Not-for-Profit Quick Read

How NFPs can identify and mitigate data vulnerabilities in the digital age

August 25, 2020

To protect data, your technology controls must evolve to keep pace with the ever-changing digital environment. Even if your not-for-profit (NFPs) outsources data management to a vendor or third-party software provider, there are still several steps you should take to identify risks internally:

  • Continuously review controls to prevent damaging data breaches.
  • Be aware of the latest phishing schemes and ransomware tactics.
  • Test your organization’s backup controls and look for vulnerabilities.

In the event of ransomware or other attacks, strong controls can help you maintain your normal course of business and minimize the risk of financial loss (e.g., cost to buy your data back).

While advances in technology provide us with many conveniences, the downside is an ever-evolving technology risk that requires proactive and continuous management. In this article, we’ll discuss specific vulnerabilities and steps not-for-profits of all sizes can take to mitigate them.

Vendor vulnerabilities

Mitigating vendor vulnerabilities starts with selecting the right vendor. Many organizations assume that when a vendor agreement is signed, their data will be managed safely and effectively. However, without rigorous upfront and ongoing vendor management practices, you increase your risk of financial, operational, and reputational damage. Mitigate these risks by implementing a vendor management program that includes appropriate due diligence in vendor selection, risk assessments, contracting, and oversight.

In selecting a vendor, consider the following attributes:

  • Industry experience
  • Reputation
  • References
  • Service level agreements
  • Legal and regulatory compliance
  • Ability to support clients with business continuity plans
  • Overall customer service, including response time

Vendor due diligence verifies that vendors in routine custody of personally identifiable information meet specific security criteria established by your organization. These criteria might include the following:

  • Regular system patching
  • Strong authenticationLimited administrator access
  • Individual accountability

Strong vendor selection and due diligence processes serve as the foundation for the security and monitoring of your organization’s data.

Work closely with your vendors so that necessary controls (for example, access restrictions and logging) are in place from the beginning. Additionally, review the vendors’ System and Organization Controls (SOC) for Service Organizations reports during initial setup and on an ongoing basis to stay up to date on the controls your vendors have in place to secure your data. The SOC 1® report is specifically intended to help user entities evaluate the effect of the vendor’s controls on the user entity’s financial statements. A particularly helpful aspect of a SOC 1® report is that it identifies user-entity controls that are necessary for the vendor’s controls to work effectively.

Further, consider removing applications you no longer use. Chances are, they are not being updated and thus could have security weaknesses. Taking the step to remove them will eliminate any security threats they may pose.  

Social engineering vulnerabilities

Social engineering tactics are morphing and becoming more personal. Phishing continues to account for approximately 90% of attacks, and other devious exploitations are being used to compromise the data of employees, donors, and vendors.

“Phishers” often use stolen pieces of personal information — like your address or previous employer — in interactions with you to appear credible. Popular social engineering tactics include the following:

  • Requesting a donation to a charity in a time of disaster
  • A sense of urgency in the request
  • An attacker pretending to be a coworker, boss, or vendor (pretexting)
  • A message that the recipient won something
  • A bad actor responding to a “question” from a legitimate vendor that the recipient did not request
  • A note encouraging employees to click on a compromised website that looks like a legitimate one
  • An “IT” call to employees noting a software upgrade

Address the risks of social engineering by doing the following:

  • Implementing verification controls for employees to follow whenever there is a request made via email, phone call, or other method
  • Encouraging employees not to open emails if they are not familiar with the source
  • Encouraging employees to slow down when responding to requests
  • Providing ongoing mandatory training to employees regarding good cyber hygiene, including how to detect social engineering tactics
  • Maintaining updated systems
  • Using multifactor authentication

Phishing attacks can also happen through personal email and threaten the organization’s property and data when employees access personal email accounts at work. To mitigate this additional layer of vulnerability, consider discouraging employees from checking their personal email at work.

Continuous training to support a culture of cybersecurity risk awareness is critical for all organizations in today’s digital environment. This training doesn’t have to be expensive either. Key messages and relevant examples can be deployed through various channels, such as email, lunch-and-learns, and team meetings.

Business continuity plan, incident response, and disaster recovery

With a rise in e-commerce, there is an increased risk of data loss and data breach, and IT incidents are likely to occur. It’s important to stay prepared. Develop response and continuity plans that are well-documented and include specific procedures for detecting and responding to an event. Test incident response processes and be prepared to analyze the situation after the fact through forensics.

Implement procedures and processes to back up significant applications and hosts periodically, and introduce tools to detect and notify management of any failed backups. Some organizations back up their data, but don’t test its integrity. You run the risk of interrupting your operations if the backed-up data is not accessible or takes significant time to recover. This data loss or delay in business operations could result in financial and reputational loss. 

Consider the following when creating backup, business continuity, incident response, and disaster recovery plans:

  • Significance of the data, as well as the retention time
  • How often the backup is tested
  • Backup recovery time
  • Location and security of the backup
  • Responsibilities and communication plan
  • Alternate processing and procedures for critical business processes while systems and applications are unavailable
  • Alternate locations where work can continue during a disaster situation
  • The need for cyber insurance

Digital security is a journey, not a destination

Technology continues to enhance the way we do business. With improved efficiency, comes increased risk. Risk assessment is a great place for all organizations to start. You can get help from a trusted adviser or conduct these assessments internally. Make sure you involve staff across the organization to ensure completeness and document your discussions, assessments, and decisions. Additional resources for risk assessment and management are available in the Not-for-Profit Section’s Governance and Management Resource Library.

To help reduce the risks you have identified and assessed, consider the strategies discussed in this article:

  • Only use trusted applications and tools in conjunction with a reputable vendor. Perform adequate due diligence in vendor selection, including review of the vendor’s controls.
  • Have a robust vendor management process that identifies and monitors vendors based on the risks. Even with the greatest applications and vendors, data can be compromised without sufficient controls.
  • Provide training to employees to reduce susceptibility of social engineering scams.
  • Document and test your business continuity and disaster recovery plans so that operations can continue in the event of the loss or theft of critical data sets. Regular testing of the controls in place, coupled with routine assessment of the adequacy of those controls, can help you proactively safeguard your data.

Common feedback from not-for-profits indicates a lack of resources and funding to properly address identified risks. If this is the case for the not-for-profit you serve, consider adding a cost-benefit analysis to the risk assessment process. It may be necessary, and helpful, to prioritize your risk mitigation and response efforts based on potential impact assessments.

Additional Resources

AICPA Cybersecurity Resource Center

Sample Information Security Policy for Not-for-Profit Entities (locked for NFP Section members)

9 Cybersecurity Tips for Small Not-for-Profit Organizations

IT Controls for Not-for-Profit Entities (PDF, locked for NFP Section members)

Cybersecurity & Infrastructure Security Agency (CISA) Critical Infrastructure Vulnerability Assessments


Kadian Douglas, CPA, CISA, is an Information Security Principal at CLA (CliftonLarsonAllen LLP). Kadian has more than 13 years of professional experience in providing financial statement audit and cybersecurity consultative services in a wide range of industries. She can be reached at