Cyber Security Q&A: Nonprofits at Risk

Cyber security breach of nonprofits

Meet Chris Dufour, Cyber Security Expert

Day-to-day concerns. Upcoming deadlines. Online safety?

Is cyber security on your organization’s back burner? Cyber security is as important for nonprofits as businesses. Nonprofits’ online records may include personal information such as donor data, credit card numbers, and staff employment and health insurance information.

What do we need to know about cyber security and how to avoid risks?

We connected with Chris Dufour to talk about cyber security in nonprofits.

Dufour is a cyber security expert, instructor with SEcureCog, and a director at White Canvas Group. Dufour provides advice about security and privacy for both nonprofits and businesses.

TST: Why should data security be a priority for nonprofits?

Dufour: We never know who may be interested in our data for nefarious purposes. Think about membership email distribution lists that can be found via simple Google Dorking techniques. While you may not think it’s a big deal that that data is not secure behind your nonprofit’s firewall, your members will be pretty PO’d to find themselves future victims of a Chinese spear phishing scheme.

TST: What are some common myths you hear about security? What do you think is important for nonprofits to better understand cyber security?

Dufour: I hear that it’s just not a big deal: “Who would want to hack my organization?” Well, if you’re not spending ANY attention on your own cyber security, then how do you know WHO’S a threat to you? You don’t. In many cases, you’ll never know. But there are some simple things you can do to make your nonprofit appear to be less of a target, which is all it takes sometimes to deter a hack.

TST: What are frequent issues you find in electronic security?

Dufour: The biggest one is that people mistake good electronic security for TOTAL cyber security. The truth of it is, 90% of most attacks these days happen in spite of technical means, and most of those are some sort of social engineering technique like spear phishing.

TST: How is security for businesses different than nonprofits–or is it?

Dufour: It shouldn’t be. You’ve got to think about security like you would finance: You HAVE to keep track of financial records and manage payroll, right? Security is just like that. It’s not the responsibility of the IT guy; it’s EVERYONE’S responsibility. Businesses are having just as hard a time recognizing that nowadays as nonprofits.

TST: What are best practices for nonprofits to secure their financial records or donor and employee data?

Dufour: Use trusted software and think twice before posting something onto a web-based portal of any kind. Take the time to research vulnerabilities of the systems you’re using and plug as many of those holes as you can.

About Web sites

TST: As some nonprofits outsource Web site creation and maintenance–or may even have a volunteer providing Web services–what are important guidelines for first steps and ongoing maintenance to deter hacking and security breaches?

Dufour: The bottom line here is inculcating a respect for security in everyone who interfaces with your organization, from employees to contractors to FAMILIES. One of the easiest ways to figure out somebody’s password is to crack another password on another site they use, like Facebook. 9 times out of 10, you’re using the same password for multiple site logins. So if I put up a fake Facebook login page that your son logs into, now I can impersonate your son online and even get YOU to surrender information to me willingly. OR I can try using that password on other services and sites.

On databases

TST: How secure is the cloud?

Dufour: If you put it on the internet, given enough resources, someone will eventually be able to find it.

TST: So, that is not a good thing in this case?

Dufour: For me personally, I think the benefits of cloud-based computing and storage outweigh the potential security risks. But that’s just me, and I know plenty of organizations whose data was mishandled or otherwise exploited by attackers because it was in the cloud. Just take appropriate security precautions ALWAYS when storing data in the cloud. Use SUPER-STRONG password strings, don’t hang everything in the same place, and generally make it as difficult as you can for a potential attacker to get over your castle wall. Also be savvy about WHAT you’re storing in the cloud: does your membership know that all their contact information is stored on a spreadsheet that you’re storing in the cloud? Does that spreadsheet include a line item for member passwords to your website or CMS? Just be very cognizant of EVERYTHING you put into the cloud and take every measure you can to protect it.

Social Media

TST: In what ways might an organization be concerned about security on social media?

Dufour: I think social media is one of the biggest vulnerabilities for organizations nowadays because of the richness of information people put on their profiles. I can do some simple research and have you friend a fake persona that I’ve created, and then through the relationship I build with you through that persona, derive personal information that I can then use to exploit your organization. That’s to say nothing of all the mayhem hackers can cause by brandjacking your official social media channels and spewing forth incorrect or inflammatory information, or crowdsourcing legions of people to write negative reviews about your services just because they’ve got an axe to grind with you.

TST: What is the best advice you can give to individuals about security and privacy online?

Dufour: I can’t say this enough: If you put it on the internet, given enough resources, someone will eventually be able to find it. And more importantly, PAY ATTENTION to the non-obvious hacking threats out there, like evidence of someone interacting with you online to discern information that could then be used to exploit your affiliation with your work or organization. We’re living in the age of NO PRIVACY, so even privacy controls on the social media we use are only as good as the next update to that software.


About Chris Dufour

Chris Dufour is a preeminent expert in employing digital strategy and technologies for defense, intelligence, and diplomacy. A founding member of what is now known as the Joint IED Defeat Organization, Chris piloted studies in web-based data gathering and sense-making to detect online criminal networks. As a program manager in irregular warfare, Chris managed the R&D portfolio for strategic communications, public diplomacy support, information operations, and psychological operations at the Combating Terrorism Technical Support Office. He has advised, led, and participated in several studies of social networking phenomena for government, academia, and industry. He has designed social media marketing strategies for small and large businesses, and he has written every type of web content from blog post to video game script.

Chris is a noted industry speaker on digital influence and social media having been recognized at conferences such as IQPC’s Information Operations Global and Sister Cities International. Presently, @Du4 (as he is known on Twitter) is a director for the White Canvas Group, where he currently manages social media strategy and digital influence training projects for the US Special Forces and Intelligence Communities as well as a host of Fortune 200 businesses and nonprofits. He has trained more than 2,000 people in advanced uses of social media and social media safety for families. If you need help securing yourself or your organization online, reach out to Chris at

  • gmart

    “the benefits of cloud-based computing and storage outweigh the potential security risks” “use SUPER-STRONG password strings” — Number one, you need to ask yourself if the benefits (often convenience and cost) truly outweigh the risks. What if your donor database is hacked, stolen, or maliciously altered? What effect will that have on your donors and your organization? Strong passwords are necessary, but as we have seen with the Target hack and others, and with the vulnerabilities in OpenSSL, there can be back-door and systemic weaknesses that allow someone to get to your data no matter how strong your password is. Bottom line: if it is in the cloud, it is vulnerable.

  • Cindy Leonard

    “Security is just like that. It’s not the responsibility of the IT guy; it’s EVERYONE’S responsibility.”

    Thank you so much for stating that out loud – such a critical point that is frequently overlooked!

    • Amy DeVita

      Thanks for your comment, Cindy. Do you see a lot of organizations involving departments outside of IT for security?
