Nonprofit Cyber Security & Compliance: How Engaging Networks Keeps Your Data Protected with a Multi-Layered Approach
Written by: Ken Donaldson, MBA, MSIS, CISSP-ISSAP | CEH | CHFI | CCSA | CCSK
At Engaging Networks, protecting our clients’ data has always been a top priority. Over the past six years, we’ve transformed our approach to cyber security from a set of basic compliance tasks into a comprehensive, proactive program spanning all aspects of our operations.
Our commitment to donation security has led us to achieve the SOC 2 Type II attestation, HIPAA compliance, and Payment Card Industry (PCI DSS) compliance for donor transactions. What began as a need to safeguard credit card data has evolved into a company-wide ethos of standardized best practices, continuous risk management, and a culture of security excellence. This journey reflects our long-term commitment to compliance, not just to “check a box,” but to continually strengthen the trust that nonprofits place in our platform.
Here’s what we’ve learned throughout this security transformation, and how we’re embracing a future of resilient, multi-layered defense:
Key Pillars of Our Cyber Security Program

Our recent compliance journey reinforced several key pillars of a strong security posture. These pillars ensure we stay ahead of threats and maintain trust:
Standardization with Best Practices: We aligned our systems and configurations with the industry best-practice benchmarks for nonprofit data compliance to ensure a secure baseline from the ground up. For example, adopting prescriptive standards like the Center for Internet Security (CIS) AWS Foundations Benchmark provides clear, step-by-step guidance on securing everything from network settings to user permissions. This standardization means our AWS environments and applications are configured securely and consistently according to proven guidelines, reducing variability and misconfiguration (a common source of breaches).
Change Management & Patch Discipline: Change management is a critical aspect of any nonprofit cyber security program. Our formal processes for managing changes to our systems and code ensure that updates are reviewed, tested, and approved before deployment. This change control not only prevents accidents, but also provides an audit trail for compliance with data protection regulations.
Hand-in-hand with change control is a strong patch management regimen: we apply security updates to servers, applications, and dependent libraries promptly and systematically. By documenting all procedures – from how we harden a new server build to how we respond to an incident – we ensure consistency and accountability.
Continuous Monitoring & Layered Protection: A multi-tiered approach to security monitoring and threat prevention – rather than relying on any single control – is key. At the network and application perimeter, we leverage Cloudflare Enterprise services to shield our platform. Cloudflare’s always-on DDoS mitigation absorbs malicious traffic surges, ensuring our clients’ fundraising and advocacy pages remain available even under attack. The integrated Web Application Firewall (WAF) acts as a smart shield against web exploits, such as SQL injection or cross-site scripting, filtering out dangerous requests before they reach our applications.
We employ both Cloudflare’s managed rule sets and custom WAF rules tuned to our environment, so new threats can be addressed rapidly as they emerge. Cloudflare’s bot management technology helps us distinguish real supporters from malicious bots, automatically blocking or challenging any abusive automation interacting with your fundraising efforts (such as bots attempting fraudulent donations or credential stuffing).
Training and Qualified Personnel: The best tools and policies mean little without knowledgeable people behind them. That’s why we place heavy emphasis on security training and a strong team culture. All Engaging Networks staff undergo regular security awareness training to recognize social engineering attempts, protect sensitive information, and adhere to secure practices in their roles. We also invest in our technical teams to ensure they stay current on cloud security and compliance skills – for example, our engineers are well-versed in AWS security features, and our compliance staff is trained on frameworks like SOC 2 and PCI. Ultimately, maintaining security is everyone’s responsibility, not just the IT department’s. This focus on people and education ensures that security isn’t just a box on a checklist, but a mindset shared across the company.
Enterprise-Grade Compliance (SOC 2 and Beyond): Achieving SOC 2 Type II compliance was a milestone that validated many of the practices above. A SOC 2 Type II audit is an in-depth, months-long examination that checks not only what controls you have, but how consistently you follow them over time. Passing this audit meant demonstrating, with evidence, that our security controls (from access management to incident response) are well-designed and operating effectively day in and day out. Third-party auditors “verified that Engaging Networks provides enterprise-level security for all of its customer data”.
For our clients, this certification offers tangible assurance that a trusted outside firm has attested to our security posture meeting a high standard of care. Of course, compliance is not a one-time project – maintaining SOC 2 means continuously executing on our controls and undergoing annual audits to renew the attestation. Similarly, we maintain our PCI DSS compliance (as a PCI Level 2 service provider) through annual self-assessments and quarterly network scans, among other measures. It’s a continual cycle of improvement: plan, implement, get audited, refine – and then repeat.
HIPAA Compliance for Donations and Fundraising: We undertook the process to become HIPAA compliant to further safeguard health-related donor information that may be collected during fundraising activities. Although Engaging Networks doesn’t process medical records, we recognize that health-focused campaigns often involve personal health details subject to HIPAA regulations. This initiative included refining access controls and data handling procedures, updating our breach notification protocols, and implementing specialized HIPAA training for key personnel. Aligning with the HIPAA Security Rule underscores our commitment to safeguarding sensitive donor information to a standard that exceeds compliance, reflecting our dedication to trust, integrity, and the protection of our client data.
What’s Next: Continued Compliance & Protection

Security is a journey with no finish line, and we are committed to continually enhancing our defenses. Looking ahead, Engaging Networks is focused on several key initiatives to stay ahead of the nonprofit cyber security curve:
Ongoing Risk Assessments: We plan to conduct more frequent and granular risk analyses (beyond the annual ones) to identify emerging threats and control gaps. By performing targeted risk assessments on specific areas, such as third-party vendors or new product features, we can proactively address issues before they impact our clients.
Expanding Training and Awareness: We will continue to broaden our security training programs for both staff and partners. This includes regular security refreshers for all employees, advanced training for our engineers (e.g. secure coding practices, cloud security workshops), and even educational resources for our nonprofit clients. Our goal is to cultivate an even stronger security-first mindset organization-wide and to extend that knowledge outward. The more security awareness grows among all stakeholders, the less often we’ll see avoidable mistakes.
Advanced Threat Detection & Response: We are investing in enhanced real-time threat detection capabilities. This may involve deploying new security monitoring tools or services (such as advanced SIEM or behavioral analytics) to spot suspicious patterns across our network quickly. Additionally, we’re refining our incident response processes to ensure that if something does slip through, our team can react immediately and effectively. Faster detection and response mean a smaller potential impact. We’re also exploring automation in this arena – for instance, automatically isolating a suspicious user session or IP address the moment an alert triggers, which can contain threats before human responders even step in.
Further Hardening and Standardization: In the spirit of continuous improvement, we’ll continue to refine our baseline configurations and eliminate any unnecessary exposure. This could include measures like even stricter network segmentation, expanding our use of least privilege access, and regularly benchmarking our AWS environment against the latest CIS recommendations. Each year, the CIS Benchmarks and other best practices evolve (for example, new controls for cloud container security or identity management), and we intend to adopt those that make sense for our platform. By continually hardening our systems, we reduce our attack surface area over time.
Monitoring Regulatory Changes: The compliance landscape for data security and privacy is constantly changing – new laws and standards will emerge that affect us and our nonprofit clients. We are closely monitoring developments, including data privacy regulations and sector-specific requirements for charities.
Final Thoughts
Six years of security evolution at Engaging Networks have taught us that nonprofit cyber security and data protection are an ongoing journey, not a destination. Security is not something you achieve once and declare victory; it’s a continuous cycle of assessment, improvement, monitoring, and education. Our multi-layered approach – incorporating standardization, robust processes, advanced tools, and empowered personnel – ensures that, as new threats emerge, we are ready to meet them in a coordinated manner. Compliance milestones, such as SOC 2 Type II, are critical checkpoints, but the true measure of success lies in day-to-day diligence and the trust we earn from our clients. Engaging Networks will continue to provide a secure and reliable foundation for organizations to build lasting relationships with their supporters. Security is a journey we undertake proudly every day, together with the inspiring nonprofits that entrust us with their data and dreams.