Nonprofit organizations face the same cyber security threats as for-profit businesses.
They operate websites, accept online donations, and utilize social media, email, web conferencing, and business software. Nonprofits support employees working and using mobile devices.
All of these factors can expose nonprofit cyber security vulnerabilities.
In this article, we discuss why it’s important to focus on cyber security training and human vulnerability. We identify nine best practices organizations can use to secure financial and operational data.
Finally, we examine the benefits of cloud financial management solutions in terms of cyber security and share a checklist to help you determine if your SaaS providers have strong security practices.
Here’s what we cover:
- Cyber security challenges for nonprofits
- The weakest link in cyber security is human error
- 9 cyber security best practices for nonprofit organizations
- Are SaaS nonprofit accounting solutions safer than on-premises software?
- How to gauge a SaaS provider’s strength of security
- Good cyber security is a shared responsibility
- Final thoughts
Cyber security challenges for nonprofits
Unfortunately, most nonprofits cannot match the resources and dedicated IT personnel that big businesses deploy to counteract cyberattacks.
For insight into the state of nonprofit cyber security, consider NetHope’s 2023 State of Humanitarian and Development Cybersecurity Report.
Its members collectively account for about 60% of all non-governmental humanitarian and development spending, serving people in 215 nations.
Nevertheless, its IT cyber security leaders revealed:
- 59% believe their cyber security and information security practices are underfunded
- 65% say cyber security is inadequately managed in their organization
Fortunately, there are steps nonprofits can take to tighten up cyber security.
Additionally, SaaS software solutions can help nonprofits of any size secure their technology infrastructure and mission-critical data.
The weakest link in cyber security is human error
The most vulnerable spot in your cyber security framework occurs where your people meet technology.
Cyber threat actors have developed sophisticated strategies for convincing people to make mistakes.
All it takes is one wrong click in an email, one piece of information revealed, or one lost or stolen credential to allow thieves into your systems.
If an unsuspecting employee clicks on a phishing email, it could unleash a ransomware attack that locks up your organization’s data or enable a breach of sensitive donor or financial data.
Some of the most successful phishing attacks combine social knowledge (appears to be from someone within your organization such as your boss) with an urgent request to add pressure.
In the heat of the moment, a mistake gets made and your organization may lose private data, money, reputation, and donor trust.
9 cyber security best practices for nonprofit organizations
Nonprofit organizations can do their part to secure SaaS financial and operational data by following these nonprofit data security best practices:
1. Encourage good password hygiene
Current cyber security guidance says the best passwords are long and random.
As the administrator, be sure to set your financial management solution’s rules for how frequently passwords must be changed, password complexity, and blocking the ability to reuse prior passwords.
2. Turn on multi-factor authentication
This adds another layer of access security on top of passwords, putting more obstacles between a would-be hacker and your financial data.
After the user enters the required username and password, two-factor authentication also sends a code via text or email that must be entered before access is granted.
3. Carefully consider roles and permissions
A good SaaS financial system allows the administrator to create roles with varying levels of permission to see, create, change, and delete financial data and perform financial tasks.
4. Use Single Sign On (SSO)
With a financial management solution that enables SSO, employees use a single credential that logs them onto multiple integrated business systems at once, saving time without sacrificing security.
5. Set sign-in lockouts
The system should lock out a user if they make repeated unsuccessful attempts to log in and require administrator intervention to reset.
6. Employ inactivity timeouts
Without session timeouts, an employee might remain logged on during their lunch break or overnight, allowing anyone in the building to sit down and access your financial system.
7. Restrict access through IP address filtering
You can allow a user to log on from anywhere, or restrict an account to a specific IP address or set of addresses.
For example, you could limit access to the IP addresses for an employee’s office and home.
8. Periodically review user accounts, audit logs, and security logs
If you see anything suspicious, drill down further and follow up.
If anyone has left the organization, be sure to shut down their access.
9. Conduct phishing training and drills
Studies show you can dramatically lower the odds a phishing attack will get past employees with training and unannounced drills.
There are services you can use for the training if you don’t want to design the curriculum yourself.
Make everyone take part in training—including executives—and never use the results of the drills to shame anyone publicly.
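The following is an added example, not code from the original article or from any product it mentions. It shows, in plain Python, what best practices 5 through 8 look like when implemented: sign-in lockout after repeated failures that only an administrator can clear, an inactivity timeout that expires idle sessions, IP address filtering against an allowlist, and a small audit-log review that flags logins by people who are no longer staff and successes that follow a run of failed attempts. The thresholds, the log line format, the staff roster and every name and address are constructed assumptions.

```python
# Added example: login safeguards and audit-log review for a finance system.
# Thresholds, log format and staff roster are constructed assumptions, not any product's settings.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional

MAX_FAILED_ATTEMPTS = 5                     # assumed policy: lock after five straight failures
INACTIVITY_TIMEOUT = timedelta(minutes=15)  # assumed policy: expire sessions idle for 15 minutes


@dataclass
class Account:
    username: str
    active: bool = True                     # set to False when someone leaves the organization
    allowed_networks: List[str] = field(default_factory=list)  # empty list means "log on from anywhere"
    failed_attempts: int = 0
    locked: bool = False                    # cleared only by admin_unlock()
    last_activity: Optional[datetime] = None


def ip_allowed(account: Account, source_ip: str) -> bool:
    """IP address filtering: any source is accepted when no allowlist is configured."""
    if not account.allowed_networks:
        return True
    addr = ip_address(source_ip)
    return any(addr in ip_network(net) for net in account.allowed_networks)


def attempt_login(account: Account, password_ok: bool, source_ip: str, now: datetime) -> str:
    """Return 'ok', 'disabled', 'locked', 'ip_denied' or 'bad_password'."""
    if not account.active:
        return "disabled"
    if account.locked:
        return "locked"                     # a correct password does not help until an admin resets
    if not ip_allowed(account, source_ip):
        return "ip_denied"
    if not password_ok:
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
            return "locked"
        return "bad_password"
    account.failed_attempts = 0             # success resets the counter and starts a session
    account.last_activity = now
    return "ok"


def session_valid(account: Account, now: datetime) -> bool:
    """Inactivity timeout: a session idle longer than the limit is expired, otherwise refreshed."""
    if account.last_activity is None or now - account.last_activity > INACTIVITY_TIMEOUT:
        account.last_activity = None
        return False
    account.last_activity = now
    return True


def admin_unlock(account: Account) -> None:
    account.locked = False
    account.failed_attempts = 0


# Constructed audit log (one login event per line) and a constructed roster of current staff.
SAMPLE_AUDIT_LOG = """\
2024-03-01T08:55:10 user=alice result=ok ip=203.0.113.5
2024-03-01T09:01:42 user=bob result=bad_password ip=198.51.100.9
2024-03-01T09:01:50 user=bob result=bad_password ip=198.51.100.9
2024-03-01T09:02:03 user=bob result=bad_password ip=198.51.100.9
2024-03-01T09:02:15 user=bob result=bad_password ip=198.51.100.9
2024-03-01T09:02:30 user=bob result=ok ip=198.51.100.9
2024-03-01T13:10:00 user=carol result=ok ip=192.0.2.44
"""
ACTIVE_STAFF = {"alice", "bob"}             # carol has left, but her account was never shut down


def review_audit_log(text: str, active_staff: set, failure_threshold: int = 3) -> List[str]:
    """Flag logins by non-staff users and successes that follow a run of failures from one source."""
    findings: List[str] = []
    failures: dict = {}                     # (user, ip) -> consecutive bad_password count
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, *pairs = line.split()
        e = dict(pair.split("=", 1) for pair in pairs)
        key = (e["user"], e["ip"])
        if e["result"] == "ok" and e["user"] not in active_staff:
            findings.append(f"login by deactivated or unknown user {e['user']} from {e['ip']}")
        if e["result"] == "bad_password":
            failures[key] = failures.get(key, 0) + 1
        elif e["result"] == "ok":
            if failures.get(key, 0) >= failure_threshold:
                findings.append(f"success for {e['user']} from {e['ip']} after {failures[key]} failures")
            failures[key] = 0
    return findings


def lockout_scenario() -> list:
    """Walk one account through lockout, admin reset, IP filtering and session expiry."""
    acct = Account("dana", allowed_networks=["203.0.113.0/24"])
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    results = [attempt_login(acct, False, "203.0.113.7", t0) for _ in range(MAX_FAILED_ATTEMPTS)]
    results.append(attempt_login(acct, True, "203.0.113.7", t0))    # right password, still locked
    admin_unlock(acct)
    results.append(attempt_login(acct, True, "198.51.100.1", t0))   # outside the allowlist
    results.append(attempt_login(acct, True, "203.0.113.7", t0))    # succeeds, session starts
    results.append(session_valid(acct, t0 + timedelta(minutes=10)))  # still active
    results.append(session_valid(acct, t0 + timedelta(minutes=30)))  # 20 idle minutes: expired
    return results
```

Running `lockout_scenario()` walks through the four failed attempts, the fifth that locks the account, the correct password that is still refused, the administrator reset, the login refused from outside the allowlist, the successful login, and the session that is valid ten minutes later but expired twenty minutes after that. `review_audit_log(SAMPLE_AUDIT_LOG, ACTIVE_STAFF)` returns two findings for the constructed log: bob's success after four failures from the same address, and a login by carol, who is no longer on staff; in a real system the second finding is the cue to shut down the departed user's access.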
Are SaaS nonprofit accounting solutions safer than on-premises software?
Your organization’s financial management solution is a core system of record, and it’s imperative to have the strongest possible security protecting it.
For most nonprofit organizations, SaaS solutions offer stronger security than on-premises software hosted on servers and other hardware that you have to maintain internally.
Furthermore, with SaaS solutions, you won’t need to spend capital to build a secure data center or worry about having IT staff to maintain your servers.
Your SaaS provider takes care of security and operates at scale to protect thousands of customers’ data, so they invest more in security than most smaller organizations could afford on their own.
How to gauge a SaaS provider’s strength of security
SaaS solutions usually include lots of good security features, but you will definitely want to evaluate the security protocols of any new SaaS vendor you consider.
A secure SaaS vendor should approach nonprofit data security on multiple fronts, including physical and personnel security, network and infrastructure security, and application security:
- Hardened data centers should offer good physical security measures. For example, the Sage Intacct SOC 2 compliant data centers utilize badge access control, biometrics, man-traps, CCTV cameras, 24×7 security, and strong environmental controls.
- Data segmentation separates your information from other customers’ data.
- Network segmentation increases overall data security and helps slow down cyber attackers, should an incident occur.
- Reliable hardware and infrastructure, including firewalls, servers, and endpoints secured with good procedures for the timely installation of updates and patches.
- Data encryption protects data that is transmitted or stored in the cloud.
- Monitoring keeps track of activity within both production and corporate systems to detect problems and attempted intrusions.
- Backup and Disaster Recovery (BDR) ensures your data survives if the worst occurs. Backups restore your data in the event that your data becomes corrupted. Disaster recovery restores application functionality quickly in the event of a failure.
- Third-party certifications and external audits provide independent verification that a provider delivers good data protection within a highly secure environment. Security standards certification types include SOC 1 and 2, ISAE, PCI DSS, HIPAA, Privacy Shield/GDPR, and others.
- Service Level Agreements (SLAs) should provide assurance that your SaaS financial management solution is available to your organization 24 hours a day, seven days a week, 365 days a year. SLAs should be part of your contract and spell out how you would receive your data back if you were to terminate your SaaS subscription.
Good cyber security is a shared responsibility
Ultimately, your organization and your SaaS provider are partners in the security of your financial and operational data.
The most secure SaaS solution in the world is no match for sloppy security practices by your workforce.
There’s a role for the nonprofit finance leader to play when it comes to ensuring financial data security.
First, take advantage of all of the administrator-level security features available within your financial management solution.
Second, provide leadership in the form of training, resources, and best practices for employees and contractors.
As your organization increasingly relies on cloud SaaS solutions, rather than on-premises software, it’s natural to ask: “Just how safe is our financial data?”
Secure SaaS providers should demonstrate commitment to your data security through external audits, third-party certifications, service level agreements, and even a guarantee.
To learn more, download the Nonprofit Cyber Security: How SaaS Solutions Keep Financial Data Safe e-book below.