Managing information risk within nonprofits
While many nonprofit organizations feel there is little risk to sensitive internal information or funds being obtained by hackers, there is a rising tide of threats to information security. If not addressed thoroughly, malicious software attacks can put your organization’s reputation, finances and even very survival at risk.
The story seems all too common; hackers compromise data security protocols and gain access to sensitive information (such as bank accounts, intellectual property, personnel records). Public relations, information technology, management and other personnel scramble to understand what happened and handle the crisis. Concerned donors or employees worry that they are victims of identity theft, and will lose a great deal of their own money.
While many executives will read such a story with sympathy, few will react with alarm or equate the event with their own organizations. However, threats to information security are increasing at all organizations, as account takeover and fraud become more prevalent. While many of the reported stories of information breaches involve large, well-known organizations and companies, in the world of cybercrime, size and profile do not matter—only information does.
Targets and vulnerabilities
The increase in the value of data has made hacking into a profitable enterprise. It’s the data that holds the value for the hacker. Ninety-seven percent of data breaches that occurred in 2012 were considered targets of opportunity (according to a recent data breach study). This means they were not specifically targeted, but were found by automated scanning systems to be vulnerable to known exploits.
Although the financial services industry has the largest percentage of breaches, nonprofits are also among the top compromised entities, in part due to lower budgets to implement protective measures. Organizations large and small are vulnerable to breaches by criminals, and have something attackers are interested in, such as:
- Bank account information - Online banking accounts are particularly attractive to thieves, enabling them to transfer funds when a computer virus is introduced into a system used to manage the account.
- Payroll, cost accounting and other systems - These systems may include Social Security and other human resources-related information that have a potential dollar value to the hackers.
- Remote access information - When attackers want to mask their activities, they often launch the attacks from compromised bystanders. They rent access to a compromised network and utilize it to conduct attacks.
What can organizations do?
Nonprofit organizations must take proactive steps to minimize their security risks and mitigate any potential financial losses and compromised reputations. To get a quick and cost-effective understanding of your threats and vulnerabilities, we recommend performing a high-level review of your internal and external network assets via a penetration test or rapid security assessment to understand your obvious first-attack vectors.
Even a high-level review would discover the critical security threats and vulnerabilities that tend to be the start of 97 percent of compromises. Addressing these threats can at least elevate your organization enough to make you less likely to be compromised. By implementing this type of program, nonprofit executives can be justified in feeling that their information risks are minimized.
Long term, these assessments can be used to incorporate new practices into a full information technology risk management program, and protect the organization from attackers who are going further than just easy targets. The program will help the organization identify, prioritize and monitor risk for your organization. Processes such as identifying all key risks within the organization, including their likelihood and impact, developing quantitative and qualitative measures and establishing risk monitoring and continuous improvement activities provide true security without significant expense.
For more information
For more information on this topic, please contact Corbin Del Carlo, director, privacy and security services, RSM US LLP at 847.413.6319.