In 2016, the US-based accounting company CohnReznik conducted a study of 470 nonprofit executives. It found that more than half were concerned about cyber security—57% listed it among their top 10 concerns. But only 29% were planning to raise their spending on cyber security measures, and just 11% had instituted a risk or IT committee at their nonprofit.

The study showed that while executives are concerned about cyber security, there’s a significant gap between worry and taking action. And that’s a concern, because there are several aspects of how nonprofits operate that make them particularly vulnerable to a hack. These include:

Bare-bones technology. It’s not uncommon for nonprofits to satisfy their technology needs on the cheap. Many use donated computers and hardware, as well as older, unsupported versions of software and operating systems. The older a system is, the more vulnerable it is to data breaches. In addition, it’s not unusual for nonprofits to save money by using open-source software— which is often more vulnerable to cyber attacks than the proprietary version.

Collecting payment and contact information. Many companies and organizations collect contact information and take payments online— but nonprofits live and die by their member mailing lists, while collecting donations and membership dues online. This information is particularly valuable to hackers, and presents an obvious vulnerability to exploit.

Lack of resources and expertise. Many smaller nonprofits can’t afford elaborate security measures or to keep a dedicated IT professional on staff. This makes them an easy target for hackers. Lack of basic security measures such as two-factor authentication and password complexity requirements can make them even more vulnerable.

Employees and volunteers. One of the biggest threats to cyber security in most organizations—including nonprofits—is the people who work for them. A disgruntled employee or volunteer can easily steal a laptop and wreak havoc with the data. And anyone can misplace an important thumb drive or laptop, or have it stolen.

Single-mindedness. While many organizations are made up of people who share a dedication to a certain mission, nonprofits often attract exceptionally focused, single-minded people. And that’s a good thing—but it can lead to blind spots. It’s easy to be so focused on the nonprofit’s mission that you lose sight of dangers, like cyber security, that aren’t directly related to that mission.

Misconceptions about their vulnerability. Smaller nonprofits often operate under the same misconception small businesses often have—that their size makes them less of a target. The opposite is actually the case—smaller nonprofits are often easier targets for hackers than larger organizations with more resources to devote to cyber security. And hackers know it. Smaller nonprofits may not bring in a large amount of cash, but their lists of sensitive donor information still make them a worthwhile target.

When it comes to cyber security, it’s not if you’ll experience a breach—it’s when. Being aware of the particular risks faced by nonprofits is the first step towards building the impetus to take action.