How to Right-Size Cybersecurity to Fit the Small Non-Profit (AAFCPAs)
Technology
February 21, 2024 - AAFCPAsThis is a thought leadership article from PrimeGlobal member firm AAFCPAs on the particular susceptibility of small non-profit organizations to data breaches, analysing the specific risks and outlining preventive measures.
Access our Technology Insights hub to access similar tools and resources to help your firm adapt to current challenges and opportunities that face the accounting profession.

Organizations rely on technology for communicating, managing our work, assisting us in making accurate and timely decisions, assisting customers, and staying in the know wherever we go. But along with this comes a mounting risk of data breach. Particularly susceptible are small non-profit organizations with fewer technical safeguards, outdated security protocols, and modest IT budgets.
Understand your risk
Cyber threats have become increasingly sophisticated. Compounding this is a recent surge in remote work, Bring Your Own Device (BYOD) flexibility, and online transaction processing, all of which collide to create a broadened threat landscape. Organizations that store electronic patient data, personally identifiable information, and banking and credit card records stand to face even greater upheaval should they fall prey to ransomware, viruses, social engineering attack, third-party or employee data breach. The smaller an organization is, the greater the impact due to lack of resources
Financial and Reputation Loss: Small non-profit organizations store sensitive information about donors, clients, and employees. But cybercriminals are intent on stealing that data to conduct phishing scams, launch extortion or ransomware attacks, and open credit. Should confidential data be compromised, it could damage your ability to fundraise. It could also trigger costly litigation.
Insurance Terms: Insurance companies often require that baseline security standards be in place to uphold cybersecurity coverage. Yet many nonprofit organizations lack the in-house expertise needed to properly evaluate policy language and terms. This could result in a coverage lapse should a breach occur. There are cases where an organization thought they were covered but the coverage was denied because the policy required adequate IT controls.
Regulatory Compliance: Some small non-profit organizations are subject to cybersecurity laws and regulations such as HIPAA and the Payment Card Industry Data Security Standard (PCI DSS). Failure to comply with those could result in costly fines and litigation.
Constituent Trust: When constituent data is compromised or when essential services are lost, this can cause permanent damage to that relationship.
Take preventive measures
Even the smallest investment in time, training, and vigilance can make a big impact in bolstering your cybersecurity profile.
AAFCPAs advises small non-profit clients to start by conducting an IT general controls assessment to pinpoint areas of risk along with opportunities for improvement. In doing so, consider the types of data exposures you face including specific threats within your industry, such as those related to fundraising platforms or volunteer workforces.
They recommend organizations designate one individual within the organization to act as security manager responsible for planning, software upgrade, backup, patching, and incident response. Then document procedures, plans, and policies to clearly define acceptable use and response protocols. Consider remote work and BYOD exposures when drafting policies. Define authentication and access control including how and when access will be revoked once it is no longer needed. Should access and privileges be limited to a need-to-know basis? What are password protocols? How is sensitive data handled? What is mandated from a compliance standpoint? Then revisit, assess, revise, disseminate, and train all employees and volunteers to ensure ongoing awareness.
Constituent trust is critical. If resource enhancements are needed, AAFCPAs provides a right-sized approach to security. They help small non-profit organizations under heightened risk conduct IT security assessments to better understand their strengths and vulnerabilities.
Content by:
AAFCPAs
AAFCPAs is considered an attractive alternative to national CPA firms by discerning clients who appreciate exceptional value. We provide audit, tax, accounting, and advisory solutions to non-profit organizations, commercial companies, and wealthy individuals/estates. Since 1973, our sincere approach to business and service excellence has built a thriving firm, with 3 offices in Massachusetts, driven by an altruistic mission to improve the economic well-being and quality of life for all our constituents. AAFCPAs donates 10% of its net profits annually to non-profit organizations..
Learn more