Why Cybersecurity Matters for Nonprofits and 6 Ways to Secure Fundraising
Like any for-profit company, nonprofits aren’t immune to the threat of being compromised. Data breaches are frequent across all industries, with a cyberattack occurring every 39 seconds.
Security is essential on any platform, especially when dealing with payment data. A technology stack to protect your nonprofit and its loyal donors is non-negotiable. Today, we’re covering why proactive security measures are critical to sustaining your donor’s trust. Read on to discover a few ways you can improve your cybersecurity hygiene to stay ahead of any potential risk.
What Is Cybersecurity?
Cybersecurity is the practice of protecting your systems, networks, and programs from digital attacks. When looking at cybersecurity through the lens of a nonprofit, it expands beyond just protecting your systems to safeguard the people who support your organization.
There are several different types of cyberattacks, but three of the most common include:
- Phishing Attacks: Stealing sensitive information by sending fraudulent emails that resemble emails from trusted sources
- Denial of Service (DoS) Attacks: Triggering a crash to make a network inaccessible to its intended users
- Malware Attacks: Using malware software to gain unauthorized access or to cause damage to a computer
The information you’ll learn about in this post will help you protect your nonprofit against each of these types of attacks under the larger umbrella of cybersecurity.
Why Cybersecurity Matters for Your Organization
- 113 nonprofit data breaches in 2021
- 17% year-over-year increase in data breaches from 2020 to 2021
- $206 billion is estimated to be lost to online payment fraud between 2021 and 2025
- $180 per lost or stolen Personal Identifiable Information (PII) record
- 63% of Give.org’s 2021 Donor Trust Report respondents rated the importance of trusting a charity as a 9 out of 10.
The Long-Term Value
Security and stability lead to deeper donor trust. When you think ahead to retention, donor confidence also impacts their likelihood of returning and giving again. Preventing data breaches reduces the risk to your nonprofit’s reputation and the costs associated with a data breach.
Among the different costs of a breach in 2021, the lost business represented the largest share at an average total cost of $1.59 million. Keep reliability at the forefront of every business decision and consider how you can continue taking the necessary steps to uphold the highest security standards.
6 Actions to Protect Your Nonprofit Organization From Security Threats
There are a number of tactics your organization can take to ensure that it is following security best practices. Here are a few things you can think about to get started:
1. Be wary of unfamiliar emails or texts that come to your personal or work devices
This is one of the most common ways that phishing attacks occur. An attacker pretends to be an executive or founder of your organization and asks for personal information such as your credit card, social security number, password, or protected company data. One way to check if this is a hacker is to look at the sender’s email address. Often the email address will have the same prefix but not the same domain name as your organization.
2. Do not click unknown links or download attachments in any personal or work communications
Clicking on links or downloading attachments in emails and text messages can lead to malware being downloaded on your computer or phone. One way to check if a link is trustworthy is to hover over the link. You’ll see the full link pop up in the left corner of your browser. If the website’s domain does not match that of your organization or the company that is supposedly reaching out to you, do not click the link.
3. Flag suspicious activity or phishing attempts that appear to be risky
Send suspicious emails to your IT team. If you do not have an IT team, you can report the email as a phishing attack to your email service provider. For example, with Gmail you can mark the email as spam which notifies Google that this is unwanted email. You can also go a step further and report the phishing email to Google.
4. Update your password on any platforms you use, particularly ones that store sensitive information
Do you have the same password for all of your work accounts? It’s time to update it. It can be challenging to remember passwords for all of your accounts. Try a password management app or implement single-sign-on for a more secure experience.
5. Use multi-factor authentication and single-sign-on tools
Multi-factor authentication (MFA) and single-sign-on (SSO) are great security tools. MFA offers another layer of security outside of a password by requiring two or more verification methods before the user can log into an account. If a team member’s password is compromised, a hacker still cannot access that user’s account without the other verification methods.
SSO is an authentication tool that allows users to sign onto multiple applications with only one set of credentials. Typically, single-sign-on software requires users to update their passwords at a regular cadence with much more robust password qualifications. When SSO is paired with MFA, you see the best of both worlds when it comes to password security.
6. Ensure your fundraising platform is following security best practices
While there are a number of actions your organization can take to improve security, your fundraising software should also prioritize and be proactive in their security measures. We deep dive into those platform security considerations below.
6 Cybersecurity Considerations for Your Fundraising Platform
Security should be a key consideration in your fundraising platform evaluation process. Here are six questions to ask when deciding which platform is best suited to protect your organization and its donors.
1. Does my fundraising platform have a data security team?
Your days are busy at a nonprofit. It’s essential that you find a platform that serves as an extension of your team to help get everything done.
When you evaluate different fundraising software providers, determine whether they have a department focused solely on platform security and policies. Since it’s unrealistic to monitor your platform 24/7, finding the right people and tools to serve as your eyes and ears can provide much-needed peace of mind.
We Practice What We Preach
Classy and GoFundMe have Information Security and Privacy as well as Risk and Compliance teams in place. We prioritize having the technology and industry expertise to protect our global nonprofit community proactively. We know that supporting our customers behind the scenes allows them to focus on what matters most—their mission.
2. What governance policies and security training does the platform have?
Promising to respond and rebuild in the case of a data breach is not enough to gain donors’ trust. Find a platform with proactive policies to protect your organization’s information at all costs.
Ask about the platform’s level of compliance and explore its coding principles to ensure each platform feature is grounded in security. In addition, make sure the platform’s team is receiving regular training to remain up to date on the most effective security procedures.
We Practice What We Preach
Independent auditors evaluated Classy and GoFundMe systems, which passed the highest security protocols set by PCI DDS. In addition, Classy roots all of its development decisions in the Open Web Application Security Project (OWASP) Top 10 Principles and requires its entire staff to complete security training annually. Developers are required to undergo recurrent secure coding training as well.
3. How does security influence the platform’s development?
The infrastructure on which a fundraising platform is hosted informs the security level around your organization data and your donors’ data. You’ll want to look at the fundraising platform’s architecture and ask about it in conversations with any vendors you’re considering.
When you look at your fundraising platform’s architecture, consider if it’s hosted on-premise or in the cloud. If it’s hosted on the cloud, you’re benefiting from a Software-as-a-Service (SaaS) environment, which affords your nonprofit the latest technology without the need to worry about upgrades.
We Practice What We Preach
Classy uses a secure cloud architecture and multiple security measures to protect sensitive data. These include:
- AWS Virtual Private Cloud
- PCI Level 1 Certification
- 24x7x365 Security Scanning and Threat Monitoring
- Network Level Vulnerability Scanning
- Annual Penetration Testing
- WAF and DDOS Protection
We also build security into the foundation of all our products and services. This includes load balancer-based compute isolations, role-based access control, secure logging, static and dynamic code analysis, and OWASP secure coding principles. Using tokenization, encryption, and key management, Classy never stores credit card information and always protects other sensitive data.
4. How often is the platform scanned and monitored for potential issues?
When it comes to sensitive data, you’ll always want to know how it’s being stored, who can access it, and the protocols in place to ensure there are no leaks. A breach can happen quickly, so you’ll want to be sure your fundraising platform is monitoring for issues constantly.
We Practice What We Preach
Classy uses 24/7/365 monitoring leveraging IDS and IPS, network level scanning, and WAF (Web application firewall). We also know that 30% of our platform’s donation volume occurs between Giving Tuesday and New Year’s Eve. We take specific steps to deliver a secure, stable, and reliable giving platform for all of our customers.
We maintain reliability, readiness, and security throughout the year on the Classy platform, but take the following preemptive measures heading into the peak giving season.
- Completed annual audit for PCI Level 1 Certification for the highest accuracy and readiness
- Partner with a team of AWS Solutions Engineers who maintain an all-day, live mission control room to monitor platform activity in real-time on Giving Tuesday and other major giving days throughout the year
- Preemptive scaling of our infrastructure for Giving Tuesday to add servers to our cluster, which helps to support our already best-in-class infrastructure security and highly available architecture with automatic scale protocols in place
- Proactive pause on product development between October and January to recognize the critical period for fundraising and ensure all products and features work as expected
5. Are there any audits in place to ensure continued compliance?
It’s critical to consistently re-evaluate your protocols to ensure they meet the highest standards. That starts with understanding how your fundraising platform addresses audits and stays up to date with the latest compliance measures as the world of security technology continues to evolve.
We Practice What We Preach
By putting in place and adhering to procedures and standards, Classy and GoFundMe ensure our platform and systems keep the data of our partner organizations safe and secure. We conduct regular audit reviews that adhere to the OWASP Top 10 Principles when developing and implementing features and security controls. Our development and engineering teams also undergo a recurrent secure coding training.
In the months leading up to Giving Tuesday, Classy conducts a well-architected audit of best practices, in partnership with AWS and Cloudflare.
6. What technology does the fundraising platform use to ensure secure payments?
Security on any platform is essential, especially when dealing with PII and payment data. Donors want to know that their payment information is secure, regardless of which method they find easiest to donate through. As more nonprofits diversify their payment options for supporters, it’s essential to regularly ask how vendors transfer that data and emphasize security.
We Practice What We Preach
ClassyPay offers the secure and trusted payment options of, PayPal, Venmo, and cryptocurrency through Coinbase. We select best-in-class payment processors to integrate into our payment solution with a thorough evaluation of their security measures. Stripe Radar implements blocking and review rules for fraud protection, and the Classy team regularly audits suspicious and fraudulent activity. We also prioritize a timely response to any incidents, both internally and externally.
Raise More, Do More With Secure Software
Maintain trust with your donors and feel confident in the stability and reliability of your platform. Whether your organization is evaluating new technology or exploring proactive ways to uplevel your policies, take the proper steps to protect your community and safeguard its mission. We’d love to help you get started with more information about the Classy and GoFundMe policies and our customer support team to answer any other questions that come to mind.
Keep Your Fundraising Secure
Subscribe to the Classy Blog
Get the latest fundraising tips, trends, and ideas in your inbox.
Thank you for subscribing
You signed up for emails from Classy