This is the second of five articles covering 23 essential steps that you can take immediately to reduce the risk of cyber-attacks on your organization. Check out the first article, Cybersecurity Essentials for Nonprofits: Identity and Access Management.
A Mail Analogy
In the nonprofit sector, relationships and trust are essential. Donors, beneficiaries, and volunteers trust your organization with their personal information. But just as physical letters must be delivered safely, so must digital data. In this article, we will walk you through an analogy that brings data privacy and cybersecurity to life: The concept of your nonprofit’s virtual mailbox.
By thinking about your organization’s data as mail that needs to be protected at every step of the way, you’ll be better equipped to handle sensitive information securely. We'll break down complex terms like “privacy,” “data privacy,” and “data governance,” offer actionable strategies for your organization, and explain why failing to protect data can incur escalating costs.
The Letter: Personal data
Imagine the data your nonprofit collects as a letter. It contains personal details, financial information, and sensitive records about your donors, clients, and volunteers. According to NIST (National Institute of Standards and Technology), “privacy” is "the right of individuals to control what happens to their personal information." When we talk about “data privacy," it refers to protecting that right when information is collected, stored, and shared digitally.
For nonprofits, protecting this "letter" is crucial. Whether it’s a donor’s credit card information or a client’s confidential details, mishandling such information could lead to lost trust or worse, a data breach.
The Envelope: Encrypting data for protection
To keep your letter safe, it needs to be sealed in an envelope. Virtually, this means encrypting data. “Encryption” is a method of converting information into a code to prevent unauthorized access. When sensitive data is stored or transmitted online, encryption acts as your envelope, ensuring that anyone who intercepts the information cannot read it.
Actionable Tip: Use encryption for both storage and transmission of data to keep your nonprofit’s sensitive information secure.
The Mailbox: Secure data storage
Once your mail is ready, it needs to be safely delivered to a secure mailbox. In a virtual environment, this means using secure servers or cloud storage solutions. Nonprofits need a reliable system to store information with strong access control measures. For example, a nonprofit’s finance team can access only donor records, while program managers can access participant data. This approach, known as Role-Based Access Control (RBAC), assigns access to sensitive data based on job functions.
A second example: employees of a nonprofit are required to use Multi-Factor Authentication (MFA) to access internet accounts, combining a password with a second verification step (e.g., a code sent to a mobile device) to enhance security. Additionally, only managed devices are permitted on the network, and strong password policies are enforced.
Data governance ensures that the information stored in your “mailbox" is properly managed. In simple terms, data governance is a framework that helps organizations handle data securely. It includes policies and procedures to ensure that personally identifiable information (PII) is stored and handled safely.
Actionable Tip: Adopt strong data governance policies, including limiting data access to only those who need it.
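As an added illustration (not code from the article or from 501 Commons), the following Python sketch shows how the RBAC and MFA ideas above combine into a default-deny access check: roles and record types are taken from the article's own examples, while the specific permissions, classification labels, and the rule that Confidential or Restricted data requires MFA are constructed assumptions for this example.

```python
# Added example: role-based, default-deny access check for the "mailbox".
# Roles (finance, program_manager) and record types follow the article;
# the permission table, classification levels and MFA rule are assumptions.
from dataclasses import dataclass

# Classification levels, least to most sensitive (article's own scheme).
LEVELS = ("Public", "Internal", "Confidential", "Restricted")

# Which roles may perform which actions on which record types.
# Anything not listed here is denied: that is least privilege in practice.
POLICY = {
    "finance":         {"donor_record": {"read", "update"}},
    "program_manager": {"participant_record": {"read", "update"}},
    "volunteer":       {"event_schedule": {"read"}},
}

# Constructed classification of each record type.
CLASSIFICATION = {
    "donor_record": "Restricted",
    "participant_record": "Confidential",
    "event_schedule": "Internal",
}

AUDIT_LOG = []  # every decision is recorded so denials can be reviewed


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(roles, record_type, action, mfa_verified=False):
    """Return a Decision; Confidential and above also require MFA."""
    level = CLASSIFICATION.get(record_type)
    if level is None:
        decision = Decision(False, "unknown record type")
    else:
        decision = Decision(False, "no role grants this action (default deny)")
        for role in roles:
            if action in POLICY.get(role, {}).get(record_type, set()):
                needs_mfa = LEVELS.index(level) >= LEVELS.index("Confidential")
                if needs_mfa and not mfa_verified:
                    decision = Decision(False, f"{level} data requires MFA")
                else:
                    decision = Decision(True, f"role '{role}' permits {action}")
                break
    AUDIT_LOG.append((tuple(roles), record_type, action, decision.allowed))
    return decision
```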
The Mail Carrier: Safe data transfer
Think of the process of transferring data like hiring a trustworthy mail carrier. For nonprofits, it’s critical to ensure data is safely transferred between stakeholders, whether it’s between departments, partners, or donors.
Use VPNs (Virtual Private Networks) and secure email systems to ensure sensitive data is transferred securely, just as you would expect your mail carrier to ensure the letter reaches its destination without being tampered with.
The Locked Gate: Firewalls and cybersecurity measures
A locked gate protects your mailbox from intruders. Firewalls act as a barrier between trusted internal networks and untrusted external networks like the internet.
Actionable Tip: Install firewalls, antivirus software, and intrusion detection systems to keep your "digital gate" secure. Regularly update these tools to maintain their effectiveness.
The Junk Mail Filter: Managing threats
Just as a junk mail filter keeps unnecessary and harmful mail from clogging up your mailbox, nonprofits need strong protections against phishing emails, malware, and cyberattacks. Phishing emails are particularly dangerous because they look like legitimate communication but contain malicious links.
Actionable Tip: Educate your staff and volunteers on recognizing phishing attempts and set up filters to automatically block suspicious emails.
The Cost of Lost Mail: Financial impact of a data breach
What happens when a letter is lost or stolen? The financial impact on a nonprofit can be huge. Data breaches can cost organizations in terms of lost trust, regulatory fines, legal fees, and the expensive process of recovery.
Failing to protect data incurs escalating costs, much like losing valuable mail. Citing a 2023 IBM study, the International Association of Privacy Professionals (IAPP) reported the average cost of a data breach to be around $4.45 million. For nonprofits, even a fraction of that cost can be catastrophic.
BYOD and Work from Home: Navigating new risks
With the rise of remote work and Bring Your Own Device (BYOD) policies, new privacy concerns are emerging. Personal devices might not have the same level of protection as your organization’s equipment, making them an easy target for cyberattacks. In assessing BYOD, organizations must weigh the risks and benefits. Some ban it, while others seek a balance. A professional evaluation can help identify the best security approach.
Actionable Tip: Develop a clear BYOD policy that outlines security requirements for any personal devices accessing nonprofit data. Ensure that devices have up-to-date antivirus software, encryption, and multi-factor authentication (MFA).
New Privacy Concerns: The internet and emerging technologies
As technology continues to evolve, nonprofits face new privacy challenges. Social media platforms, cloud services, and internet-connected appliances (known as the Internet of Things, or IoT) such as security cameras, door locks, and smart speakers collect massive amounts of data. Before adding new devices or software to your network or cloud environment, understand what data is being collected, where it is stored, and who will have access to it.
Ensuring data privacy and cybersecurity requires many small efforts. By thinking of your nonprofit’s data as a letter that needs to be protected, it becomes easier to understand how each step contributes to security. From encryption and firewalls to training your team to recognize a phishing email, every step matters.
What You Can Do Now
Start today by auditing your current data practices, educating your staff, and setting up strong privacy policies. After all, just like a trusted mail service, your nonprofit should deliver on its promise to protect the personal information entrusted to it.
Inventory and classify your data
Know what types of data you are storing. Not all data needs the same level of protection. Classify it based on privacy level (e.g., Restricted, Confidential, Internal, Public) and apply the strongest protections to your most sensitive data.
Create internal and external privacy policies
Be transparent with your donors, volunteers, and staff. Let them know what data you collect, why it’s collected, and how it’s protected. This builds trust and accountability. Develop a Frequently Asked Questions (FAQ) list, accessible both internally and externally, that explains in plain language how the data your organization collects will be used and for what purposes. FAQs could include answers to questions such as:
- "What individuals or entities have access to the personal data we collect?"
- "How do you use the personal information you collect?"
- "What security measures are in place to protect my personal information?"
Staying current on data privacy and cybersecurity is essential. The International Association of Privacy Professionals (IAPP) offers valuable resources like educational materials, certifications, and webinars to keep your team informed.
Explore the National Institute of Standards and Technology (NIST) Privacy Framework to start integrating privacy best practices into your organization.
Cybersecurity awareness training
Every staff member, volunteer, and board member should be educated about basic privacy and cybersecurity practices. From phishing to password management, understanding the risks is the first step toward prevention.
By implementing these strategies, your nonprofit can ensure the safe handling of personal information, comply with privacy regulations, and maintain the trust of the community you serve. Send an email to Dumkele Osegi at dumkele@501commons.org to learn more.
Additional Resources:
Download the complete Cybersecurity Essentials for Nonprofits Checklist by 501 Commons from the Technology Knowledge Center to learn more about best practices related to Integrity-Culture of Security, Cybersecurity Awareness Training, and Governance.
About the Author
Vonnita Jones is proud to be an Executive Service Corps member at 501 Commons. Throughout her career in IT, she's been tasked with maintaining infrastructure systems, ensuring quality in software products, and resolving accessibility issues in technology environments.
Her goal is to promote cybersecurity awareness and privacy advocacy. She's honored to offer information and tools to help nonprofits become more acquainted with all things related to securing their technology and data. In her free time, Vonnita enjoys playing Uno on the mobile app, mentoring, interior decorating, reading, and spoiling her Yorkie furbaby!