Nonprofits & Cybersecurity: Countering Weaknesses with Sound Controls
In January 2017, Indiana-based nonprofit Little Red Door – which provides cancer services to local patients – fell victim to a ransomware attack. After a staff member reportedly downloaded malicious software through an email, hackers were able to access the nonprofit’s server and backup drive and held them for a ransom of 50 bitcoin (at the time, the equivalent of about $43,000).
Due to the cyber-attack, Little Red Door spent months arduously re-entering patient information into its systems and trying to fortify its security infrastructure. It also struggled to secure grant funding in the wake of the breach due to not having complete records in place.
Why are we telling you this story? Because like Little Red Door of East Central Indiana, you’re probably thinking your nonprofit is too small or your mission won’t attract attention from hackers – or maybe you just think you’re fully prepared and couldn’t possibly be susceptible to a cyber-attack. But frankly, the problem is, you’re wrong.
Nonprofit organizations are becoming more, not less, likely to be victims of cyber threats as hackers take advantage of inadequate technology protections, limited employee security awareness and an industry generally unprepared for overcoming crippling cyber-attacks.
Weak Spots: Why Nonprofits Are ‘Easy’ Targets
Unfortunately, as focused and driven as nonprofits are to fulfill their missions and serve their communities, they often fall short when it comes to operational infrastructure. Most nonprofit grants and donations support specific charitable endeavors as well as communications and fundraising, but IT infrastructure and security controls might take a back seat.
Because many nonprofits also solicit online donations through their websites, they may open themselves up to greater potential risk. Hackers have been known to hijack “donate” buttons and redirect donors to third-party sites for payment processing. Credit card fraudsters also frequent nonprofit donation sites to test credentials from stolen cards – leaving organizations to also deal with assessing and reporting fraudulent donations.
Smart Controls: How Nonprofits Can Boost Cyber Defenses
To prevent cyber-attacks from wreaking havoc within nonprofit operations, it’s critical to invest time and resources (and yes, budget) in implementing sound controls that will safeguard sensitive organization and donor information and ward off growing external threats.
Technology. Nonprofits need to allocate budget and resources (internal or outsourced) to implementing and maintaining technology infrastructure that will safely secure data. Organizations may want to consider leveraging cloud services to store information versus maintaining onsite servers. Outsourced managed service providers can also ease the burden of managing, maintaining and updating technology infrastructure and software – something most nonprofits cannot spare time or resources for.
Backups. Whether hosting internal servers or using the cloud, nonprofits should ensure critical data is backed up to a remote, offsite location. That way, if a hacker infiltrates an organization’s primary server, the backup would remain intact, allowing the nonprofit to restore a copy once the server is operational again.
Access. Many nonprofits run light on full-time staff and rely on rotating waves of volunteers, so it’s critically important to ensure the organization maintains strict data access controls. Full-time employees – particularly those who deal with donor relations, accounting or other financial matters – should be afforded access to sensitive information; however, that privilege should not be blindly extended to all those who work or volunteer for the organization. Part-time or seasonal volunteers who support fundraising or community programming, for example, may not require full access to donor databases or company financials. Access controls should limit what information is readily available to employees and volunteers, and in some cases, nonprofits may want to consider keeping access logs or monitoring what information is accessed and by whom.
Training. Because cyber-attacks so often stem from the actions of an employee (most often unintentional but, in some cases, malicious), information security awareness training must be a priority for nonprofit organizations. At least annually, employees – and volunteers who have access to organization and donor data – should be required to complete a training course that reviews potential risk factors and best practices for maintaining secure operations. Many third-party services offer these types of courses, and they can be administered online or in-person.
With growing cybersecurity risks threatening to cripple already lean nonprofit organizations, robust security controls are essential to keeping operations running and allowing nonprofits to continue supporting their important missions. The costs associated with technology implementation and training are quickly being outweighed by those of being unprepared for a cyber-attack.
To learn more about implementing sound cyber controls at your nonprofit, please contact the team at MFA.