Why Cybersecurity Matters for Nonprofits and 6 Ways to Secure Fundraising

Like any for-profit company, nonprofits aren’t immune to the threat of being compromised. Data breaches are frequent across all industries, with a cyberattack occurring every 39 seconds.¹

Security is essential on any platform, especially when dealing with payment data. As a result, a technology stack to protect your nonprofit and its loyal donors is non-negotiable. Today, we’ll cover why proactive security measures are critical to sustaining your donors’ trust. 

Read on to discover a few ways to improve your nonprofit cybersecurity hygiene and stay ahead of any potential risk. Hear exclusive insights from GoFundMe’s Chief Information Security Officer, John Downey, on protecting your organization and its valuable supporters and simple lessons he’s learned throughout his two-decade-long career in computer software and security.

What Is Cybersecurity?

Cybersecurity is the practice of protecting your systems, networks, and programs from digital attacks.² Assessing nonprofit cybersecurity expands beyond protecting your systems to safeguard the people who support your organization.

There are several different cyberattacks, but three of the most common include:

• Phishing attacks: Stealing sensitive information by sending fraudulent emails that resemble emails from trusted sources
• Denial of service (DoS) attacks: Triggering a crash to make a network inaccessible to its intended users
• Malware attacks: Using malware software to gain unauthorized access or cause damage to a computer

The information you’ll learn about in this post will help you protect your nonprofit against each of these types of attacks under the larger umbrella of cybersecurity.

Why Cybersecurity Matters for Your Organization

The Numbers in 2022³

• 1,802 total data compromises 
• 422,143,312 total victims 

The Long-Term Value

Security and stability lead to deeper donor trust, potentially resulting in recurring donations. When you consider retention, donor confidence also impacts their likelihood of returning and giving again. Preventing data breaches reduces the risk to your nonprofit’s reputation and the costs associated with a data security breach.

Among the different costs of a breach in 2022, lost business represented the largest share at an average total cost of $1.42 million.⁴ Keep reliability at the forefront of every organizational decision and consider how you can continue taking the necessary steps to uphold the highest security standards.

5 Actions to Protect Your Nonprofit Organization From Security Threats

There are several cybersecurity measures your organization can take to protect its community. In our interview with John Downey, he shared a few simple recommendations to start with:

1. Be wary of unfamiliar emails or texts sent to your personal or work devices

This is one of the most common ways that phishing attacks occur. An attacker pretends to be an executive or founder of your organization and asks for personal information, such as your credit card, Social Security number, password, or protected company data.

One way to check if this is a hacker is to look at the sender’s email address. Often, the email address will have the same prefix but not the same domain name as your organization.

For example, if your CEO’s email address is [email protected], the hacker’s email address may be [email protected].

2. Do not click unknown links or download attachments in any personal or work communications

Clicking links or downloading attachments in emails and text messages can lead to downloading malware on your computer or phone. 

One way to check if a link is trustworthy is to hover over the link. You’ll see the full link pop up in the left corner of your browser. If the website’s domain doesn’t match your organization’s or the company allegedly reaching out to you, don’t click the link.

3. Flag suspicious activity or phishing attempts that appear risky

Sending suspicious emails to your IT team is another red flag. If you don’t have an IT team, you can report the email as a phishing attack to your service provider. For example, with Gmail, you can mark the email as spam, which notifies Google that this is an unwanted email. You can also report the phishing email to Google.

4. Update your password on any platforms you use, particularly ones that store sensitive information

If you have the same password for all your work accounts, it’s time to update them. Try a password management app or implement a single sign-on (SSO) tool for a more secure experience.

SSO is an authentication tool that allows users to sign into multiple applications with only one set of credentials. Typically, SSO software requires users to update their passwords regularly with more robust password qualifications. When paired with multifactor authentication (MFA), you see the best of both worlds regarding password security.

5. Ensure your fundraising platform follows security best practices

While there are numerous actions your organization can take to improve security, your fundraising software should also prioritize and be proactive in its security measures. We deep dive into those platform security considerations below.

6 Cybersecurity Considerations for Your Fundraising Platform

Security should be a key consideration throughout your fundraising software evaluation process. Here are six questions to ask when deciding which platform is best to protect your organization and its donors.

1. Does my fundraising platform have a data security team?

Your days are busy at a nonprofit, whether coordinating fundraising events or analyzing donor behavior. It’s essential that you find a donation platform that serves as an extension of your team to help get everything done.

When you evaluate different fundraising software providers, determine whether they have a department focused solely on platform security and policies. Since it’s unrealistic to monitor your online fundraising platform 24/7, finding the right people and tools to serve as your eyes and ears can provide much-needed peace of mind.

We Practice What We Preach

Classy and GoFundMe have an Information Security and Privacy team, in addition to a Risk and Compliance team. We prioritize having the technology and industry expertise to protect our global nonprofit organizations proactively. In addition, we know that supporting our customers behind the scenes allows them to focus on what matters most—their mission.

2. What governance policies and security training does the platform have?

Promising to respond and rebuild in the case of a data breach is not enough to gain donors’ trust. Find a platform with proactive policies to protect your organization’s information at all costs.

Ask about the platform’s level of compliance and explore its coding principles to ensure each platform feature is secure. In addition, make sure the platform’s team receives regular training to remain up to date on the most effective security procedures.

We Practice What We Preach

Independent auditors evaluated Classy and GoFundMe systems, which passed the highest security protocols set by PCI DSS. In addition, Classy leverages industry standards, such as the Open Web Application Security Project (OWASP) Top 10 Principles, in its software development lifecycle. The entire staff completes security training annually, and developers must undergo recurrent secure coding training.

3. How does security influence the platform’s development?

The infrastructure of a fundraising platform informs the security level of your organization’s and donors’ data. You’ll want to look at the fundraising platform’s architecture and ask about it in conversations with any vendors you consider.

When you look at your fundraising platform’s architecture, consider if it’s hosted on-premise or in the cloud. If it’s hosted on the cloud, you benefit from a software-as-a-service (SaaS) environment, which affords your nonprofit the latest technology without worrying about upgrades.

We Practice What We Preach

Classy uses a secure cloud architecture and multiple security measures to protect sensitive data. These include:

• Amazon Web Services (AWS) Virtual Private Cloud
• PCI Level 1 Certification
• 24/7/365 security scanning and threat monitoring
• Network-level vulnerability scanning
• Annual penetration testing
• Web application firewall (WAF) and distributed denial-of-service (DDoS) protection

We also build security into the foundation of all our products and services. This includes load balancer-based compute isolation, role-based access control, secure logging, static and dynamic code analysis, and OWASP secure coding principles. Using tokenization, encryption, and key management, Classy never stores credit card information and always protects other sensitive data.

4. How often is the platform scanned and monitored for potential issues?

Regarding sensitive data, you’ll always want to know how it’s stored, who can access it, and what protocols are in place to ensure no leaks. A security breach can happen quickly, so you’ll want to be sure your fundraising platform monitors for issues constantly.

We Practice What We Preach

Classy uses 24/7/365 monitoring, leveraging an intrusion detection system (IDS), network-level scanning, and WAF. We also know from Classy’s State of Modern Philanthropy report that 30% of our platform’s donation volume occurs between Giving Tuesday and New Year’s Eve. This fuels our desire to take specific steps to deliver a secure, stable, and reliable giving platform for all our customers.

In addition to maintaining reliability, readiness, and security throughout the year on the Classy platform, we take the following preemptive measures heading into the peak giving season:

• Completing an annual audit for PCI Level 1 Certification for the highest accuracy and readiness
• Partnering with a team of AWS solutions engineers who maintain an all-day, live-mission control room to monitor platform activity in real time on Giving Tuesday and other major giving days 
• Scaling of our infrastructure preemptively for Giving Tuesday to add servers to our cluster, which helps to support our best-in-class infrastructure security and highly available architecture with automatic scale protocols
• Pausing on product development between October and January proactively to recognize the critical period for fundraising and ensure all products and features work as expected

5. Are there any audits in place to ensure continued compliance?

It’s critical to consistently reevaluate your protocols to ensure compliance with the highest standards. That starts with understanding how your fundraising platform addresses audits and stays up to date with the latest compliance measures as the world of security technology continues to evolve.

We Practice What We Preach

By putting in place and adhering to procedures and standards, Classy and GoFundMe ensure our platform and systems keep our partner organizations’ data safe and secure. 

As mentioned, we conduct regular audit reviews that adhere to the OWASP Top 10 Principles when developing and implementing features and security controls. Our development and engineering teams also undergo recurrent secure coding training.

Leading up to Giving Tuesday, Classy also conducts a well-architected audit of best practices in partnership with AWS and Cloudflare.

6. What technology does the fundraising platform use to ensure secure payments?

Security on any platform is essential, especially when dealing with personally identifiable information and payment data. Donors want to know that their payment information is secure, regardless of which method they find easiest to make a donation.

As more nonprofit organizations offer diversified online payment processing options for supporters, it’s essential to ask how vendors transfer that data and emphasize security regularly.

We Practice What We Preach

Regarding nonprofit payment processing, Classy Pay offers the secure and trusted payment options of PayPal, Venmo, and cryptocurrency through Coinbase. We’re also preparing to launch SSO this summer, so users can eliminate weak passwords and increase security. 

We select best-in-class payment processing vendors to integrate into our payment solution, then thoroughly evaluate their security measures. In addition, Stripe Radar implements blocking and reviews rules for fraud protection, while the Classy team audits suspicious and fraudulent activity regularly. We also prioritize a timely response to any incidents, internally and externally.

Raise More, Do More With Secure Software

Balance nonprofit transparency and security, maintain trust with your donors, and feel confident in the stability and reliability of your platform. 

Whether your organization is evaluating new technology or exploring proactive ways to uplevel its policies, take the proper steps to protect your community and safeguard its mission. 

We’d love to help you get started with more information about the Classy and GoFundMe policies. Plus, our customer care team can answer any other questions that come to mind.

Article Sources

1. “How Many Cyber Attacks Happen Per Day in 2023?” Techjury, last modified February 27, 2023, https://techjury.net/blog/how-many-cyber-attacks-per-day/#gref.
2. “What Is Cybersecurity?” Cisco, accessed June 8, 2023, https://www.cisco.com/c/en/us/products/security/what-is-cybersecurity.html.
3. “2022 Data Breach Report,” Identity Theft Resource Center, accessed June 8, 2023,  https://www.idtheftcenter.org/wp-content/uploads/2023/01/ITRC_2022-Data-Breach-Report_Final-1.pdf.
4. “Give.org Donor Trust Report | 2021,” Profiles in Charity Trust and Giving, Give, accessed May 31, 2023, https://give.org/docs/default-source/donor-trust-library/2021-donor-trust-report.pdf.