4 Ways to Improve Your Nonprofit Website’s Security

The following post is a guest article.

Establishing appropriate cybersecurity procedures is an essential step of building a resilient nonprofit.

Your nonprofit’s website is an indispensable tool for telling your organization’s story, collecting donations, and sharing your impact.

You’ve taken the time to add your brand colors and logo across your pages, incorporate compelling imagery, and optimize it for mobile devices so that all of your supporters will have a high-quality experience on the site. Now, after all of your hard work, the last thing you want is for your website to become the target of a cyber attack.

Nonprofit Tech for Good’s survey of over 1,700 nonprofits around the world reveals that 27% have experienced a cyber attack. To help your organization protect itself against potential data breaches, malware, and other issues, we’ll walk through these four ways to improve your website’s security:

1. Install an SSL Certificate
2. Provide Security Training to Staff
3. Leverage Scanning and Security Tools
4. Establish a Strong Password Policy

All of the best nonprofit websites are both well-designed to prioritize the user experience and secure enough to instill trust in visitors who navigate to them. By taking the time to fortify your website, your organization will be avoiding a simple mistake that could limit your effectiveness.

According to NPOInfo’s guide to nonprofit data collection, your organization should capture a variety of donor details to inform your fundraising and engagement efforts, from their employment information to their giving history. To effectively gather this information through your website, you first need to secure your supporters’ trust.

An SSL (Secure Sockets Layer) certificate is a digital certificate that you can install on your web server to authenticate your website’s identity and encrypt all data transferred between users and your site. This protects your donors from hackers and identity thieves when they enter sensitive information, such as their address, credit card details, or bank account information, during the giving process.

To acquire an SSL certificate, your nonprofit will have to take the following steps:

• Ensure that your WHOIS record, or all the information associated with your domain name, is accurate and up to date.
• Generate a CSR (Certificate Signing Request) on your web server.
• Choose a trustworthy certificate authority (CA) to issue your SSL certificate and submit your CSR.
• Install the SSL certificate on your website.

Today, many hosting providers understand that it’s necessary for their customers to have an SSL certificate. Therefore, it’s worth checking with your hosting provider to see if they offer an SSL certificate as part of their hosting package. If your nonprofit has multiple domains and subdomains, be sure to obtain an SSL certificate that covers all areas of your web presence.

An SSL certificate allows your website to have an HTTPS address. Considering that many browsers label HTTP sites as “not secure,” migrating to HTTPS allows you to instill more trust in users who interact with your website. Your donors will feel much more comfortable interacting with your nonprofit and making gifts, leading to more support for your mission.

Developing a secure nonprofit website requires more than just technological improvements and best practices. After all, your staff members work with sensitive data every day, whether they’re sending email communications to donors or simply logging into your donor management system.

Therefore, it’s essential to train your nonprofit’s staff on the basics of cybersecurity, including topics such as:

• Safe Internet Browsing
• Phishing
• Malware
• Cybersecurity Incident Response
• Information Security
• Public Wi-Fi Risks and the Need for Virtual Private Network (VPN) Protection

Remember to approach nonprofit security awareness training as an ongoing effort. Consider sending out test phishing emails to reinforce your staff members’ learning and having them take annual security assessments to refresh their knowledge.

Making your team aware of cybersecurity risks and security best practices ensures that your nonprofit can continue raising funds without having to worry about data privacy concerns. This is especially important for organizations with hybrid or remote workers.

Your nonprofit has other priorities beyond constantly safeguarding your website against cyber attacks. Instead, you can leverage automated tools made specifically for protecting and monitoring your site. Consider researching the following types of security tools to determine which will be most useful to add to your nonprofit’s technology toolkit:

• Web Application Firewall, which filters and blocks any suspicious traffic to your website.
• Vulnerability Scanner, which searches your website for any potential security flaws or vulnerabilities.
• Antivirus Software, which detects and removes malware from your systems and website.
• Backup Software, which allows your nonprofit to back up its website data and content in case any cybersecurity incident arises.

Additionally, if your organization uses a CMS like Drupal or WordPress to create website content, you’ll want to consider plugins such as WordFence for additional security. Be sure to continually update all of your website software to prevent outdated code that may lead to vulnerabilities in your site.

To operate effectively and keep all your staff on the same page, your nonprofit has many policies related to accepting donations, managing finances, and more. One cybersecurity-specific policy that all organizations must have is a strong password policy.

In your onboarding materials and team training, take the time to reinforce password best practices such as:

• Using a password manager to securely store and share passwords within the organization. This tool also streamlines the login process, since your staff members only have to remember one main password to access all of their accounts.
• Setting complex passwords with a minimum length of 14 characters and a combination of numbers, uppercase letters, lowercase letters, and symbols.
• Changing passwords regularly, usually every 90 days. Set up automated email reminders to make this process as easy as possible for staff members.

Furthermore, enhance your website protection by enabling two-factor authentication (2FA). This method will require your team to pass two identification gateways in order to log into their accounts. In addition to a password, the second identification can be a hardware token, one-time verification code, or push notification that verifies the user’s identity.

Should a password become compromised, using 2FA blocks cybercriminals from gaining access to your nonprofit’s accounts and data.

Managing and protecting your nonprofit’s website is a complicated yet rewarding task. It’s especially important for organizations that handle protected data, such as medical details or other personally identifiable information. Having the right security measures in place ensures that their websites maintain compliance with all local and national regulations governing this sensitive data.

If this all seems like a lot to take on, consider reaching out to web design and development experts for support. According to Kanopi, these professionals can assist with numerous aspects of your nonprofit’s website, from your content strategy to user experience, so you can focus on building relationships with supporters and raising funds for your cause.