurity is the last thing on someone’s mind. When the purpose isn’t based on making money and the budget isn’t exactly expansive, it can be strange to imagine that there are people out there looking to profit from an organization. Unfortunately, that’s exactly what’s happening.

Smaller organizations are more likely to be the victims of cyberattacks because they’re less likely to spend their limited resources on shoring up their security. This is especially the case when it comes to nonprofits. That isn’t even factoring in some hackers' political motivations against certain nonprofit organizations.

But even if security leaders recognize cybersecurity as a pressing issue, they might wonder how to protect their organizations without the money or time that major corporations do. It sounds like a big ask. The good news is that there are quite a few steps to take that don’t require allocating a huge amount of resources to security. They just require the cooperation of an organization’s teams and some extra oversight from IT.

Here are the eight steps security leaders should take today to secure their nonprofit:

1. Stay current with security best practices

If an organization is running out-of-date software, it is opening up a back door for hackers to stroll through. Don’t be one of those organizations that still rely on Internet Explorer. Update all software and operating systems so that known vulnerabilities are patched as soon as possible. Keeping everything up-to-date will also help security leaders get optimal performance out of their hardware.

2. Strengthen passwords

Everyone in an organization should use complex, randomly generated passwords that are difficult to crack and virtually impossible to guess. A team should not reuse these passwords on other sites and should change them regularly (security leaders can set it up so passwords must be changed within a specific timeframe).

Have everyone use a password manager rather than storing passwords directly on their computers. This will also make it easier for employees to remember the complex passwords they create.

3. Implement two-factor authentication (2FA)

A password should only be one part of the login equation, however. Security leaders should also implement 2FA across an organization. This acts as another line of defense when a password is stolen. Users must verify that they are who they say they are by approving a login through a second device (usually their phone). Ideally, this authentication should be done through an app. While better than nothing, SMS is more easily hijacked than dedicated authenticator apps.

4. Prioritize regular data backups

While backing up important data won’t keep an organization from being the victim of a cyberattack, it will put them in a much better position if it happens. Ransomware attacks, for example, lose their teeth if the data they’re threatening to delete is safely backed up elsewhere. Backups are also indispensable in cases of hardware theft, loss or failure.

Backups should be kept in a secure location off-site. This will ensure that any disasters affecting primary storage won’t impact fail-safes.

5. Remain alert for potential threats

Keep a steady eye on the organization’s online presence to spot and handle any suspicious activity before it becomes problematic. That means monitoring networks, servers, the website and social media accounts. It also means watching for any vulnerabilities or breaches that affect the platforms an organization relies on. This way, even if caught up in someone else’s breach, security leaders can quickly catch it and mitigate the damage.

6. Encrypt sensitive information

The unfortunate fact of cybersecurity is that, even with all the right protections in place, breaches can still happen, which is why it’s so important that all personal and private data is heavily encrypted. That way, even if someone can steal sensitive files and documents, they won’t be able to read them.

Encryption doesn’t just apply to data at rest, either. If security leaders send or receive private information, they should do so through encrypted channels. If relying on email, use PGP or other encryption options. Better yet, use a platform that offers encryption by default for sending and receiving information.

7. Limit access permissions

While providing open access to an organization’s data to all team members might be easier, it’s also a massive vulnerability. The default behavior should be to deny access to information unless an employee needs to see it. Be sure to remove permissions when an employee leaves the organization or no longer needs access. This is a policy that should go all the way to the top.
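The password-rotation window from step 2, the authenticator-app 2FA from step 3 and the default-deny and revoke-on-departure rules from step 7 can be checked together against an account export. The script below is an added example, not code from the original article; it assumes a constructed account list, an assumed 90-day rotation window and an assumed job-to-permission map.

```python
from datetime import date, timedelta

PASSWORD_MAX_AGE = timedelta(days=90)  # assumed rotation window; set per policy
AUDIT_DATE = date(2024, 6, 1)          # constructed "today" for the sample run

# Assumed job-to-permission map: what each job actually needs (deny everything else).
NEEDED_ROLES = {
    "fundraising": {"donor-db"},
    "finance": {"donor-db", "accounting"},
    "volunteer": set(),
}

# Constructed sample directory export, not real data.
ACCOUNTS = [
    {"user": "alice", "job": "fundraising", "active": True, "mfa": "app",
     "pw_changed": date(2024, 5, 1), "roles": {"donor-db"}},
    {"user": "bob", "job": "volunteer", "active": True, "mfa": "sms",
     "pw_changed": date(2024, 1, 10), "roles": {"accounting"}},
    {"user": "carol", "job": "finance", "active": False, "mfa": "none",
     "pw_changed": date(2024, 4, 20), "roles": {"donor-db", "accounting"}},
]

def audit_account(acct, today):
    """Return the policy violations for one account (empty list = compliant)."""
    findings = []
    if acct["mfa"] == "none":
        findings.append("no 2FA enabled")
    elif acct["mfa"] == "sms":
        findings.append("2FA uses SMS; move to an authenticator app")
    if today - acct["pw_changed"] > PASSWORD_MAX_AGE:
        findings.append("password older than %d days" % PASSWORD_MAX_AGE.days)
    if not acct["active"]:
        # Departed users must hold nothing at all.
        if acct["roles"]:
            findings.append("departed user still holds: " + ", ".join(sorted(acct["roles"])))
    else:
        # Default deny: anything beyond the job's needed roles is excess access.
        extra = acct["roles"] - NEEDED_ROLES.get(acct["job"], set())
        if extra:
            findings.append("access beyond job need: " + ", ".join(sorted(extra)))
    return findings

def audit(accounts, today):
    """Map each non-compliant user to its findings; compliant users are omitted."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct["user"]] = findings
    return report

if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS, AUDIT_DATE).items():
        print(user + ":", "; ".join(findings))
```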

8. Document procedures and train the team

Research found that 26% of charities had a cyberattack in 2021. This means that a wide swathe of nonprofit organizations are sitting ducks for any bad actors that come along.

Cybersecurity best practices only work if everyone is practicing them. Codify best practices and educate the team about them. Don’t assume someone knows to do things like avoid public WiFi or keep everything updated. Make security training a regular thing. As practices are updated, the team should be too.

It can be tempting to think that just because a nonprofit is small, they’re under the radar of any cybercriminals looking to make a buck. But the truth is that these qualities make them the exact target they’re looking for. Don’t wait until after a data disaster to invest in security. The sooner data is kept safe, the better off a nonprofit will be.