Cybersecurity, as you know, has become a hot topic for organizations across a variety of industries. In particular, not-for-profit (NFP) organizations have been impacted by cybersecurity in a major way in recent years.

According to Community IT, roughly two-thirds of cyber attacks target small or medium-sized businesses (including not-for-profits), in an attempt to take advantage of a sector that often has more exposure than other industries. Not-for-profits are particularly vulnerable considering that 56% have not implemented multifactor authentication, 59% do not yet provide regular cybersecurity training to their staff, and 70% do not perform vulnerability scanning. With this in mind, now is the time for NFP organizations to proactively address the massive threat that cybersecurity presents.

The statistics surrounding ransomware are equally alarming. Ransomware attacks have almost doubled since last year [1], and malicious emails are up 600%, largely due to the pandemic [2]. As for the average ransomware demand, attackers are now asking for more than $1 million, on average [3].

So as the statistics grow and the threats multiply – it’s not just cyber criminals anymore, by the way; it’s also insiders, hacktivists, terrorists, nation states, etc. – it is critical that organizations’ cyber defense systems evolve as well, in order to keep pace.

Perhaps the biggest thing to remember is that cybersecurity is everyone’s responsibility. An organization’s IT and cybersecurity teams should be active partners in the delivery of services. The notion that cyber is an IT issue has evolved. Cyber, in reality, is a business risk. As in, it impacts the entire business. And thus, you have to manage security across the entire organization. One of the ways to accomplish that is to engage your IT and cybersecurity teams (or service providers if you've outsourced it) as a partner in how you deliver those services.

Our No. 1 cybersecurity best practice is to take a risk-based approach. This can be accomplished in the following three steps: 

  1. Take an inventory of your business assets (hardware, software, data, locations, people and processes) and identify the criticality of each asset. 
  2. Identify the risks associated with your business and the assets that support your business (e.g., the risk of an insider stealing trade secrets, or of a hacker stealing and selling the personal information of your employees and customers). 
  3. Prioritize your cybersecurity investments to align with the risks you have identified and the criticality of the business asset.  

Additionally, it is important to be aware of who you do business with. You should perform due diligence on all third-party vendors and suppliers and perform risk assessments on them. Don’t just ask yourself, “Does this vendor perform the services we need at the right price?” Also ask: “Is this vendor trustworthy?” 

When it comes to new employees, we recommend starting cybersecurity training as part of the onboarding process. From there, security awareness training should be ongoing, not just one-and-done. Sometimes the best way to test your employees is through mock phishing campaigns, which test whether employees have understood and retained the training they’ve received.  

Finally, do not forget to evaluate your own controls and identify gaps in your security system. Are you meeting control standards (e.g., NIST CSF, NIST 800-53, etc.)? Are you reviewing access management and patch management policies, processes and controls? And are you testing for vulnerabilities and penetration points? 

Another major risk to NFPs: Data privacy

Let’s begin with a couple of definitions to make sure we’re all on the same page. 

Data privacy means ensuring that personal data processing is done fairly, lawfully, transparently and in accordance with the potential negative impact that data could have upon the individual if that data were to be exposed.  

Personal data, meanwhile, is any information that relates to an identified or identifiable living individual, either by itself or combined with other pieces of data. When the personal data relates to an individual’s fundamental rights and freedoms, then it should be considered "sensitive" and therefore requires a higher level of protection.

Examples of sensitive personal data include: 

  • Biometric 
  • Health and genetic 
  • Cultural (e.g., race, ethnicity) 
  • Social and political  
  • Criminal  
  • Financial 
  • Data relating to minors

Data privacy is particularly important for not-for-profit organizations. After all, privacy is all about people, and NFPs often process people’s sensitive personal data. Additionally, NFPs are generally viewed as softer, easier targets by hackers and other malicious actors.

All of this stresses the importance of not-for-profits being candid about the ways in which they are storing and using personal data (otherwise known as “processing”). Transparency is a key element in establishing trust – and trust is critically important for NFP organizations.

Fortunately, there are a lot of best practices that not-for-profit organizations can adopt to mitigate their data privacy risk. With that in mind, the first key is to take a risk-based approach to data privacy. That includes taking inventory of your data, understanding the potential negative impacts, identifying the associated risks and prioritizing data privacy efforts to align with those risks.

We can break it down into nine main categories: governance, data mapping, data classification, a data privacy framework, privacy principles, policies and procedures, training and awareness, data processing agreements, and a privacy program.

The keys from a governance standpoint are to formally identify an individual or team of individuals to lead data privacy and provide them with proper resources and expertise. In terms of data mapping, you need to know what data you have as an organization within the framework of the “5 Ws” – whose data it is, what it is comprised of, where it came from, when we collected it and why we have it (and, in addition, how we are using and protecting it). And regarding data classification, you need to establish a clear, consistent and appropriate data classification schema that includes both personal and sensitive personal data. Properly classifying data is an essential step in ensuring personal data is properly protected; remember, personal data must be protected in accordance with its potential negative impact.

Additionally, it is important to identify a data privacy framework, choosing one that’s appropriate for your organization based on regulatory requirements or expertise. You also want to establish a set of privacy principles and create appropriate policies, processes and procedures based on those principles. Finally, from a training and awareness standpoint, train your staff on data privacy leading practices and keep them informed on the organization’s privacy efforts. 

Data processing agreements are another area that can be critical to NFP organizations. Not-for-profits need to put appropriate contracts in place with organizations with whom they share personal data. These agreements typically require that the vendors only use the data in accordance with the terms of the contract, protect the data accordingly, do not share it with others, and delete it at the conclusion of the contract. 

Lastly, every organization should consider establishing a privacy program – a living, breathing, ever-changing set of guidelines and procedures to ensure personal data is processed fairly, lawfully, transparently and in accordance with its potential negative impact. Remember, just like cybersecurity, data privacy must be baked into the organization’s day-to-day operations for it to be effective.
As you may have noticed, there are a lot of similarities between cybersecurity and data privacy, as summarized below. Not-for-profit organizations not only need to be aware of each, but they need to be taking active steps – or, better yet, proactive steps – to address these risks in advance of a problem presenting itself.  

Of course, Baker Tilly’s not-for-profit specialists are always available to answer questions surrounding cybersecurity and data privacy and to help develop a road map to keep your organization safe and secure. 

For more information, contact us.

Mike Vanderbilt
Brian Nichols