Internet Security and Mobile Security: 10 steps to peace of mind for nonprofits

Article
04.23.2025

Guest author: Allan Jacks, vCISO, Morefield Communications

Nonprofits juggling limited resources know that internet security is essential, but many neglect it out of fear, intimidation, or simply exhaustion at the daunting and seemingly endless task.

The following are 10 tips to help your organization stay safe.

1. Just because you don’t look, it doesn’t mean everything is fine

In the age of heightened risks, fewer companies are looking into their systems, and those that do aren’t looking deeply enough. Disregarding what’s lurking in servers and software instills a false sense of security and minimizes the urgency to take action.

The first step to stronger security is working up the nerve to look. Chances are good that employees bring “anything and everything” to company systems, ranging from pet photos to Xbox games.

2. Eat the elephant one bite at a time

There is room for improvement in every company, but where do you begin?

Start with assessing risk and determining your highest priority. Ask: “If something happens today, what’s my biggest exposure?” For example, consider the impact on your operations if your volunteer management system were to go offline.

Any movement in the right direction is progress. Remember that the effort could take years, and keeping it on target to minimize risk will involve HR, risk management, the CFO, and the CEO.

3. Get to the why

Many people view security as a matter of checking compliance boxes, but regulations and standards are there for a reason. While an IT manager can restore disrupted systems and inaccessible documents, knowing why those systems need anti-virus protections and backup files can help prevent significant disruption when a disaster occurs.

4. Think before you click: Lessons from ILOVEYOU

The ILOVEYOU computer worm spread via email in May 2000, targeting company emails. It arrived as an attachment that, when opened, overwrote files and sent itself to all contacts in the email address book, resulting in widespread damage.

In one instance, an IT manager, intrigued by a message that appeared to come from a longstanding colleague, was among those who opened the email and left the company exposed to compromise.

Make sure employees know to stop and think before clicking on a mysterious link. If you’re unsure, call the sender first to make sure it’s legitimate.

5. Just because you can, doesn’t mean you should

Effective risk management requires proper delegation and prioritization of tasks. For example, if an employee is promoted from IT staff to management but continues performing their old tasks, it hinders the organization’s security efforts because they neglect their new role. Proper delegation ensures that everyone focuses on their specific duties, which is essential for minimizing risks and enhancing security.

6. Nobody bares their britches in a Zoom meeting

Virtual meetings are utilitarian but not revelatory. Participants aren’t likely to openly disclose their challenges and mistakes. It’s essential to get into the field and talk to people directly. If something has happened, it’s best to discover it sooner rather than later.

7. Someone always assumes the risk

Organizations have a choice to mitigate or transfer risk. Someone within the organization or on the board makes the decision about what level of risk is acceptable.

Mitigation may involve diligent use of strong passwords, allowing the organization to focus on higher-level security measures. Transferring risk could entail moving non-personally identifiable data onto the cloud.

Nonprofits face risks particularly when handling sensitive donor information or financial data. It is essential to implement robust security measures, even with limited resources.

Documenting risk assumption ensures accountability, regulatory compliance, and protects a nonprofit's reputation. It promotes transparency and trust among stakeholders and donors.

8. There is no magic bullet

In internet and mobile security, every day is Zero Day. Today's policies, processes, documents, and standards won’t protect against tomorrow’s threats. Someone will click a link or install a piece of software that is openly accessible, creating risk. As a fundamental step, use password managers with “break glass” functions to create and safely save random passwords while retaining retrieval capabilities in case an emergency renders someone out of action.

9. Practice makes perfect

Have an incident response plan in place and test it with tabletop exercises. More importantly, document the plan for access when needed.

For example, test your response plan in this scenario: An IT manager spills coffee on the server, electrocuting himself and disabling the server. Can your team reference your response plan to identify the immediate steps to ensure safety, restore operations, and document the incident for future reference?

Tabletop exercises like this are valuable reminders that having a knowledgeable staff is good, but key information needs to be accessible and documented.

10. Take a logical, methodical approach

In business, a system crash is disruptive but, except for certain organizations, not life-threatening. Take a logical approach to IT security and edit the worklist to a manageable level. Be proactive rather than reactive. Plan, document, and improve.

About the Author

Guest author Allan Jacks is Virtual Chief Information Security Officer for Morefield Communications. He has worked in information technology and security for over 30 years and has a background in compliance. Allan can be reached at allan.jacks@morefield.com.