How Much Should 501c3 Nonprofits Spend on IT Security?


What would happen if cybercriminals gained access to your donor information? Your accounting software? Your event registration?
While you might not necessarily expect a 501c3 organization to be appetizing to hackers, nonprofits are actually brimming with sensitive information that can be sold for a pretty penny on the black market. And, since this is an industry that is known for being rather cash-strapped in most cases, chances are that defenses are low to nonexistent (read: you’re an easy target).
So, in an ideal scenario, what should nonprofits be investing in IT security?
The good news is that if you’re asking this question, you’re already on the right track to keeping your sensitive data secure. Whenever we hear this question from our nonprofit clients (which happens more often than you might think), it’s a discussion that we’re always happy to have.
Below we’ll work through the main factors that will affect what your nonprofit’s IT security investment will look like, and what—in an ideal scenario—you should look to invest overall.

Key factors that influence the nature of your IT security spend

The amount you want to invest in your nonprofit’s IT security each year depends on the following factors:

  • Whether or not you’ve had a recent security audit. Before you can make any strides toward bolstering your IT systems, you have to establish a clear baseline. This takes the form of an outside provider performing an objective gap analysis that locates existing vulnerabilities and offers a roadmap for remediation. (Put simply, if you haven’t invested in a security audit recently, you’ll need to.)

  • The size and complexity of your nonprofit. This one is pretty straightforward; the more nooks and crannies your technology environment has, the more effort (and likely money) it’s going to take to secure them. Not only that, but a larger staff count also means investing more time in properly training them on any security policies.

  • The state of your current hardware and software. Are your servers and workstations regularly patched and monitored for health? Are any of your servers out of warranty? Are you running aging, donated machines with Windows XP (which is no longer supported in any capacity)? Is your software patched and properly licensed? If you’re working off of an aging infrastructure, you might need to make some initial upgrades before you can make any progress toward being secure.

  • The nature of your data. Is your nonprofit storing sensitive information about your donors or constituents (be it personal, financial, or otherwise)? Are you subject to any compliance regulations? If your data were to get in the wrong hands, what would the repercussions be? The more tightly you need to control your data, the more you’ll need to invest in things like encryption at the hardware, file, and/or email level.

  • Your tolerance for risk. The million-dollar question: how secure do you want your nonprofit to be? Are you comfortable sacrificing maximum protection for the sake of cost savings? Where? Do you trust your employees to follow best practices without any controls in place? As you can probably guess, the lower your tolerance, the higher your costs will be.


How much should nonprofits spend on IT security?

As you can see from the factors above, there is an adoption curve when it comes to security. Your placement on this curve will dictate the nature of your overall IT spend.
In other words, if you are just now taking the initiative to secure your nonprofit, you’re going to have some significant up-front costs to wade through before you’re in the position to maintain your secured environment. This is a much different scenario than you’ll see with organizations that have been making security a priority and a part of their organizational culture for quite some time.
To get started, you’re going to be hard-pressed to find a (quality) security audit for much less than $10,000. (Please—don’t be seduced by a “free” assessment; you simply won’t get any real benefit out of these.)
From there, you could be looking at another up-front investment of close to $5,000 in engineering and consulting labor to implement the necessary technology solutions and policies to eliminate existing vulnerabilities that the audit uncovered.
Then, once your environment is shored up, you should expect your ongoing security maintenance costs (including testing and adjustments) to hover around $3,000 over the course of each year.
Of course, the main concern with 501c3 nonprofits in particular is that tight budgets often don’t allow much wiggle-room for capital expenditures or even larger ongoing investments that aren’t absolutely critical to day-to-day operations.
But, while there is a very real question about whether or not you can afford fully comprehensive security solutions, you also have to ask yourself if you can afford not to.

Concerned that your nonprofit isn't properly investing in its security? Need help developing policies? Want that security audit? Let us know. We can help.