Cyber thieves don’t physically grab your keys or force an entry into your home, but the damage they do to your organization can be just as consequential. If your nonprofit becomes the victim of cybercrime, it could suffer a blow to its reputation that’s impossible to overcome.
So it’s important to assess your risks of data breaches carefully, and implement effective security policies and procedures. This will put you in a better position to protect valuable financial and personal data about donors and other constituents.
Are you a sitting duck?
Nonprofits generally have limited administrative personnel and often lack dedicated IT staffers. They also typically have smaller budgets for technology solutions such as firewalls, antivirus programs and intrusion protection. It’s no surprise, then, that the nonprofit sector is one of the most frequently compromised by hackers.
Your nonprofit’s network probably contains a wealth of data to entice hackers — for example, donor information, including names, addresses, credit card numbers and bank account information. Also coveted by cybercriminals are personnel data, such as employee Social Security numbers and direct deposit information, and accounting records related to payroll, payables, banking, investments and other financial functions.
Hospitals and other nonprofit health care organizations that collect and store patient data, including medical records and insurance information, are particularly vulnerable. Colleges and universities also are popular targets because of their multiple networks and many users — that includes students who participate in risky online behavior such as illegal file downloading.
Is your defense strong enough?
Most nonprofits are already familiar with protections such as firewalls and antivirus programs. And as long as you keep your programs current and download updates as soon as they become available, you can count on some measure of cybersecurity.
But your defense strategy should extend to include policies and procedures, such as data-handling rules. Overworked staffers may neglect to weed out old files, but it’s important to provide procedures for disposing of sensitive data that’s no longer needed. And key data and systems should be backed up regularly and stored in a safe offsite location. Because nonprofit employees often share responsibilities, be sure to create accountability for specific jobs.
Training for staffers, volunteers and board members is critical, too. For example, your network’s users should be made aware of such issues as e-mail scams and “social engineering,” where criminals manipulate people into volunteering passwords and other information. Also educate your employees about the proper use of laptops and mobile devices.
Finally, consider taking proactive steps against an attack by hiring a “white hat” hacker. This consultant uses the latest techniques to test your network and devices for holes so that you can plug them.
Are you up for a fight?
Of course, a robust cybercrime-fighting program takes time and at least a small bite out of your nonprofit’s budget. Convincing your board that such expenditures are necessary may be tough.
Increasingly, nonprofits are creating technology committees led by tech executives or other knowledgeable board members. If your board lacks tech expertise, make recruiting someone who understands the need for cybersecurity — and how to achieve it — a priority. Your tech committee might be tasked with creating policies, determining budgets, evaluating software and products such as cyber liability insurance, and planning how your organization would respond to a cyber attack.
If your tech committee plans to act as first responders to a cybersecurity incident, be sure to include a public relations expert in the group. The timing and wording of communications can significantly affect how the media and your organization’s stakeholders respond to an event.
Thwarting cyber thieves
Unfortunately, cybercrime will continue to threaten organizations of all types, including nonprofits, for the foreseeable future. Make sure that your organization is doing all that it can to thwart cyber thieves.