Online attacks have nearly tripled in three years, according to the FBI, and hackers are increasingly targeting nonprofits alongside private-sector companies. In this threatening environment, every organization must understand its online risks and basic security requirements.
Who’s at Risk?
Your organization is courting cyberattack if it:
• conducts financial transactions online.
• collects anonymous personal information.
• stores any personally identifiable information.
It’s a broad list: Most nonprofits do all three routinely, as do most businesses. The value of financial and personal data is self-evident, but anonymous data is valuable too. Its collection is less obvious, and its use is less transparent, but it’s the currency in online marketing. All of this information attracts thieves.
Meanwhile, your .org domain designation raises your visibility. Most search engines add a lift in their rankings for nonprofits, so your site may show up high on a searcher’s screen. That’s all well and good—unless the searcher is a cybercrook looking for marks. If so, the miscreant probably knows that nonprofits lag behind for-profit companies in security.
The civilized mind recoils at robbing a charity or any worthy cause. But cybercriminals are interested in your data, not your mission.
What’s at Risk?
For as long as churches, charities, and nonprofits have received and spent money, fraudsters have tried to capture their revenues and steal their property.
Nowadays even the old standby scams usually rely on some online access—the internet can help kite a check, fake a paid invoice, or print surplus tickets to a big event. A sophisticated cyberattack can reach deeper into your organization and steal larger assets.
Ransomware is a specific kind of attack. It invades your systems, blocks your access to your own data, and demands a ransom to lift the block. Ransomware can paralyze your activity, drain your bank account, or both.
Another set of data can be even more valuable to thieves: financial and personal information about your donors, board members, employees, volunteers, vendors, and visitors to your site. How much information about credit cards, bank accounts, social security, and other business—even passwords—lies somewhere in your computer systems? A sophisticated ring that traffics in this stolen data can use it to defraud the people who trust you.
Any of these cyberattacks, if successful, would likely tarnish your brand and your organization. Insurance may cover some damages, but it can’t protect trust, and trust lost is hard to regain. For some nonprofits, such cyberfraud can be fatal.
Lowering Your Risks
• Calculate your potential loss from data theft. Segment your data—donors, employees, etc.—and estimate the damage your nonprofit might sustain if that data were stolen and sold to bad actors. Estimate a range for each constituency, and stress objectivity.
• Identify weak spots. Aging operating systems or financial software should especially stand out. Consult with a reputable cybersecurity company for a vulnerability scan and penetration test to detect weaknesses. Don’t neglect mobile in these reviews.
• Upgrade your systems. Nonprofit tech staffs have patched older systems for years, heroically in many cases. But upgrading is a standard business requirement today, and nonprofits can’t avoid it. Your decision on systems, software, and hardware upgrades—which, when, and how—can have significant consequences.
• Invest in technology. What are the most tedious and unnecessary tasks? Could some parts of your nonprofit machine contribute more to the overall mission if you automated or combined some tasks?
Software abounds in the nonprofit industry, so you should weigh reputation and reviews along with cost. Don’t skimp on a vigorous antivirus defense or a strong, well-regarded payment processor.
• Upgrade your security consciousness. Most cybercrooks hack people, not systems—it’s easier. Making it harder takes clear protocols and rules—automatic software updates, strong passwords changed regularly, two-factor authentication, and others. But it mainly takes a culture. Do phishing emails get bites? If you don’t know, test. Most of all, train. Formally, informally, lunch and learn—security can be interesting.
• Maintain and back up. When hiring a new IT professional, nonprofit experience is a plus, but focus on tech skills. Putting your people and investments to work calls for well-oiled IT, from software updates to onboarding and a help desk.
Meanwhile, robust data backup plans and systems are becoming a requirement. To approach 100 percent effectiveness, a backup system must be real-time, 24/7, automatic, offsite, redundant, and secure.
Should you insure your data? It depends on what’s at stake, how confident you are in your systems, and how you want to balance the two. As the price of data protection drops with new products and services, more nonprofits are likely to cover their potential liability with insurance.
Maintaining best practices in data security will ease a nonprofit’s insurance cost. With or without insurance, use these principles to protect your assets and reputation today.
European Privacy Law Affects U.S. Nonprofits
The General Data Protection Regulation (GDPR), which took effect May 25, is the European Union’s new data privacy law. It governs any digital information that can be linked to an individual.
It applies to any organization that collects personal data from any person in the EU, with or without payment. Violators of the GDPR’s data security requirements will be fined, regardless of a company’s location. Meanwhile, other countries are signaling they may use the GDPR as a model for their own regulations.
So, if your nonprofit sells so much as a coffee mug to a Berliner, you’ll need to review the GDPR.