Protecting the Mission: A Cybersecurity Guide for Arkansas Nonprofits
Introduction: A Wake-Up Call for Arkansas Nonprofits
It must have been a nearly unbearable day for the Arisa team.
On or around March 18, 2024, Arisa Health, Arkansas's largest nonprofit behavioral health system, serving tens of thousands of clients across 41 counties and 80 locations, began experiencing ominous connectivity issues. The network disruptions proved, however, to be a harbinger of something much more serious — and a nightmarish episode that wouldn't end until Arisa settled a class action lawsuit in 2025 for — gulp — $1.9 million.
Cybercriminals, a forensic investigation revealed, had infiltrated Arisa's networks in the first half of March 2024, eventually leading to a massive data breach as well as the widespread exposure of sensitive patient data to bad actors, including names, birth dates, social security numbers, medical histories, and insurance information.
A 2025 class action lawsuit asserted that the Arkansas nonprofit had failed to implement adequate cybersecurity safeguards to protect patient records.
The Iceberg Below: Cyberattacks on Arkansas Nonprofits
And while this incident sent shockwaves through the state's nonprofit and healthcare communities, it was hardly an isolated incident. Every day, there are nearly 600 million cyberattacks around the globe, according to Microsoft.
600 million! Every day.
And they happen right next door — we often just don't hear about them because many for-profit and nonprofit organizations, unlike Arisa Health, aren't required by law or necessity to report cyberattacks.
Indeed, nonprofits may be uniquely vulnerable.
The nonprofit sector faced a global average of 2,500 attacks per week in November 2025, according to research from Check Point. This is enormously noteworthy for a couple of reasons:
- At 2,500, nonprofits sustained the third highest number of attacks among 23 sectors studied by Check Point, behind only education and government. (And we hear about attacks on education and government a lot.)
- The November 2025 findings represent a whopping 57% year-over-year increase for attacks on nonprofits
Why? Why are cybercriminals picking on nonprofits? While somewhat more complex than this, it would certainly have a lot to do with...
- Lack of IT expertise
- Small budgets
- High-value personal data (donors, volunteers, patients, etc.)
- Higher proportion of volunteers, part-time, and remote workers
Whereas enterprise companies can often afford both in-house IT expertise and best-in-class cybersecurity measures, many nonprofits in the state of Arkansas and elsewhere don't even know where or how or even if to begin.
Making them — the servants who serve — soft targets, unfortunately, for opportunistic cybercriminals.
So what's a nonprofit in Arkansas to do, then?
Start here. Start with this user-friendly cybersecurity guide for the state's nonprofits...
We'll begin by addressing the most common attacks on nonprofits, then we'll give you some actionable steps to take in defending your organization and its mission.
Common Cyberattacks on Arkansas Nonprofits
Wily cybercriminals, regrettably, have not one but many weapons at their disposal for invading the networks of the state's nonprofits. And, these weapons evolve — even as our defenses evolve along with them. Which is why it's so important to see cybersecurity/cyberattacks as a dynamic, ever-changing form of warfare — not something static.
Phishing
Here, think email and other messaging formats.
Phishing attacks often involve deceptive emails that trick recipients into revealing credentials or clicking malicious links. For nonprofits, regular communication with donors and volunteers creates many opportunities for attackers to disguise their phishing messages as legitimate requests, inquiries, etc.
Statistics actually show that human error — including clicking on phishing links — is involved in a majority of data breaches.
Malware and Ransomware
Put simply, malware is software designed to damage or disrupt systems. Common entry points for malware include the aforementioned phishing method as well as unpatched (i.e., outdated) software.
Ransomware, which grabs a lot of news headlines these days, is a subtype of malware that encrypts data and then demands payment for a decryption key. While specific ransomware incidents hitting Arkansas nonprofits aren’t widely publicized, the healthcare sector (which overlaps with many nonprofit service providers) has seen numerous ransomware cases, and the same techniques often target nonprofits.
Social Engineering
Attackers increasingly rely on manipulating human behavior rather than exploiting software and hardware. Social engineering techniques, including impersonation and pressure tactics ("This is the executive director. Send me a spreadsheet with all our volunteers' personal information. I need it quickly."), can convince staff or volunteers to hand over sensitive information. Once credentials are compromised, attackers can move freely through systems.
Of course, there are many other tactics, yet these three — phishing, malware/ransomware, social engineering — demonstrate with broad strokes the major MOs of today's cybercriminals.
7 Cybersecurity Steps Every Arkansas Nonprofit Should Take
The good news is: many game-changing cybersecurity practices are feasible and affordable even for small Arkansas nonprofits. Below are seven steps that'll go a long way in helping you protect your mission.
And make no mistake. Your mission does have to be defended. Cybercriminals are pitiless. They don't care that you're doing "good work" on behalf of the community — which you are. They see only $$$.
1. Conduct a Basic Security Audit
I know, I know. The word audit is gross.
The word audit also feels like something you can skip over and be none the worse for wear.
Mmm, not a good idea here. Because cybersecurity should start with understanding your nonprofit's current security environment, including threats and defenses. But, I want to stress, this doesn't have to be complicated, time-consuming, or expensive. It's really just a quick but deliberate vibe-check.
Begin by inventorying your digital assets — websites, email accounts, cloud storage, donor databases — that need protecting and then assess existing safeguards (password strength, software updates, access permissions).
Identifying gaps early helps you prioritize what to fix first.
This is not intended to be an exhaustive checklist, but some pressing questions to ask:
- Who has access to what — and should they still?
- What happens if someone clicks the wrong email or message?
- Are critical systems protected beyond “just a password”?
- What’s outdated or overdue for updates?
- Could you recover if something went wrong tomorrow?
Need more guidance?
Reach out to us at TekTrendz for a free, no-obligation audit of your Arkansas nonprofit and its cybersecurity defenses (or lack thereof). We can help you conduct a security audit.
2. Get Serious About Cybersecurity First Aid
Truly, the first and most important line of defense against cyberattacks is pretty straightforward.
It's just doing what every organization should be doing. It's right up there with:
- Brushing your teeth at least twice a day
- Buckling your seatbelt every time you drive
- Eating vegetables and fruit
In other words, simple but important stuff — that way too many people probably don't do.
We can call this cybersecurity first aid. This one-pager from TekTrendz is a great encapsulation.
I'm talking about basic but crucial safeguards like:
- Require strong, unique passwords for all accounts
- Use a password manager to store and generate secure credentials
- Enable multi‑factor authentication (MFA) wherever possible
Seriously, don't neglect the first aid. In many ways, it's the simplest, easiest, most impactful thing you can do to defend your nonprofit's mission. Start today.
3. Train Staff and Volunteers on Cybersecurity First Aid
And take all this cybersecurity first aid — and teach, teach, teach... remind, remind, remind... observe, observe, observe.
Make sure everyone on your team — from staff to volunteers — is doing what they're supposed to.
Remember, the vast majority of data breaches originate from human error. Which also means that people are your first, most critical line of defense. So take training seriously.
After a data breach is the wrong time to start talking about cybersecurity with your team.
Today is the day to implement training.
Start with this tip sheet. Share it with your team, and follow up to make sure everyone is complying.
Want us to come talk to your team? We'd be honored to. Especially for our nonprofits!
4. Backups: Don’t Wait Until It’s Too Late
The reason so many attacks are so debilitating is that most modern organizations, including Arkansas nonprofits, can't operate without their data/information. But if a cybercriminal locks down your data, where do you turn?
The right answer: turn to your data backups. A few tips:
- Back up critical data at least daily
- Follow the 3-2-1 backup rule
  - Keep 3 copies of your data, on 2 different types of storage, with 1 copy stored offsite. This ensures that a single failure — or ransomware attack — doesn’t wipe out everything at once
- Store backups off your main network
  - Backups should be isolated from everyday systems so attackers can’t encrypt them, too
- Know exactly how far back you can restore
  - Ask: If we had to restore today, how much data would we lose? One hour? One day? One week? This “recovery window” should match how much disruption your nonprofit can realistically tolerate.
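As an added example (not part of the original guide or any TekTrendz tooling), the short Python check below tests a backup inventory against the 3-2-1 rule and works out the recovery window described above. The inventory entries, the names, and the assumption that the live data counts as one of the three copies are illustrative.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Backup:
    name: str
    media: str              # kind of storage, e.g. "nas" or "cloud"
    offsite: bool           # kept away from the main office
    isolated: bool          # unreachable from everyday systems
    last_success: datetime  # when the last good backup finished

def audit_backups(backups, now, tolerated_loss=timedelta(hours=24),
                  live_media="server-disk"):
    """Return (findings, recovery_window); no findings means all checks pass."""
    findings = []
    # Assumption: the live data counts as the first of the 3 copies.
    if 1 + len(backups) < 3:
        findings.append("fewer than 3 copies of the data")
    if len({live_media} | {b.media for b in backups}) < 2:
        findings.append("all copies sit on one type of storage")
    if not any(b.offsite for b in backups):
        findings.append("no copy is stored offsite")
    # Only isolated backups can be relied on after ransomware, so the
    # recovery window is measured from the newest isolated backup.
    isolated = [b for b in backups if b.isolated]
    if not isolated:
        findings.append("no backup is isolated from the main network")
        return findings, None
    window = now - max(b.last_success for b in isolated)
    if window > tolerated_loss:
        hours = window.total_seconds() / 3600
        findings.append(f"restoring today would lose {hours:.0f}h of data")
    return findings, window

# Constructed sample inventory (not real systems).
NOW = datetime(2025, 1, 15, 9, 0)
SAMPLE = [
    Backup("office-nas", "nas", False, False, NOW - timedelta(hours=2)),
    Backup("cloud-vault", "cloud", True, True, NOW - timedelta(hours=30)),
]

if __name__ == "__main__":
    findings, window = audit_backups(SAMPLE, NOW)
    print("recovery window:", window)
    for f in findings:
        print("FINDING:", f)
```

In the sample, the fresh NAS backup does not shorten the recovery window because it sits on the main network; the window is set by the 30-hour-old isolated copy.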
If you don't want to fool with it, we offer backup services so you can focus on the mission — not backing up your data.
5. Build a Business Continuity and Disaster Recovery (BCDR) Plan
Most organizations find themselves glad at least once that they have a BCDR in place.
For us, that came when a tornado demolished our office in Northwest Arkansas in May 2024. The powerful twister may have knocked our network completely offline and destroyed a lot of our equipment, but we lost no data and we were back online within hours.
Why? Because we had a BCDR plan in place — and we executed it. (We also had data backups.)
A BCDR plan outlines how your organization keeps operating if systems go down. This should include who to contact, how to communicate with stakeholders, and what systems are critical to mission delivery.
When a cyberattack comes, you'll be thankful for a practical resource — a BCDR plan — outlining exactly what to do, when, and where. Data backups and BCDR plans are a formidable one-two punch against cyberattacks and the damage they do.
6. Monitor Systems (Including Remote Monitoring)
Many of the cyberattack horror stories, like the one told about Arisa Health above, contain details like: "...it was somewhere between [date] and [two weeks later] that administrators discovered cybercriminals had..."
In other words, the attack is staged, but then awareness of the attack comes well down the road.
This is unfortunate, because time is of the essence when cybercriminals strike.
Monitoring tools can alert you to unusual login attempts, unauthorized file access, or changes in systems that might indicate a breach. Many affordable solutions are now available for small organizations, and monitoring significantly improves your ability to respond quickly.
As G.I. Joe said, "Knowledge is half the battle." And Joe knows.
Monitoring is an essential defense.
Here, too, we can help you set up monitoring systems. We can even monitor your systems for you — remotely.
7. Consider a Managed IT Security Partner (MPS)
The truth is: many smaller organizations — including Arkansas nonprofits — just don't have the time, money, staff, knowledge, and, frankly, interest in setting up, managing, and monitoring cybersecurity defenses.
If that's you, if that's your nonprofit, we'd be happy to partner with you. Indeed, we currently serve the IT and cybersecurity needs of several NWA-based nonprofits, like the NWA Food Bank.
Whether you need a free consultation or you're ready for a full-throttle cyber defense, reach out.
We're honored to help the nonprofits that help so many in our community.