The recent flurry of FBI warnings against new malware, ransomware, and other cybersecurity threats should have every CFO on edge. Nonprofit databases may contain sensitive data such as personally identifiable information, health records, and more that attract attacks. And, if you think you are immune because your organization is small (and therefore, in your mind a lesser target), think again: cyber attacks against nonprofits grew by 30% in 2024.
Given this information, what cybersecurity priorities should you focus on? The following list offers general guidance. In addition to this information, it may be prudent to speak with your IT director, managed services provider, or technology consultant so that you have a sound plan to protect your valuable data.
Four Cybersecurity Priorities for Nonprofits
The most pressing cybersecurity issues facing CFOs today include ransomware threats, human error, third-party access, and ensuring systems are updated.
Ransomware Threats
Ransomware typically enters a system when users click infected links. So-called phishing attacks spoof, or fake, a well-known website, such as Amazon, a bank, or another trusted and frequently used site. Clicking the link may take the user to an infected page or prompt them to enter their login credentials. This can then infect their computer and possibly the entire network. The ransomware encrypts data, effectively locking it until a ransom demand is paid.
Human Error
Most ransomware enters systems through human error. Clicking the wrong link, entering credentials without considering the validity of the request, or downloading infected material all put your organization at risk.
New attacks are even more sophisticated. Some include text messages and phone calls from someone purporting to be from IT asking the user to reset their password. The “IT person” asks the employee for their password to “verify it.” This enables the caller to log into the system themselves, reset the password, and begin whatever crime they want to commit. Some companies report their executives as the target, with the criminals contacting executive assistants and pretending to be helping the CEO with their password reset.
In all cases of human error, the criminals rely on human psychology to trick their victims into making mistakes. They present a sense of urgency, often hinting that something dire will happen if the victim doesn’t respond quickly. Or, they pretend to be a trusted colleague, such as an IT person, to fool the end-user.
Third-Party Risks
With the rise of cloud computing, it’s easier than ever to allow others to access your system. Auditors, for example, are often given access to accounting and financial systems so they can complete some of their work offsite. You may have vendors who access shared cloud drives, instant messaging apps, or other systems. Each person outside of your company who can access your system represents another potential risk.
Operating Systems and Software
Outdated software and operating systems pose a security risk. Criminals exploit known vulnerabilities. Systems that aren’t updated or patched are akin to leaving the front door of your house wide open to let a burglar inside.
Your team must ensure that all operating systems and software are updated whenever the vendor releases patches or updates. This includes operating systems (like Windows), software (nonprofit accounting software, donor relationship management, and others), and even websites.
Systems that are no longer supported by the vendor should be replaced. For example, Microsoft has announced it is ending support for Windows 10 on October 14, 2025. While computers running Windows 10 will continue to work, Microsoft will no longer issue security patches, leaving machines running version 10 potentially vulnerable to attack. Updating the operating system to Windows 11 ensures that as new vulnerabilities are discovered, you will receive the appropriate updates and patches to address them.
Addressing Cybersecurity Challenges
These four priorities are just the start of a much longer list of cybersecurity risks and challenges that CFOs face. To address them, consider creating a cyber risk and proactive protection plan that covers common pain points such as:
- Keeping abreast of the latest ransomware attacks and communicating information to employees.
- Frequent training and awareness programs to help employees identify possible phishing attacks.
- Addressing third-party access by reviewing who has access to what and removing permission once the need is gone.
- Working with IT to identify and update vulnerable points within your systems and platforms, including a schedule to update aging software and equipment.
As a CFO, you are entrusted with a great deal of responsibility. You are one of the organization’s leaders who knows and understands the risks. But you are also in an excellent position to address these and other emerging threats.
Welter Consulting
Welter Consulting bridges people and technology together for effective solutions for nonprofit organizations. We offer software and services that can help you with your accounting needs. Please contact us for more information.