How To Make Sure Your Non-Profit Doesn’t Get Hacked

The title of this post is misleading. No organization big or small can ever be secured from hacking. Think Edward Snowden and the NSA.

That being said, there is a lot you can do to make it difficult and expensive to compromise sensitive information that your non-profit organization or social enterprise collects. And these tips will go a long way to make sure your non-profit does not get hacked.

Why Non-profits are a Target

Non-profits may possess information that is valuable to hackers:

  • Donor details – Your donors and supporters could be high-net-worth individuals. If a hacker were able to send an email from your organization to your donors, there is a greater chance they would open it, allowing the hacker to target your donor.
  • Personally identifiable information (PII) – Personal information such as social security numbers, email addresses, phone numbers and address details allows hackers to re-create identities, which are then sold on the underground markets.
  • Financial and Health information – Credit card numbers, bank account details, amounts transferred, patient data, etc. can be used to launch phishing attacks.

What hackers will target

  • Your staff – Access to one email inbox provides the ability to pivot and gain broader access.
  • The website – Your website may be hosted internally or with a service provider. Wherever it is, it is being actively targeted right now. I operate some internet-facing infrastructure and it is under attack every day of the year.
  • The CRM – CRMs typically hold the keys to the kingdom and are the ultimate goal of the hacker.
  • Social Media – A social media account is also typically targeted, commonly in conjunction with an attack on users’ email accounts. Hacked social media accounts expose your followers to further attacks.

Limiting the possibility of successful attack

As mentioned previously, it is very difficult to secure your information assets against a motivated attacker. However, you can make it harder to compromise your information assets. Doing so raises the opportunity cost for bad guys targeting your startup and reduces the motivation for attack.

Here are some suggestions to get you started:

  • Move your self-hosted or service-provider hosted email to Google Apps for Non-profits. Not only is it easier for your users to use on the go, but Google invests heavily in protecting their Gmail infrastructure.
  • Move your website to WordPress hosting with Moving to WordPress means that you are using open-source software open to security inspection by thousands of security researchers around the world. is a managed WordPress hosting provider who take their security very seriously. From my research on the web, these are the guys I have trusted and used in the past to host my personal WordPress sites.
  • Consider transitioning from self-hosted and managed CRMs to or
  • Secure your Twitter account using login verification.
  • Reach out to organizations such as Hackers for Charity and Podomere who will review your information protection strategy as well as conduct a penetration test of your information assets to provide a real-world and controlled security review of your information assets.

Moving your information assets to external service providers may seem counter-intuitive, but the idea is that these organizations are motivated to ensure your assets are secure from hackers as their business model depends upon it.

The list of protection mechanisms supplied here is not exhaustive, as each organization’s needs vary; however, feel free to ask a question in the comments and I’d be happy to point you in the right direction.