Security Foundations For Not-For-Profits

Understand common cyber attacks, store sensitive data and take into account privacy considerations to improve your organization’s cyber security.

Cyber attacks and breaches are ubiquitous, and not-for-profit organizations face these risks as well. In this blog, we will:

  • Identify some of the most common cyber attacks for not-for-profit organizations;

  • Compare cloud security software and on-premises security software so you can decide which type suits your organization better; and

  • Provide guidance on how to start strengthening your organization’s security.

Common cyber attacks for not-for-profit organizations

One out of seven organizations experiences a significant data breach, and a breach can be crippling to a small organization.

Data breaches and data misuse have both external and internal causes. Examples of a data breach or data misuse include accidentally emailing all contacts on your distribution list and losing donor data.

Ransomware is unlike a data breach. When ransomware hits an organization, it can bring operations to a standstill and has the potential to put the organization into a complete lockdown. Ransomware attacks hit organizations small and large. The cost of unlocking systems or recovering from ransomware can be significant, ranging from hundreds to millions of dollars. These attacks affect not only the organization itself but also its customers, donors and brand image.

Business email fraud is prolific. There are different types of business email fraud, such as phishing scams. Attackers may also impersonate an executive of the organization to push through an illegitimate financial transaction. The scale and means of these attacks vary. To plan this type of attack, criminals may break into your email accounts and watch for a long period of time for an opportunity to redirect a transfer to their own account, which can be devastating for organizations with tight budgets.

Does your organization collect or store sensitive data? Do you know what regulations you need to follow if you store sensitive data?

First off, sensitive data is any data that goes beyond phonebook data: names, addresses, personal contact information, donor information, health care information and other private or confidential information.

The following privacy regulatory frameworks apply to not-for-profit organizations, depending on whether the organization is federally or provincially regulated:

  • PIPEDA (federal) / PIPA (provincial) – regulates the access to, security of and collection of personal information in Canada

  • GDPR – regulates the collection of data about EU citizens

In every organization, data is valuable when you use it within your operations to serve your constituents better. But if you collect data unnecessarily, that creates a risk overhang you have to carry going forward. Therefore, one of the best practices is to collect and hold as little data as possible.

Privacy considerations

To collect and store data in a healthy and consistent manner, here is a good frame of reference for most organizations to consider.

[Image: Not-for-profit privacy considerations]

[Image: Cloud vs desktop accounting software comparison]

Companies are becoming more active in adopting cloud technologies to achieve a more secure environment.

Compare and understand the differences between cloud and on-premises software before deciding which type suits your organization better.

How can you improve your organization’s cyber security?

  • People and Culture

Security is a journey, and every organization is at a different spot on that journey. Ultimately, the success of security in your organization comes down to culture. Organizations with a strong culture of privacy and security, which understand their obligations and the ideas behind security, tend to do well. Therefore, building that culture within your team benefits security.

Educating and training employees as well as volunteers ensures that everyone involved in the organization is aware of the regulations and policies around security and of which information they are permitted to access. can support you with this initiative:

Have control over the information that staff and volunteers can access. This allows them to complete their job, and to do so effectively, without access to overwhelming amounts of information.

Know what your organization’s sensitive data is and where it is kept. Understanding your data across the organization is important for putting the right controls in place.

  • Technical Controls

Whether it is a cloud backup or an offline backup, an effective data backup allows you to recover quickly and efficiently should a cyber incident happen.

Next-generation anti-malware software does more than keep your devices free from ransomware; it also watches for key loggers and other threats to your security. Next-gen anti-malware takes traditional antivirus software to a more advanced level of protection.

An increasing number of companies are cloud-centric. If the same passwords and email addresses are used across multiple accounts and services, you run the risk of exposing your credentials and information: once one account is compromised, cyber criminals can easily reuse the same credentials to extract valuable data from the other accounts and services you use online. Make sure to use unique, strong passwords and store them in a password manager such as 1Password or LastPass.

Consider using an authenticator application such as Authy, Google Authenticator or LastPass Authenticator instead of the SMS-based option. SMS-based authentication is relatively easy to attack, and cyber criminals could take over your phone number for other purposes. Tip: make sure you remember the password for your authenticator so that, if your phone is lost, you can still log out of your authenticator app.

Set patches to install automatically to strengthen your overall security environment.

Keep full-device encryption turned on. Should you lose your device, its data will not be accessible to whoever finds or steals it. This practice significantly reduces the impact of the loss and mitigates the risk of a data breach from your devices.

About Kobalt.io

Kobalt.io assesses, develops and runs cyber security programs for small and mid-sized organizations. We provide security operations and advisory services to your organization to empower your ability to embrace cloud infrastructure, protect data stored in critical SaaS applications and your corporate environments, and ensure confidence in your security visibility.
