Fortifying Nonprofits

Yasser Hassan, Managing Director of MENAT at AWS, lists out the top 5 tips for nonprofits to enhance cybersecurity.

In an increasingly digital world, nonprofit organisations are facing more sophisticated cybersecurity threats, and these institutions must rely on collecting and maintaining sensitive data to effectively carry out their core missions. Safeguarding this data must remain a top priority as nonprofits continue to digitally transform and bring new innovations and capabilities to their organizations, donors, and beneficiaries.

A 2023 research study by the CyberPeace Institute in 2023 found although 41% of nonprofits in Geneva have been the victim of a cyberattack in the last three years, 56% of organizations haven’t established a budget for cybersecurity within their organization. In the United Kingdom, DCMS’s Cyber Security Breaches Survey for 2022 found that 30% of UK charities had identified a cyber-attack in the prior 12 months. Of those attacks, 38% had an impact on the service provided by the organisation, with 19% “resulting in a negative outcome.”  Any loss or theft of sensitive or financial data could result in a nonprofit being liable for the cyber breach, resulting in significant financial and reputational damage. So, what are the initial steps that nonprofits should consider to help mitigate these threats and enhancing their day-to-day cybersecurity?

Below are five top tips from AWS for nonprofit organisations to follow in enhancing their day-to-day cybersecurity:

1. Create a documented security policy – To help ensure all employees are on the same page and have a clear reference point for any queries, the best starting point for nonprofits is to draw up a simple cybersecurity policy. This should clearly outline the expectations and duty of employees to adhere to the collective standards required to enhance cybersecurity. The policy should be clearly communicated throughout an organisation and made easily accessible across internal systems. The policy should include the following four tips as actions for all employees.

2. Require unique credentials for all login requirements – This is something we all take for granted in our personal lives but is imperative in keeping potential bad actors at bay, particularly when dealing with sensitive personal or financial data. All employees must be required to use unique credentials for all work-related login functions with set rules that help ensure that passwords are strong, both in length and complexity. This means bad actors cannot unlock multiple doors across an organisation through accessing one set of credentials.

3. Tighten admin rights, permissions, and privileges – It is obviously important to have the necessary IT system rights in place for your employees to work effectively. Organisations must remember, however, that granting many rights or privileges to many employees increases cybersecurity risk. Best practice is to ensure that all employees only receive privileges that are necessary for their business role. To start, organisations should audit existing privileges, establish a system for documenting any new permissions and perform regular access reviews. Charity and nonprofits can use cloud services such as IAM and Cognito to easily manage and monitor access rights.

4. Back up your systems on the cloud – Using a cloud backup is a crucial step towards making sure data across an organisation is secured, recoverable, and easily accessible should bad actors compromise locally-held information. Cloud backups provide greater resiliency, so that that data cannot be deleted easily by bad actors. AWS Backup provides cloud-native back up services for nonprofit organisations’ key data stores, such as buckets, volumes, databases, and file systems, across AWS services. Cloud backup is a necessity for all nonprofit organizations.

5. Foster a blame-free culture – Underpinning all these recommendations is culture. An organisation’s cybersecurity culture must be driven by inclusion and safe space, avoiding any blame on the part of employees when things go wrong. Phish-testing and more traditional security training methods are increasingly outdated, ineffective, and potentially problematic for employee relations and morale. Organisations should concentrate on driving greater awareness and improving behavioural training to encourage positive changes among their employee base and help enhance collective cybersecurity.

Strong cybersecurity is no longer a “nice to have” for nonprofit organisations. Looking ahead, The BCI’s Cyber Resilience Report 2023 found that 74% of respondents across all sectors consider a ransomware attack to be within the top threats to their organisation over the next five years.  Organizations can help mitigate many of these risks by following the five guiding principles above. Putting these into action, in combination with strong leadership buy-in for cybersecurity investment and a well-understood, widely adopted “security culture” among employees will help any nonprofit enhance its cybersecurity capabilities against future threats.

“If you really want to drive change, look to your leadership. Cybersecurity isn’t just about technology: it starts at the top,” says Orlando Scott-Cowley, Public Sector Security Lead, EMEA, AWS. “Leadership must own and foster a culture which supports cybersecurity.”