Cybersecurity Strategies for Nonprofit Websites
Originally published on June 28, 2023 in the NTEN Blog
Keeping a nonprofit organization's website secure is critical. Cyberattacks can cause significant damage to an organization, including disruption to its operations, data breaches, financial loss, and damage to its reputation.
Despite these risks, organizations in the nonprofit sector tend not to be at the forefront of devoting significant effort or resources to cybersecurity. According to NTEN’s Cybersecurity for Nonprofits report, 59% of respondents to an industry-wide survey of nonprofits did not provide training on cybersecurity for their staff. In addition, 70% of charities do not perform comprehensive vulnerability assessments to determine cybersecurity risks.
Nonprofit web managers, working with an organization’s IT department, can play a significant role in promoting cybersecurity in their organizations. As stewards of the website and online properties, web managers are uniquely positioned to advocate and take a leading role in protecting their organizations from cyberattacks and mitigating cybersecurity risks.
Eight cybersecurity strategies
Following are eight cybersecurity measures nonprofit web managers can adopt to help protect their websites and stay ahead of new threats. The first set of strategies involves process and training that, when adopted, can go a long way to mitigate risks and vulnerabilities that come with human error and lack of cybersecurity knowledge. The second set of technical strategies can be implemented with the help of your organization’s IT department and involves patching up and closing vulnerabilities in your systems and infrastructure.
Non-technical
Promote a strong password culture. Passwords should be complex and difficult to figure out. Many guidelines say they should be at least 12 characters long and include a mix of uppercase and lowercase letters, numbers, and symbols. In addition, using a password management tool can help to generate, store, and secure passwords.
Train employees on cybersecurity. Educate staff about risks and vulnerabilities. Give people the ability to identify potential security threats when working online and with computer systems.
Conduct regular security audits. Security audits identify and evaluate an organization's strengths and weaknesses in protecting itself from cyberattacks. They identify gaps in an organization's defenses and ensure appropriate steps are taken to mitigate those risks.
Limit user access. Grant users permission to read, write or execute only the files or resources necessary to do their jobs. This principle is also known as the access control principle or the principle of minimal privilege.
Technical
Use SSL/TLS to encrypt data transmitted between your website and your users' browsers. This prevents attackers from viewing or tampering with data exchanged between two nodes.
Use a web application firewall (WAF) to filter and monitor HTTP traffic between a web application and the Internet. A WAF protects against cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection attacks.
Back up your website. Website data needs to be protected by backup software so that web managers can quickly restore the website in case something goes wrong.
Keep software up-to-date. Software used on your website, including the content management system, modules, and plugins, should continually be updated with the latest security patches.
Investing in cybersecurity goes a long way
Investing time, training, and resources and developing new cybersecurity processes and procedures can go a long way to protect nonprofit websites from most cyberattack threats. Web managers are in a prime position to take a leading role in organizations to advocate for these measures to ensure their organization is protected and taking a proactive approach to cybersecurity.
As a final note, cybersecurity is an ongoing process rather than something you do once and are done with. Organizations should regularly review and update security measures to avoid new threats.
Learn more
Download the 2023 Website Security for Nonprofits guide for help protecting your website from attacks.