< Back to Thought Leadership

Cyber Security for Not-For-Profits

Data breaches can occur in any organization, and not-for-profits (NFPs) are not immune. Oftentimes NFPs can be at risk because their systems are not up-to-date or are simplistic in nature. It’s very important for NFPs, especially those that collect donor or member information (including names, addresses, email addresses, and credit card information), to address cyber security frequently and holistically. Data breaches don’t have to just mean cyber attacks, either. They can be caused by human error, like employee misplacement of equipment; i.e. laptops, smartphones or flash drives. Most cyber attacks can be prevented through a more vigilant approach to cyber security. There are several components to consider when assessing your organization’s overall security.

There are four cyber security principles to consider:

  • Confidentiality – ensuring information is protected from unauthorized access.
  • Availability – ensuring information and systems are reliable and available for end users.
  • Integrity – ensuring information is protected from unauthorized changes.
  • Security – ensuring that information is confidential, available, and held in integrity through the use of appropriate controls.

There are several controls or tools to consider to improve your organization’s cyber security.

  • Access controls – do you have strong passwords? Are they changed often? Passwords should be user specific and never shared.
  • Encryption – messages can be encrypted for secure delivery; this feature is becoming more cost effective, especially for smaller organizations as security needs increase.
  • Backups – off-site backups are a key component of security.
  • Firewalls – create a barrier between your secure systems and the rest of the internet.
  • Anti-virus and anti-malware software – invest in good software, which includes regularly installing updates from the vendors.

Have a plan for your organization that considers the factors above. Some additional components to consider when developing your organization’s plan include considering:

  • What’s important? Determine critical assets and what the threats could be.
  • How to be proactive? Include controls to prevent problems, not just to detect them.
  • Are we changing as often as necessary? Look at cyber security on an annual basis at a minimum and adjust accordingly.
  • Do we have the right people? Sometimes it’s necessary to outsource security needs to an information technology (IT) firm. There are firms that specialize in NFP security available.
  • Is open dialogue encouraged? All employees of an organization should be involved in assessing risk on a day-to-day basis. Encourage open dialogue if circumstances appear risky or out of the ordinary.
  • Is proper training in place? Educating employees about all aspects of the security plan, as well as current security threats, is key to preventing data breaches.

For more information, please visit the American Institute of CPAs Cybersecurity Resource Center.

If you would like to discuss your organization’s particular cyber security needs, please contact Tom Skoog, head of our IT Advisory Services, at tskoog@blueandco.com.

Blue & Co., LLC acquires Alerding CPA Group

Blue & Co., LLC acquires Alerding CPA Group

Carmel, Ind. (November 23, 2022) – The accounting and consulting firms of Alerding CPA Group (Indianapolis, Ind.) and Blue & Co., LLC (Carmel, Ind.) have announced their merger. The combined firm will operate as Blue & Co., LLC (Blue & Co.), effective December 1, 2022. This acquisition will provide Blue & Co. with greater market […]

Learn More

Not-for-Profit Single Audit Requirements – Evaluation of Revenue Sources

By: Holly Fields, CPA, Senior Manager Not-for-profit organizations (NFPs) that receive federal financial assistance over certain levels, either directly from a federal agency or indirectly through state or local agencies, may be required to have a single audit performed under Federal Uniform Guidance. Single Audit Requirements A single audit includes not only an audit of […]

Learn More

Occupational Mix Survey: What You Need to Know

Every three years, the Centers for Medicare and Medicaid Services (CMS) requires any Hospital that is subject to the Inpatient Prospective Payment System (IPPS) to complete an Occupational Mix Survey (OMS). This data is then used to calculate an Occupational Mix Adjustment Factor (OMAF). The occupational mix adjustment impacts a hospital’s average hourly wage and […]

Learn More