Information Security - An Important Priority for Non-Profits

Castellan Information Security Services is posting several short articles aimed at informing our clients and followers covering some of the 'basic' information security topics and trends. We understand that while some clients require advanced technical and corporate security measures and strategies to meet their needs, some require starting at the beginning to understand the topic better and start their own journey to securing their information.

This article will discuss how information security impacts non-profit organizations and what can they do to ensure they are appropriately protected from the threats and potential damaging impacts of a data breach.

The Threat of Significant Damage from a Data Breach for Non-Profits is Real

Castellan has had the pleasure to work with non-profits and we find in general they are very professional and dedicated organizations who are serving their mandates with pride, hard work and usually with a very busy agenda. We have also experienced that many non-profits, due to the important services they deliver, hold very sensitive and private information, such as: health related data, financial and payment information, names, DOBs, and addresses.

The potential damage that cyber attacks and other data breaches can cause for a non-profit organization are serious. They can result in extreme financial costs to retrieve data, privacy breaches and identity theft for clients and staff, frozen service delivery capabilities, and severe reputational damage for organizations. These situations are real and happening on a regular basis.

As such, it is important to highlight that the nature of non-profit organizations does not reduce the threats to its data or to its corporate obligation to implement a modern and robust information security program. In fact, current trends have seen an escalation in cyber-attacks specifically targeting non-profit organizations. The corresponding damages have been no less severe than those in the private or government sectors.

Some gaps that we see with non-profits impacting their information security risks:

  • A lack of sufficient policies and procedures to govern the safe handling, storage and sharing of sensitive information.
  • Organizations that mistakenly rely on putting their in the Cloud as their sole approach to information security.
  • IT staff or services providers that are very busy running the daily operations, maintain existing systems, supporting service delivery, or implementing new projects.
  • Organizations and decision makers are unaware of the most critical risks and vulnerabilities to their information.
  • Decision makers are hesitant about where to start to implement an information security program.

5 Starting Points - How Can a Non-Profit Start to Implement an Appropriate Information Security Program?

  1. Understand that your IT team or IT service provider may need external help. - Leaving the responsibility of implementing the measures required to protect your organization's information to your IT Staff or IT Service provider is often not sufficient to ensure enterprise-wide protection. In many cases, IT staff simply do not have the time or capabilities to implement the technical measures needed or the mandate to develop the governance tools required to support an effective program.
  2. Recognize that you need to do more than store your data in the Cloud. - A common misconception and false 'sense of security' is that information stored in the cloud can't be maliciously accessed or hacked by an outside source. In fact, a 2022 report produced by IBM (Cost of a Data Breach 2022 - A Million-Dollar Race to Detect and Respond) indicated that nearly half of data breaches in the United States happen to data that was stored in the cloud. Non-profits should recognize more needs to be done to protect their data than storing it in the cloud and seek help from information security professionals about next steps.
  3. Assess where your Gaps may be and identify the highest priority improvement areas. - The best starting point in determining an appropriate way forward is to conduct an assessment of your current information security posture (polices & procedures, staff training / awareness, 3rd party risks, disaster recovery planning, up to date technical counter measures). This assessment will help determine where the most critical gaps exist and help guide what to tackle first.
  4. Have a plan or roadmap developed to take incremental approaches that fit your capacity, operations and budget. - Based on your assessment of the most critical gaps and risks a reasonable and 'due-diligence' based approach is to seek assistance from information security professionals to help develop your plan. Information security professionals will lay out how to systematically address these gaps with industry leading security counter measures tailored towards your organization's needs and expectations.
  5. Start to implement measures along a reasonable / achievable roadmap. - Once a plan is in place the work can begin to implement counter measures and the pieces of an enterprise-wide information security program on a priority basis that does not overwhelm your daily operations, mandate, or budget. Not everything has to be done immediately!

While the threat of a data breach is real for non-profits and the damages can be severe, the process to implement effective counter measures does not have to be overwhelming. Through planning and the implementation of incremental security measures that align with your internal gaps can present a reasonable and effective solution.

Castellan Information Security is a Winnipeg-based 'end-to-end' information security company that specializes in information security and have worked with both large and smaller private and public organizations to help them reach their information security objectives. If you have questions about this article or would like to speak to us about how our services can help your company protect its information please feel free to contact us directly at



View More

Unite Interactive