Cybersecurity for nonprofits: Understanding threats and weaknesses
Many nonprofit organizations do not consider themselves as potential targets for a cyberattack because they think they do not possess information hackers want. However, the NetDiligence 2016 Cyber Claims Study ranked nonprofit organizations as a top-five affected industry. With these threats in mind, many nonprofits must evaluate their security posture to avoid data and system loss, business interruption and reputational harm.
While many think that credit card information is the most stolen, the NetDiligence® study found that the majority of information that is stolen is personally identifiable information (PII). PII includes names, addresses, email addresses, social security numbers and banking information. Most nonprofits possess a wide range of valuable PII from employees, donors and other types of constituents.
In RSM’s recent 2017 cybersecurity outlook and key considerations for nonprofits webcast, it was discussed how nonprofit organizations can better evaluate their cybersecurity posture.
The challenge to securing an organization is that data can reside in many places, and is difficult to manage and trace. Today’s nonprofit organizations are highly dependent on technology, with a network including applications, databases, remote users, service providers and mobile devices typically storing and sharing vast amounts of private data. In addition, nonprofits are increasingly outsourcing several key functions, transitioning data to third parties or cloud vendors. Even though the data is stored elsewhere, the responsibility for that information stays with the organization.
Cybersecurity threats can come from many places, both online and offline. The causes of breaches are typically thought of as malicious, but they can also be unintentional. Common cyberthreats that can face nonprofit organizations include:
- Inside attackers: Malicious and disgruntled employees can change, delete or destroy data, damage systems, and steal or sell sensitive information.
- Outside attackers: Attackers don’t necessarily target a specific organization. They can hack into systems, launch denial-of-service attacks, develop social engineering attacks and perform email hacking or even extortion.
- Viruses and malware: An organization can become infected or infiltrated by a host of viruses or malware that can originate with a phishing email or infected file. These can give an intruder access to a network to control or steal sensitive data.
- Employee accident: Employees can cause a breach through innocent errors, such as losing a laptop, or sending an email with a file or clicking on a link that installs malicious software.
- Non-malicious system or coding errors: Information technology (IT) personnel can inadvertently create vulnerabilities in software or applications, especially when implementing new systems.
- Trusted third-party vulnerabilities: Vendors such as cloud providers that control an organization’s data or systems can suffer a breach or mishap that exposes critical information. Again, outsourcing those systems or data does not absolve the organization of the responsibility for protecting that information.
Unfortunately, many nonprofit organizations are unaware of the technical weak spots that could directly lead to a breach. For example, many attacks can go completely undetected. In addition, organizations often do not have an effective strategy for encryption or patch management that helps to keep hackers out of the system. Vendor mismanagement is another concern, with third parties lacking thorough oversight and due diligence practices.
Just a single breach can significantly damage an organization’s finances and reputation. NetDiligence’s survey found that the average breach costs $665,000 in covered costs. This is considerable since the majority of respondents were small organizations. For example, a small health care organization with $50 million in revenue lost 10,000 records in a breach. The organization suffered a $256,000 loss after providing notice to victims and paying legal and forensics costs. Breaches can lead to regulatory fines that can make financial losses climb quickly.
To begin to implement an effective cybersecurity strategy, organizations must first assess their readiness. Employees must understand applicable regulations such as state privacy regulations, payment card industry (PCI) and Health Insurance Portability and Accountability Act (HIPAA) guidelines.
If cyber coverage is desired or purchased, organizations should understand the coverage. The process should be collaborative with a potential insurer and the organization, educating executives about their own technology operations and potential threats. The assessment should take a high-level view of an organization, encompassing people, processes and technology.
According to Mark Greisiger, president of NetDiligence, “It’s important to show that your organization has made a good faith effort to safeguard information assets. It is well understood that achieving 100 percent effectiveness in cybersecurity is not realistic. What’s key is demonstrating that your organization is proactive in mitigating its cyberrisk.”
An overall cyberrisk assessment is also a key tool to help nonprofits enhance preparedness. This assessment should examine networks, systems, applications and data. A data breach incident response plan is also an element of a comprehensive cybersecurity strategy, detailing the steps that should be taken to prepare and respond to a breach if and when it occurs.
“Most organizations, including nonprofits, should anticipate that a data breach or other cyber incidents will occur,” commented Greisiger. “It is, therefore, prudent to have an actionable data breach response plan at your fingertips so that your organization can respond to the crisis in a timely manner and improve your chances of minimizing cyber losses.”
Finally, organizations must emphasize the importance of ongoing training for all employees and vendors and periodic review of insurance coverage for gaps and any potential new threats.
Even though many nonprofit organizations are not large enterprises and typically do not possess large volumes of sensitive data, they are attractive targets for a cyberattack. However, organizations can implement a more effective cybersecurity strategy by understanding the unique threats and challenges they face, and how to increase readiness and preparedness to discourage or respond to an attack.