In July 2014, Goodwill Industries learned from a credit card company that some of its customer data might have been stolen. The Maryland-based charity, whose 2,900 stores fund job programs, has been working with fraud investigators to learn the extent of the breach. But regardless of the size of any financial losses, the nonprofit has taken a hit to its reputation, thanks to widespread media coverage of the incident.
Data thieves and other cybercriminals don’t limit their attacks to large, high-profile organizations. Any nonprofit that has a computer network or collects financial or personal information — in other words, most nonprofits — risks data theft. If you don’t already have effective policies and sophisticated protections in place, your organization could be the next headline.
Nonprofits generally have limited administrative personnel and often lack dedicated IT staff. They also typically have smaller budgets for technical controls such as firewalls, antivirus software and intrusion detection and prevention systems. It's no surprise, then, that the nonprofit sector is among the most frequently compromised: attackers look for organizations where they can get in with the least effort, and thin staffing combined with unpatched, lightly monitored systems gives cybercriminals exactly that opportunity.
Your nonprofit’s network probably contains a wealth of data to entice hackers. For example:
- Donor information, including names, addresses, credit card numbers and bank account information,
- Personnel data, such as employee Social Security numbers and direct deposit information, and
- Accounting records related to payroll, payables, banking, investments and other financial functions.
Hospitals and other nonprofit health care organizations that collect and store patient data, including medical records and insurance information, are particularly vulnerable. Colleges and universities are also popular targets because of their multiple networks and many users — including students who participate in risky online behavior such as illegal file downloading.
While identity and financial data theft remain the primary objectives of most attackers, nonprofits increasingly need to worry about extortion schemes. In a ransomware attack, for example, a cybercriminal encrypts your files in place and demands payment for the decryption key; some attackers also copy the data before encrypting it and threaten to release it if the ransom isn't paid.
Most nonprofits are already familiar with protections such as firewalls and antivirus programs. Keeping those products current, and applying security updates to operating systems and applications as soon as they become available, provides a baseline level of protection. But it is only a baseline: patched, well-configured software does nothing to stop a staffer from handing a password to someone who asks for it convincingly.
But your defense strategy should extend to policies and procedures, such as data-handling rules. Overworked staffers may neglect to weed out old files, so provide written procedures for disposing of sensitive data that's no longer needed; data you no longer hold can't be stolen from you. Key data and systems should be backed up regularly, with copies kept in a safe offsite location that isn't permanently connected to your network, so that a ransomware infection can't encrypt the backups along with everything else, and restores should be tested periodically to confirm the backups actually work. Because nonprofit employees often share responsibilities, be sure to assign accountability for specific jobs.
Training for staffers, volunteers and board members is critical, too. For example, your network’s users should be made aware of such issues as e-mail scams, the proper use of laptops and mobile devices, and the risks of “social engineering,” where criminals manipulate people into volunteering passwords and other information.
You might also consider taking proactive steps against an attack by hiring a penetration tester, sometimes called a "white hat" hacker. This consultant uses the same techniques attackers use to probe your network and devices for weaknesses so that you can fix them before a criminal finds them. Agree on the scope of the test and the tester's authorization in writing before work begins, and ask for findings that are prioritized by risk rather than just a list of problems.
Time and money
Of course, a robust cybercrime-fighting program takes time and at least a small bite out of your nonprofit’s budget. Convincing your board that such expenditures are necessary may be tough.
Increasingly, nonprofits are creating technology committees led by tech executives or other knowledgeable board members. If your board lacks tech expertise, make recruiting someone who understands the need for cybersecurity — and how to achieve it — a priority. Your tech committee might be tasked with creating policies, determining budgets, evaluating software and products such as cyber liability insurance (see the sidebar “The insurance solution”), and planning how your organization would respond to a cyber attack.
If your tech committee plans to act as first responders to a cybersecurity incident, be sure to include a public relations expert in the group. The timing and wording of communications can significantly affect how the media and your organization’s stakeholders respond to an event.
Build a better fortress
Data is likely one of your nonprofit’s most valuable assets, and it’s important to protect it as you would physical property. If your current cybersecurity policies and practices are a little skimpy, it’s time to work with your board and outside experts to build a better fortress.
Sidebar: The insurance solution
Even if you can’t put a monetary value on the data your nonprofit collects, a cybersecurity breach can cost your organization plenty in legal fees, staff time and reputation.
Traditional insurance policies such as general liability and directors and officers liability typically don’t protect against such attacks. So you might want to consider buying cyber liability coverage. This type of policy can cover damage to both first parties (your organization) and third parties (donors, grantmakers, clients and other stakeholders), including costs associated with litigation, forensic and regulatory investigations, crisis management, reputation repair, credit monitoring, data restoration and business interruption.
Note, however, that such coverage — particularly a comprehensive policy with a high dollar amount — can be expensive. Before buying a policy, consider the potential risks and costs of an actual data breach.