Put your nonprofit’s cybersecurity system to the “pen” test
At least 68% of not-for-profits experienced one or more data breaches between 2021 and 2023, according to the CyberPeace Institute. Already in 2025, several nonprofits, including health care, social service and religious organizations, have publicly disclosed losses from cyberattacks. Nonprofits can be particularly vulnerable because they generally spend less on cybersecurity and have fewer staff members with the knowledge to oversee it.
Even if you’ve implemented what you believe are effective safeguards, you won’t know how well they work unless you challenge them. Penetration (pen) testing finds vulnerabilities that might otherwise go unnoticed until a system is breached. Engaging a contractor to conduct pen testing not only can uncover vulnerabilities but also shows stakeholders and the public that you take threats to your nonprofit’s data security seriously.
Gaps and misconfigured settings
Pen testing assesses how well a cybersecurity program, and the specific controls within it, stand up to an attacker. It examines technological vulnerabilities as well as those related to an organization's people, facilities, policies, processes and procedures. Unlike an automated vulnerability scan, which only lists possible weaknesses, testers look for gaps and misconfigured settings that criminals could leverage and then try to exploit them to show what an attacker could actually reach.
If you engage pen testers, they'll simulate an outside attack, targeting your users, systems and network in an attempt to gain unauthorized access to sensitive data. They generally start by scrutinizing your network and systems for potential openings, such as:
- Weak or reused employee passwords,
- Employees who can be tricked by phishing emails,
- Missing or ineffective multifactor authentication, and
- Software that hasn't been patched in a timely manner.
Pen testers may test all your networks and systems or only the public-facing ones (for example, your website or email). These simulated attacks may be scheduled or unannounced; an unannounced test also shows how quickly your staff notices and responds to an intrusion.
Categorized by color
Pen testing is often categorized by color. In white box testing, the testers have full access to your systems and networks upfront, including login credentials, source code and architecture. Because they don't spend time discovering how things are built, white box testing is usually the most thorough and can be the most affordable per finding, but it doesn't show what an outsider could actually discover on their own. In black box testing, the testers have no advance knowledge and work the way an outside attacker would. That's more realistic, but much of the engagement can go to reconnaissance, and testers may never reach your internal protections, so black box testing is generally less comprehensive.
Grey box testing is a hybrid. Testers start with some understanding of your systems and networks, often including an ordinary user account, but don't have full access. This approach can be the most realistic because real cybercriminals generally don't go in blind: they research a target online before attacking and often start from a single compromised user account.
Weighing the costs
Pen testing can be expensive, but data breaches usually cost much more when you consider the potential consequences, including lost files, identity theft, work downtime, legal costs, regulatory fines, ransom demands and reputational damage. Larger nonprofits should make pen testing a regular part of their cybersecurity programs, and any nonprofit should consider a test after a major change to its systems.
You can find a qualified pen tester by looking for vendors whose staff hold credentials such as Certified Ethical Hacker (CEH) or Offensive Security Certified Professional (OSCP). Before signing, agree in writing on what is in scope, when testing may occur and how findings will be reported. Contact us for recommendations and tips for strengthening your nonprofit's cybersecurity.
© 2025