September 24, 2019


Books, music, and movies offer factual and fictional stories that capture our imagination, invoke emotion, and move readers to act. The most interesting stories have drama, plot twists, tragedies, ironies, and comedies that reflect on current conditions and paint a vision of better conditions. Not-for-profit organizations, like many other private and governmental organizations, have been digesting a best-selling cybersecurity story fueled by fear, uncertainty, and doubt. If you are one of those board members, consider if the cybersecurity story you are reading or listening to is fact or fiction.

Start with why

Many issues and questions surface as not-for-profit boards discuss cybersecurity risks. Sorting through the cybersecurity issues and questions takes focus and patience to understand. But you don’t need to be a technology or security expert to be effective. Simon Sinek, the famous British-American author, motivational speaker, and organization consultant, has written books and spoken extensively about a powerful technique he uses—start with why. To do so, NFPs need to ask why cybersecurity is important to their mission. The answers will galvanize the organization’s focus and motivate stakeholders to do things that will help meet the mission and avoid or minimize the things that will jeopardize the mission.

For example, let’s imagine the mission is “To restore, maintain, and sustain [art, botanical gardens, cultural history, forests, health & welfare assistance, landmarks, parks, wetlands, etc.] for the benefit of [community, city, state, etc.] current and future citizens”.

  • Why is cybersecurity important to the NFP’s mission? The board may conclude that cybersecurity is important to the mission because without the trust and ongoing assistance of others supporting the mission, patrons will have less or no access to [art, botanical gardens, cultural history, forests, health & welfare assistance, landmarks, parks, wetlands, etc.].
  • Why would trust be diminished due to a cybersecurity issue? Supporting stakeholders may lose confidence in the ability to continue the mission if:
    • There is a data breach event that puts stakeholders’ personally identifiable information at risk of identity theft or physical harm. 
    • A malware attack successfully misappropriates or damages assets (email leakage, improper transfer of operating funds, ransomware attack encrypts key systems and records).
    • Required disclosure of the data breach tarnishes the reputation of the NFP which deters current and future supporters from making contributions or patrons from using [art, botanical gardens, cultural history, forests, health & welfare assistance, landmarks, parks, wetlands, etc.].
  • Why would NFPs be targeted by cyber threat actors? Threat actors don’t care about the mission. They are motivated by dollars or destructive ideals. The easier to steal or destroy, the better. They target unprepared and unsuspecting NFPs they know have details on funding sources [endowments, charitable trusts, philanthropists, etc.] that help make the mission possible. They want to sell the information harvested on the dark web (PII data like names, phone numbers, birthdates, Social Security numbers, credit card numbers, email and/or mailing addresses, etc.). Or they want to gain access to email systems, financial systems, HR systems, payroll systems, procurement systems, etc. to perpetrate hurtful cybercrimes to disrupt, divert, or disable legitimate communications, deliveries, payments, or deposits.

Understand what must be protected

We could continue asking “why”, but at this point it should be abundantly clear why cybersecurity is an important issue for NFPs. Without exhaustively asking why, the list of what needs to be protected may be incomplete and create a blind spot, leaving your organization vulnerable to costly exploits. Why informs NFPs what they need to protect:

  • Non-public information (NPI)—NPI is inclusive of PII and PHI but also includes transactional or contextual information NFPs may collect from donors, employees, program participants, or suppliers. Examples include:
    • Financial, credit, and medical data
    • Home address and telephone numbers (including home email addresses)
    • Social Security Number
    • Birth date
    • Mother’s maiden name; other names used
    • Family data
    • Religion, race, national origin
    • Account numbers
    • Performance ratings
    • Complaints
    • Litigation information
    • Intellectual property
    • Acquisition/Divestiture information
  • Networks, servers, and devices—Networks, servers, and other computing devices store, transport, and process NPI, so they must be protected to maintain the confidentiality, integrity, and availability of NPI.
  • Employees and third parties—Employees and third parties that handle NPI must be trained to understand how to protect NPI and guard against phishing and other social engineering threats.

Practical how-to guidance

“What” informs NFPs how they may protect their important and sensitive data. There are many point solutions that may be helpful and that technology companies are willing to sell. However, NFPs should resist buying tools advertised to help without first framing a holistic cybersecurity program. The cybersecurity program is the blueprint for how the NFP mitigates cybersecurity risk. NFPs have limited funds. It is incumbent on them to understand the priority, sequence, and dependencies of what needs to be done over time. These activities will have varying costs, levels of effort, levels of difficulty, and ongoing maintenance costs. That necessitates strong discipline to communicate and balance the resource requirements for achieving the mission against the budget available. Finite resources mean NFPs will need to accept some cyber risk. Risk acceptance must be explicit, not a surprise.

  • Do you have the right people, processes, and technologies to protect your business from cyber threats? A good place to start is to review the NIST Cybersecurity Framework, which has become a benchmark for what to do not only in the US but is being adopted or emulated across the globe. Additionally, there is complementary guidance from NACD, ISACA, and The IIA on how to elevate cybersecurity to your company board’s governance agenda. If that is too much to consider, review the Center for Internet Security punch list of 20 critical information security controls to determine not only whether they are in place but whether they are being done well enough. Realize that there are no silver bullets for cybersecurity. These frameworks, guidelines, and benchmarks do nothing for your organization if the company is unwilling to accept that it has gaps that will require a plan of action to close.

  • Here are four pragmatic measures to consider:

1. Independent Assessments 

Annual independent assessment is a critical governance tool to provide a comprehensive evaluation of implemented security policies, procedures, controls, and staff in relation to best practices and industry standards. If risks have shifted, it may warrant reallocating resources accordingly. Cyber threats are becoming more numerous and damaging with every device that connects to the internet. It’s not going to stop. Think about it. If you need convincing, read the 2019 Verizon Data Breach Investigation Report and you will either agree or fall asleep because you don’t understand it, and that may speak volumes about your cybersecurity maturity. Cyber risk is a business risk that has managerial, operational, financial, legal, and technological dimensions. Technology changes faster than all the other dimensions, making it difficult for businesses to adapt to it. We’ve been trained to deal with catastrophic loss by reviewing business continuity plans and getting the right insurance coverages. That said, these strategies or tactics need to be revisited or updated to understand the appropriate mitigations to protect your company from a cyber-attack. Insurance is a logical risk tool, but it doesn’t fix your cybersecurity posture. People, processes, and technology help you do that.

2. Vulnerability Management

Preventive and detective security controls are the keys to minimizing the impact of ransomware and other types of hacker attacks in the enterprise. Hackers do their homework. Their reconnaissance efforts begin with an understanding of the vulnerabilities in the target environment (think your network). Threat actors use many of the same tools IT security departments would use to scan your environment for the latest vulnerabilities to ascertain exploit impacts. Understand that vulnerability scanning must not be a mechanical process. Rather, a vulnerability management program requires:

  • Discipline - Vulnerability scans must be done monthly or after every major change in your environment, with a rescan to verify that patching/remediation was effective.
  • Coordination - Patching and remediation efforts take more time than scanning, which keeps IT and security teams from doing other things. Taking time to scan and know your vulnerabilities does nothing if IT doesn’t prioritize time and resources to fix critical or severe vulnerabilities.
  • Governance - Vulnerability reporting should be transparent to the executive team and board to ward off false assurance. If your NFP is thin on resources, you can outsource your vulnerability scanning program to a managed security services provider (MSSP).
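As an added example (not from the original article or any scanner vendor), the following Python script applies the three points above to two constructed monthly scan result sets: it verifies which findings were actually remediated between scans, orders what remains so critical and high items come first, and produces the counts a board-level report would carry. Hostnames, finding names and the three-field row format are constructed assumptions, not the output of any real tool.

```python
"""Compare two vulnerability scans: verify remediation, prioritize, report to the board."""
from collections import Counter

# Constructed sample scan rows (host, finding, severity); not from a real scanner.
SCAN_MAY = [
    ("fileserver01", "SMBv1 enabled", "critical"),
    ("fileserver01", "Missing vendor OS patch", "high"),
    ("donor-web", "TLS 1.0 enabled", "medium"),
    ("donor-web", "Outdated CMS plugin", "critical"),
    ("hr-app", "Default admin credentials", "critical"),
]
SCAN_JUNE = [
    ("fileserver01", "SMBv1 enabled", "critical"),   # still open: remediation not effective
    ("donor-web", "TLS 1.0 enabled", "medium"),      # still open, lower priority
    ("hr-app", "Weak password policy", "high"),      # new finding since last scan
]

# Lower number = fix first (the "coordination" point: critical/severe before the rest).
PRIORITY = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def compare_scans(previous, current):
    """Split findings into remediated, still_open and new (keyed on host + finding)."""
    prev = {(h, f) for h, f, _ in previous}
    cur = {(h, f) for h, f, _ in current}
    remediated = sorted(prev - cur)   # gone from the rescan: fix verified
    still_open = sorted(prev & cur)   # reported last month and still present
    new = sorted(cur - prev)          # appeared since the last scan
    return remediated, still_open, new


def remediation_queue(current):
    """Order open findings by severity, then host, so the worst items are worked first."""
    return sorted(current, key=lambda r: (PRIORITY[r[2]], r[0], r[1]))


def board_summary(previous, current):
    """Plain counts for the executive team and board (the "governance" point)."""
    remediated, still_open, new = compare_scans(previous, current)
    open_by_sev = Counter(sev for _, _, sev in current)
    return {
        "remediated": len(remediated),
        "still_open": len(still_open),
        "new": len(new),
        "open_critical": open_by_sev.get("critical", 0),
        "open_high": open_by_sev.get("high", 0),
    }


if __name__ == "__main__":
    print(board_summary(SCAN_MAY, SCAN_JUNE))
    for host, finding, sev in remediation_queue(SCAN_JUNE):
        print(f"{sev:8} {host:14} {finding}")
```

Running the same comparison after the next scan turns "still_open" into the list the board should ask about: findings reported in a prior month that remain open are exactly the false assurance the governance point warns against.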

3. User Awareness Training 

The need for User Awareness Training is evergreen. The technology landscape changes, consumer choices change, user behaviors change. Consider supplementing your program with an active phishing campaign periodically, if your user awareness program is a tired PowerPoint deck or a policy acknowledgment done once a year or only completed during employee onboarding. It is relatively easy to put a phishing email in front of everyone on your system to see which users are quick to put the firm at risk. Your internal or external IT experts can likely handle this chore, or it is relatively inexpensive to outsource this kind of system test.

4. Incident Response Planning 

Provisioning an incident response team is an important prevention, detection, and correction planning step. Planning incident response while an incident is occurring is rarely productive or successful. Realize that incident response involves a coordinated communication plan and orchestration of internal and external resources. NFPs should investigate the sustainability of shouldering this effort on their own. Smaller businesses have been turning to Managed Detection and Response (MDR) services as an economical approach. MDR providers bring the tools, processes, and people to watch for malicious activity on your network and work quickly to respond appropriately by interrupting unfriendly connections or containing malicious activity before it spreads extensively, which lowers the cost of recovery. In many respects, MDR is a force multiplier that provides access to leading-edge technologies, refined processes, and dedicated personnel 24x7x365 for a fraction of the cost at which an NFP could build it. There’s a lot more to incident response, but in particular, establish relationships with federal, state, and local cybersecurity officials as well as federal agencies like the Department of Homeland Security (DHS) and the US Computer Emergency Readiness Team (US-CERT). Sharing information with law enforcement agencies about unusual network activity, denial of service attacks, phishing attacks, and quarantined malware allows more parties to be vigilant. Observations of malicious activity provided to law enforcement may help triangulate the identity of hackers and lead to eventual prosecution. Are you prepared?
