An important primer about the significance of cybersecurity for nonprofits, with Bart Holzer, CIO of Affinity Technology Partners. With over 25 years of experience, which includes two decades at the FBI, Bart provides insight into the changing landscape of cybersecurity threats and what they mean to nonprofits.

Bart starts by addressing the myth that non-profit organizations are not likely to be victims of cybercrime. He states, “Totally false. We know they’re going to go after nonprofits. Nonprofits are in the news every day either getting grants or having success in their programs, and we know most nonprofit funding goes to programming and not to security, and the bad guys know that too.” This reality check brings home the critical need for nonprofits to prioritize cybersecurity as much as their for-profit counterparts.

The conversation, with host Julia Patrick, moves on to the threats that non-profit organizations face and how sophisticated modern cyber-criminals have become. Bart remarks, “We have seen where the excellent hackers have started selling their tools. So that proverbial kid into his mom’s basement can buy sophisticated tools. So it’s even worse than what we’ve seen in the past.” This chilling revelation points out the increasing accessibility of advanced hacking tools, making it imperative for nonprofits to stay vigilant.

How nonprofits can start to build a robust cybersecurity program, Bart says, starts at the top: Executive leadership must make security a priority throughout and instill a culture of security. This top-down approach will ensure that everybody in the organization—employees, volunteers, contractors—understands and participates in following security protocols.

He also proposes that resources should be harnessed from trusted organizations, such as the Center for Internet Security (CIS), which has free tools and frameworks to help nonprofits evaluate and uplift their cybersecurity condition. Time might be short, but there is a need for understanding and exerting basic “security hygiene”.

When discussing the costs of all this, Bart suggests that nonprofit organizations spend 2% to 5% of their budget share on cybersecurity. The investment is not only to protect from financial loss but also to protect the reputation that a data breach can potentially cause to the organization, its stakeholders, and even its donors!

The session ends with practical advice on engaging with third-party vendors, as Bart describes how it is important for third-party vendors to have strong security practices, appropriate certifications, and data protection clauses in their contracts.