Search blog

Why nonprofit leaders need to invest in cybersecurity training for their employees

Computer code with the words Data Breach superimposed over it

Although nonprofits may feel they’ve taken the necessary precautions to protect their online privacy, many still find themselves facing unique risks, with limited defense mechanisms in place to prevent cyberattacks, such as cybersecurity training.

Most nonprofits have not run even a single vulnerability assessment to evaluate their potential risk exposure. This type of oversight can make nonprofits an easy target for hackers.

Recently, Blackbaud, one of the world’s largest providers of finance and technology for nonprofits, had to pay a ransom to have cybercriminals destroy sensitive data they had stolen.

In this article, we’ll discuss the crucial role cybersecurity training for nonprofit employees plays in preventing such occurrences, along with specific tips to improve privacy and reduce security vulnerabilities.

Cybersecurity for nonprofits: why is it needed?

A nonprofit needs to have an agile security framework that is properly embedded into the technology and processes used by employees and end users. One survey shows, however, that only 42 percent of organizations have implemented digital skills training initiatives to educate employees on cybersecurity. This failure can lead to serious repercussions, including operation and service disruptions and increased exposure to liability.

Prioritizing cybersecurity can help a nonprofit add value to its brand and strengthen donors’ trust.

What are the biggest forms of cybersecurity risks nonprofits face?

The following are the most common cyberattack outcomes nonprofits face:

Data breach

A data breach refers to unauthorized access to proprietary or personally identifiable data through malicious insider activity or third-party attacks.

Because hackers don’t discriminate between for-profit and nonprofit organizations, nonprofits should provide cybersecurity training to all employees and subcontractors to ensure they understand the importance of data protection. Organizations should also carry out a thorough assessment of network security. No matter the size of a nonprofit, data breaches can be devastating in terms of reputation damage and regulatory fees.


Downtime is when a computer is unavailable for use, and is a prime time for hackers to make their move. Hackers launch cyberattacks to bring down systems with the intent of compromising the targeted organization’s mission.

Downtime outcomes don’t always have to be targeted, though—an employee might accidentally introduce a malware-infected device to the network that could shut down critical systems.


Ransomware, as the name suggests, is used to elicit ransom payments through blackmail. This form of malware shuts down an organization’s system until the hackers receive payment. Once the payment is made, the hackers will supposedly delete any data they copied from the organization’s database and provide access to a key that will restore system access.

As mentioned above, Blackbaud fell prey to this form of cyberattack, where hackers were able to extract a copy of a subset of data from the organization’s self-hosted environment and hold it for ransom.

Understanding cyberattack delivery methods

Most cyberattacks fall under one of the three categories described above, but there are several other delivery methods through which hackers can attack nonprofits:

Phishing attacks

Phishing, as well as spear phishing attacks, spoof trusted sources of content in a bid to extract sensitive information. For instance, nonprofit human resources staff might receive a spoofed email from the organization head requesting employee W-2s. This is also commonly called email phishing.

Denial of service (DoS) and distributed denial of service (DDoS) attacks

DDoS attacks attempt to overwhelm a system’s resources to take away its ability to function. 

Malware attack

Malware refers to software installed in your system without your consent and knowledge. These malicious attacks may affect a single place or spread to other machines or applications (self-propagation).

SQL injection attack

Hackers use a SQL query to the database that drives a website to gain access without authorization to data on the server.

Useful tips to educate employees on cybersecurity practices

Invest in employee training

Cybersecurity maintenance is a continuous job. New attacks can develop at any time, so your efforts to curb security risks cannot be limited to annual cybersecurity training.

Network devices should be updated yearly, and employees must be updated regularly about new developments in organizational security.

Educate your employees about looming dangers and their possible solutions, emphasizing a wide variety of approaches. Make sure your employees recognize the importance of safe security measures. Focus on building a viable security and training structure that helps individuals identify threats.

Train employees how to respond to potential cyberattacks

Create a clear channel for your staff to alert your nonprofit’s administrator about any suspicious emails or unusual activity—even if they turn out to be false alarms. The channel should also be used for reporting lost devices.

In case a cyberattack or data breach does occur, alert the entire organization immediately. Make sure you have an internal communications plan as well as a good PR strategy in place to be prepared for the worst, as well.

Encourage a “safe browsing” culture

Try to create safe browsing awareness in your organization, cautioning your staff to be wary of suspicious attachments and links from unknown sources when they use company devices.

You can also make it a requirement that all employees utilize a virtual private network (VPN) to encrypt their data and traffic when connecting to the company network. Most popular consumer VPNs are fully compatible with common operating systems and act as a good first layer of defense against cybercriminals. Whether they’re replying to a phishing email, playing a video attachment, or browsing the internet, your employees and volunteers need to be mindful of their activities.

Conduct “live fire” practice attacks

Create opportunities for your employees to put their newly acquired cybersecurity skills into practice by letting them experiment in a realistic environment. After all, you can’t really expect your team to be fully prepared if they’ve never had to put these concepts into action.

Test your organization with a “live fire” simulation. Although this exercise can be a little expensive, it gives your team a chance to fully absorb the principles of recognizing a social engineering or phishing attack. Try to schedule this simulation during the course of a busy workday to make the situation as realistic as possible.

Concluding thoughts

The increased time, energy, and resources spent dealing with a major cybersecurity breach can lead to general organizational instability

Assuming your nonprofit organization won’t register on hackers’ radar is wishful thinking. The only way to forestall severe consequences is to prevent cyberattacks from happening in the first place. With your data and IT systems well protected, you can then get back to focusing on serving your nonprofit’s mission.


Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.