Cybersecurity Client Alert
Many nonprofits handle sensitive data and personally identifiable information, which makes them targets for cyber-attacks. As a result, it is important that nonprofit organizations protect their systems, networks, and programs from digital attacks through the practice of cybersecurity. This alert contains general recommendations for identifying risks, creating a plan to protect against those risks, detecting breaches, and recovering after a cyber-attack. However, each organization should consider its own unique vulnerabilities, sensitive data, and resources when making its own plan.
The first step in creating a cybersecure organization is to identify risk factors.
Consider what information your organization has access to that may be of value to attackers. This often includes personally identifiable information (PII), which consists of names, email addresses, phone numbers, postal addresses, and other records that can be used to identify or trace an individual. Nonprofits often keep records of donors or members that are full of such information. If your organization collaborates with government agencies or other organizations, sharing files creates mutual risk, especially for files that contain confidential or sensitive information about projects or financial records. This is a non-exhaustive list of examples. Take time to consider which information and systems are at higher risk for your organization specifically.
Next, consider how your organization can protect against these risks.
At a baseline level, this should include training all volunteers and employees who have access to data to be conscious of the websites and links they visit, the way in which they use and store passwords, and the drives on which they store information. This training should also cover cyber-attack schemes such as phishing, which exploit human error to gain access to systems. The Federal Trade Commission (FTC) provides helpful guidelines on best practices for small businesses. Those recommendations include using secured wireless network routers, using multi-factor authentication for logins, and encrypting media that hold sensitive information. Additionally, have organizational policies in place regarding the collection, storage, and disposal of sensitive data. While attackers may seek to steal sensitive information, they may also work to deny authorized personnel access to the files and data they need. The loss of files, or the inability to access them, can slow organizational operations or result in the costly recovery of important information.
Next, make sure that your organization has systems in place to detect cyber-attacks.
Cybersecurity threats should be flagged by the security software the organization has in place. However, members of the organization should also be trained to spot them. In your employee cybersecurity training, make sure that members of the organization know the warning signs to look out for, such as unexpected password resets, unusual login activity, unauthorized access, and modification or loss of data. Suspicious activity should be reported promptly, ideally to a pre-established point person who handles security within the organization.
Finally, make sure that you have a recovery plan in place in the case of a breach of data.
In addition to investigating the breach, it is important to have steps in place for moving forward. Law enforcement and regulatory agencies should be contacted, as well as any security services used by the organization. Consult with your attorney regarding the cybersecurity laws in your state, as you may be required to notify parties whose personal information was involved in the breach. Timely communication with employees at this stage helps mitigate further risk. The specific actions required will depend on the nature of the cyber-attack. Once the breached system is secured against the threat, efforts to recover data can begin. It is important to keep backups and update them regularly in order to expedite recovery. Systems and documents that were not backed up will need to be rebuilt, which can be costly and time-consuming. Once the cause of the breach is found, update your organization's cybersecurity plans as necessary to account for this vulnerability.
As previously stated, these practices will differ for each organization. However, it is important that every organization take the time to form a plan and prepare for these situations. Consult with a cybersecurity expert and obtain legal advice to ensure that your organization is following best practices in this area.