Nonprofits’ Critical Cyber Threat

Nonprofit leaders, please beware!  The greatest threat to your Cyber Security may be lurking around your office at this very moment!  What is that pervasive cyber threat?  It’s you and your staff, so to protect your organization, you better do something about them!

EY produces an annual survey on cyber threats and vulnerabilities, and the number one vulnerability continues to be careless or unaware employees.  Check out more of the 2017-18 Survey.

Learning About Cyber Threats

Several years ago, as an NFP CFO, I dreaded the annual discussion at budget time about cyber security for two reasons.  First, the discussion always came with a large price tag, and second, regardless of the investment, the risk was never reduced to zero.  I quickly realized that I needed to understand cyber security better, so I started to do some research.  I searched the internet, talked to IT staff, met with consultants and read blog posts and white papers.  More than anything, I learned that the most vulnerable parts of the cyber security environment were the staff members, including myself.

When people are excluded from the cyber equation, such as when you have computers interacting with computers, you can put in all types of fancy controls to keep them from doing anything bad.  Unfortunately, when you introduce people into the mix, it becomes nearly impossible to keep bad things from happening.  In addition, the bad things seem to be getting worse.  Exposed personal data, fraudulent funds transfers, lost data and damage to your customers, staff and donors are just a few of the consequences of nefarious cyber activities.

A Quick Cyber Threat Test

Let’s have a show of hands…

  • Have you ever clicked on a link in an email from someone you didn’t know?
  • Opened a PDF document?
  • If you received an email that appeared to come from someone in your HR department or from the CEO, would you be able to spot whether it was a scam?
  • How many of you use the same password for multiple websites?
  • And how many of you haven’t changed your password in more than three months?  Six months?  A year?
  • How many of you don’t know how to change your password?
  • Does your organization have cyber policies and training?
  • Is your leadership team as worried about cyber threats as you should be by now?

What To Do To Address Cyber Threats

Hopefully, by now, I have made the case for you to raise your level of concern about cyber threats.  As NFP leaders, you need to protect your organization, and since your organization needs people, you must take steps to protect your organization from your people.  You have a few options:

  • Invest huge amounts of money in equipment and software to secure your network.
  • Spend huge amounts of money on procuring insurance for everything that could be impacted by a major cyber event.
  • Invest in reasonable system controls, sensible policies and training for your entire team (including yourself). And get some insurance since nothing is perfect.

The first two options are probably not the answer for the typical NFP organization.  Let’s be honest, unless you are a mega-NFP, you don’t have huge amounts of money to invest.  If you do, consider the successes at Equifax, Target and the US Government.  In addition, all the insurance you can afford won’t help if a breach damages your organization’s reputation.  Insurance likely won’t help recreate your information and get your organization functioning again.

Tools, Policies and Practices

There are plenty of reasonably cost-effective tools to protect your computer systems, ranging from multi-factor log-ins to biometrics.  In addition, good IT policies and practices, such as auto-expiring passwords, backups and disaster recovery plans, can provide a framework to help protect your data and systems.  However, no matter how good the system protections are, you remain at the mercy of your largest cyber threat: your people.


Training is simply critical to protecting your systems.  People need to be aware of your organization’s policies and need to understand the threats.  There are many providers of cyber training and numerous federal and state level agencies that provide guidance and resources to help raise awareness and preparedness.

Keep in mind that criminals understand people.  They are master manipulators who know the power of motivation, and they are working hard to devise new ways to attack your organization, getting more creative every day.  They see your people as the easy target in the cyber security equation.


Cyber security training is not a “one and done” requirement.  Awareness is the goal, as well as adherence to policies, but since the cyber threat is constantly evolving, your training must follow suit.  Create a training plan that includes regular reminders and updates.  Make sure that cyber training is recognized as mandatory for all staff.  Test compliance and communicate successes and failures.  Follow through on repeat offenders by establishing consequences and enforcing them.

Get outside help to assess your training and cyber plan. Keep your Board involved and updated, as well.


Bottom Line

There are probably several million blogs about cyber security.  It is an incredibly important topic for NFP leaders to contend with, and there is no silver bullet to protect your organization.  You have limited resources to address the issue, so spend your money wisely.  Invest in good systems, policies and practices.  Above all, prepare your people.  Train them well and provide them the tools necessary to protect your organization.  Don’t let them remain the largest threat to your cyber security.


To learn more about NFP Risks and Opportunities, check out the following articles: Major Types of Risk That NFP Leaders Need to be Thinking About and Huge Opportunities for Not for Profits

Please share your comments via LinkedIn or directly on the Not for Profit Leadership Blog:  Not for Profit Beyond the Numbers
