Don’t Risk Your Donors’ Data: How Nonprofits Can Protect Sensitive Information

Your fundraising campaign kicks off next month, that grant application is due next week and, of course, mission-focused work doesn’t take a day off. Every nonprofit has a lengthy to-do list and limited resources to get it all done.

Unfortunately, cybersecurity often falls to the bottom of that list — opening the door for attackers to target sensitive donor information and other valuable data. And these threats have only grown in recent years.

Last year, U.S. organizations reported the highest number of data compromises since mandatory reporting laws went into effect two decades ago. That included more than two million victims associated with nonprofits and nongovernmental organizations — and the costs were millions of dollars more.

Nonprofits that fail to protect sensitive information risk exposing their donors’ personal information, and losing their trust and financial support along the way. But proactive steps — including data devaluation — keep valuable information out of bad actors’ hands and prevent data compromise, even if a system is breached.

How Much Is Your Data Worth to Hackers?

Consider all of the sensitive information that nonprofits hold: client medical records and confidential personal records; employee bank accounts and Social Security numbers; and contact information, home addresses and payment details of high-profile donors.

These types of sensitive Personal Identifiable Information (PII) and Personal Health Information (PHI) are the most common — and the most valuable — targets for hackers. When left unprotected and unsecured, your nonprofit’s data is a treasure trove for bad actors fixated on breaking into bank accounts, stealing identities or committing fraud. Stolen data such as credit card numbers and bank passwords can sell for hundreds, even thousands of dollars online — and the riches come at your expense.

There’s no shortage of recent examples to underscore this threat. Take the International Committee of the Red Cross, which suffered a cyberattack earlier this year that compromised the personal information of more than 515,000 highly vulnerable people across the world. That’s not a position you want your organization to be in.

Many nonprofits work on tight budgets that leave few resources for cybersecurity measures and most lack technical teams to build their own solutions. But in many cases, nonprofit leaders simply assume they won’t be targets of a hack and fail to properly prepare for an attack. One survey found eight out of 10 nonprofits don’t have a policy in place to address cyberattacks — putting them in the crosshairs of nefarious actors looking to profit off lax attitudes and incomplete security measures. Your organization may very well fall into that category.

Data breaches not only expose sensitive data around your clients, employees and donors, but they are extremely costly — to both your finances and your reputation. The average data breach costs $4.24 million (opens as a pdf) due to response expenses, lost business and regulatory fines, according to IBM Security’s “Cost of a Data Breach Report 2021” (opens as a pdf). And studies show half to two-thirds of consumers lost trust in an organization following a breach.

For nonprofits in particular, that loss of trust can have serious financial consequences. When sensitive information is exposed, donors lose faith in your organization and may take their checkbooks to another cause.  

A Data Breach Need Not Be Devastating

As cybercriminals become more sophisticated, data breaches have become virtually unavoidable, with a new attack happening every 39 seconds. 

But that doesn’t mean your organization is helpless against the onslaught of online attacks. In fact, it’s possible to mitigate damages and prevent sensitive data from exposure when a data breach occurs.

Data devaluation makes your data unintelligible to outside actors, meaning your organization’s stored personal, health and financial information will be of little use to hackers who gain access to your network. As your organization looks to strengthen your cybersecurity posture, consider the following approaches to data devaluation and their unique protections:

• Tokenization. This method replaces sensitive PII and PHI with a random string of characters — a token — that’s stored in place of the original data. For example, the value “123” could be replaced with an unrelated value, such as “978.” The original information is kept in a secure, third-party location. To interpret the data, a user must have access to the information linked to the token. Tokenization works best for long-term storage of sensitive PII and PHI, such as financial information, donor lists or medical records.
• Encryption. This method, on the other hand, takes data and locks it up so it can only be accessed with a key. To translate the sensitive information both the sender and the receiver need the right digital key. This process works best to secure sensitive information while in transit, such as a credit card number used in a transaction.

Your nonprofit should determine the right approach to data devaluation — using both encryption and tokenization — to protect how data is entered, how it’s transmitted and how it’s stored in the course of your everyday processes.

Data devaluation is mission-critical

As data breaches grow more common and costly, a strong data devaluation system should be standard practice for all nonprofits. In fact, encryption and tokenization should be considered mission-critical.

These additional layers of security not only alleviate risk and protect key stakeholders associated with the organization, they ensure you can focus on the work that matters most: your mission and the people it helps.

If budget is an issue, consider this: Data breaches are likely to be far more consequential to your bottom line. All it takes is one breach to damage a nonprofit’s reputation, lose public trust, and scare off donors and their critical support. Can your organization afford that risk?