Why Cybersecurity should be on your Not-For-Profit’s radar
At the onset of 2020, cybersecurity was already an ever-present concern for Not-for-Profit (“NFP”) organisations; the rate of incidents had risen steadily over the past few decades, and organisations of all sizes increasingly found themselves at risk. In recent months this concern has intensified, as more companies and organisations attempt to pivot to a remote work environment and secure their networks as a result of the coronavirus pandemic.
Not-For-Profit cybersecurity challenges
Traditionally, Not-for-Profit organisations have faced increased exposure when it comes to cyber threats. These organisations are the keepers of a variety of data that is a virtual goldmine to hackers, such as credit card numbers, emails, personally identifying information, and health information. In addition to being stewards of this sensitive data, Not-for-Profits also tend to have a limited budget with which to implement strategic cybersecurity practices, and as such may be seen as extremely attractive targets by cybercriminals.
Another cybersecurity challenge unique to Not-for-Profit organisations is the frequent tension between efficiency and security. Unlike For-Profit businesses, which tend to place emphasis on security, Not-For-Profits tend to focus on simplicity and ease of use when designing their online processes. This is because the more cumbersome the donation process, the less likely a donor is to finalise a transaction.
As an example, it is common practice among retailers to add verification steps, such as requiring customers to input CVV codes when making credit card purchases. Conversely, Not-for-Profit organisations are moving toward more streamlined technologies such as “one-click” giving, as their primary concern is minimising barriers for individuals to make a donation.
Not-For-Profit cybersecurity risks
For Not-For-Profit organisations, which typically rely heavily on grants and donors, a cybersecurity breach that results in a loss of donor confidence can be lethal. Even if a nonprofit organisation does survive the reputational loss, the costs of settlements and recovery will place severe financial strain on it.
Unfortunately, it seems it’s not a matter of “if” an organisation will face some type of cyber-attack, but rather how often; a successful attack can be devastating, and recovering will cost significant time, energy and resources.
In fact, just recently the Not-For-Profit community was greatly impacted by a significant case of cybercrime, in which information was stolen from a major NFP cloud computing vendor. The cyberattack on this entity was carried out over several months, and during that time the hackers stole sensitive data from donors, potential donors, patients, and other individuals tied to the affected organisations.
Not-For-Profit cybersecurity solutions
For these reasons, it is critical that organisations are proactive and take immediate action to safeguard against potential cyberattacks. This includes analysing and testing the organisation’s IT systems, instituting policies and procedures to safeguard data, ensuring employees are educated on best practices, and monitoring IT infrastructure so that it remains up to date and secure.
- Analyse and Test Internal IT Infrastructure
A risk assessment should be conducted to thoroughly review the organisation’s IT environment, specifically looking for vulnerabilities in the functions of the nonprofit that hold the most valuable assets. These systems should be thoroughly tested to expose any unknown weaknesses. Furthermore, even if your organisation’s own systems are protected, all of the organisation’s outside vendors are also potential access points. Third-party relationships should be viewed as an extension of the organisation and held to the same standards.
- Examine your online Donation Acceptance Policies and Procedures
It is critical that donors have absolute confidence when making online donations, and this can only be sustained by instituting policies that protect their information without being overly cumbersome. This is why it’s essential to use a secure donation platform that keeps donors and donations protected from cybercriminals. Not-for-Profits must also protect donor data from internal misuse, and restrict access to cardholder data to individuals with an internal business need (such as transmitting card transactions).
- Educate Your Stakeholders
Human error can undo even the best security setup; therefore it is critical for the nonprofit to implement formal cybersecurity training. Training users on best practices can go a long way toward reducing the risk of a cyberattack succeeding. Proper employee training can both enhance an organisation’s security protocols and fill in their gaps.
- Assess and Reassess
Cyber risks are in a constant state of flux, and new threats appear and evolve constantly. To maintain secure systems, it’s critical to continually assess cybersecurity controls and to repeat these tests on at least an annual basis.
Ultimately, protecting your nonprofit from the devastation of a cyberattack relies on proper communication of cybersecurity strategies and plans, and on an in-depth understanding by the board, management and all organisation stakeholders.
At HLB, we have a unique understanding of the cybersecurity challenges facing Not-for-Profit organisations. Our team can expertly help ensure your data and IT systems are protected, allowing you to focus on what is most important: the charitable mission of your organisation!
By Israel Tannenbaum, HLB USA