paint-brush
Digital Asset Protection: The Risk of Insider Threats for Nonprofits And What Can Be Doneby@zacamos

Digital Asset Protection: The Risk of Insider Threats for Nonprofits And What Can Be Done

by Zac AmosOctober 6th, 2023
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Insider threats show up in many different ways in nonprofits, resulting in loss of over 5% of revenue. To protect against insider threats, nonprofits should strictly vet volunteers, limit permissions inside the organization, develop business continuity plans, and establish a culture that fights insider threats.

People Mentioned

Mention Thumbnail
featured image - Digital Asset Protection: The Risk of Insider Threats for Nonprofits And What Can Be Done
Zac Amos HackerNoon profile picture

Nonprofit owners and managers must be as vigilant about protecting digital assets as the world’s most renowned tech companies. Financial institutions and health organizations have some of the highest concentrations of personally identifying information, but nonprofits are unsuspecting stores of Social Security numbers, banking information, and more.


Insider threats are becoming more prevalent in the digital threat landscape. How can nonprofits that require copious outside assistance keep data safe?

Unpacking Insider Threats

The term “insider threats” is complex, primarily when nonprofit organizations have so many moving parts. Over 90% of businesses feel threatened from the inside, meaning it should be a top priority for nonprofits whose mission is to improve the world.


They have permanent staff alongside a constantly rotating door of volunteers, sponsors, and business partners. Any one of these contributors may be an insider threat and compromise data with their access. Examples of inside threats include:


  • Using fraudulent payment processing and accounting
  • Working with threat actors to create vulnerabilities for cyberattacks
  • Stealing donor or stakeholder information
  • Selling data illegally to third parties
  • Mismanaging fundraising funds with harmful intent


Nonprofits lose over 5% of revenue to fraudulent activities like these. However, not all insider threats relate to digital resources, though they are some of the most common nowadays. Other insider threats include social engineering or manipulation of inside parties working for criminal outfits. These people can influence marketing, investing, and collaboration decisions for nonprofits.


Nonprofits lose donor loyalty by ignoring the importance of protecting against insider threats. It has consequences on reputation and income. Most importantly, it impacts the charity’s mission when staff and supporters lose morale from compromised momentum. These strategies protect organizations on all sides from insider breaches.

1. Strict Volunteer Vetting

Nonprofits rely on the kindness of volunteers to execute projects. Unfortunately, interest does not always signify good intentions. A desperate need for staff leads to people from every background having internal insights into the nonprofit. Most volunteers will work with honest intentions, but insider threats are too prevalent to provide blanket optimism.


Vetting volunteers eliminates concerns because management can perform safety measures to ensure high-quality helpers. Nonprofits may interview, perform background checks, and review references to determine character quality. It provides camaraderie between all volunteers because they have a strong sense of authenticity and trust.

2. Limiting Permissions

A case study of 20 nonprofit organizations revealed teams are too trusting. Around 43% of participants stated an overabundance of trust is the reason behind insider threats. Giving too many parties information and inadequate oversight are problems with simple remedies. Nonprofits must analyze this fact if they have yet to undergo digital transformation.


Paper resources are more accessible for insider threats to tamper with or steal, and limiting who has access to business-critical information reduces the likelihood of theft. It also minimizes risk response because nonprofit managers will spend less time discovering the person or people behind the breach if only a small group of staff and volunteers have keys or passwords.

3. Developing Business Continuity

Do nonprofit owners and managers have consistent documentation and plans that are easily accessible in case of an insider threat? Business continuity documents should be accessible to anyone detecting the insider threat.


The plan must contain action steps for managing and reporting the threat in a clear enough format that anyone can carry out the phases independently and notify relevant management. Here are some suggestions for what to include in a continuity plan in case of an insider threat:


  • Phone numbers and links for police
  • Who to notify in information technology in the event of a digital breach
  • Who to tell in management to contain the threat
  • Shutdown actions, such as deactivating Wi-Fi, locking doors, or freezing company financial assets
  • Executing digital backup recovery measures
  • What evidence to gather


Nonprofits are responsible for practicing and fine-tuning the continuity plans as new insider threats become more severe. Oversight must stay in touch with current events and trends in the sector to know what to protect against. Action must be proactive instead of reactive to have the most significant effectiveness.


The plan must receive scheduled attention annually for reevaluation with advice from a fraud professional. The document should be thorough yet efficient because the last obstacle a nonprofit needs during a crisis is a too-laborious procedure for isolating the threat.

4. Establishing Culture

Every previously mentioned action culminates into a nonprofit culture that opposes insider threats. The more a group works to establish that precedent, the more it reduces a threat actor’s willingness to work toward a breach.


Creating safeguards and being transparent to donors and staff increases awareness of what the nonprofit is doing to protect its resources and people. Why would threat actors be motivated to target an organization with more robust security than another?


Another way to establish a positive culture that fights insider threats is to view protective measures as positive instead of preventive. For example, nonprofit organizations giving tours to new volunteers can point out their state-of-the-art security cameras and note which locations and documents are off-limits. Doing so outlines they do this out of safety for their staff, donors, and mission instead of out of fear or susceptibility to insider threats.


The more aware everyone is of these anti-insider threat details, the more likely workers are to report suspicious activity or challenge questionable language or actions from other stakeholders. Minimizing complacency and empowering staff members with confidence and agency increases the likelihood they expose insider threats.


Even if they do not turn out to be legitimate, it diversifies a person’s view on what a threat could look like and how nonprofit managers can reduce false positives in the future.

Guarding Against Insider Threats in Nonprofits

Social good projects will only increase in influence as time goes on. More people will donate their time and money to causes to improve the world. However, this puts any relinquished data in a potential threat actor’s hands.


Nonprofits are a great place for cybercriminals to gather data. Charities can set precedents that the sector is well-protected by using these strategies to deter malicious activity.