When you think of cyber security and data breaches, large government, financial, and retail entities typically come to mind. Because we tend to hear only about breaches at big-name, for-profit entities, many in the not-for-profit space tune the topic out, assuming these are problems only businesses experience. The reality is that a data breach can happen to any organization, and analyses of breach data continue to show that more and more not-for-profits are being targeted.
Surprised? Most are. The reason is that while large retailers and financial institutions have a huge target on them (no pun intended), they also have extensive security programs, which pushes attackers toward softer targets such as not-for-profits. Why try to break into the equivalent of Fort Knox when you can walk right in through a small non-profit's back door? According to Verizon's Data Breach Investigations Report (DBIR), 96% of attacks were not highly difficult, which means even novice attackers can compromise most systems that lack basic controls.
The same report points out that most of these attacks could have been prevented through a more vigilant approach to cyber security. Unfortunately, a breach can do irreversible damage to an organization's reputation and financial stability. Loss of reputation alone can force a smaller non-profit to shut its doors, as a breach is almost guaranteed to be picked up by local media and social networks.
Keep in mind that even if your not-for-profit survives the reputational loss, the costs of settlements, notifying affected parties, and providing credit monitoring to those parties are sure to put a financial strain on the organization. These costs are typically not covered by general liability insurance but by a separate cyber insurance policy, which many not-for-profits either don't have or hold with inadequate coverage. Remember this: the worst possible decision is to do nothing. A not-for-profit does not have to spend significant resources on information security to protect itself, but it should have some funds dedicated to cyber security.
Regardless of your not-for-profit's focus, technology is now part of everyday life and business. If you collect donations, as most not-for-profits do, you are probably collecting and storing in some capacity sensitive information that attackers find valuable, such as names, addresses, and credit card information. Also bear in mind that a data breach does not only result from a cyber attack. It can result from human error, such as a misplaced laptop, smartphone, or flash drive containing sensitive information.
So what can not-for-profits do to protect themselves?
1. Get your organization technical help.
Most not-for-profits don't have the resources to hire the IT expertise necessary to protect the organization. Recognize the limitations of your current IT source and consider working with a qualified third party. A consultant can help identify risk, as well as set up and manage your network and a data security program.
2. Assess your risk.
Understand what sensitive data you store, where it lives, and how it is handled. This will help you target vulnerabilities and concentrate your limited resources on the areas that pose the most risk. Recognize that certain activities, such as accepting credit card payments or submitting payroll to a third-party provider, expose the organization to risk and should be covered by the assessment.
3. Have a data security program.
This encompasses awareness, training, written procedures, and an incident response plan. A third-party consultant can help you set this up in the most cost-effective and efficient way.
4. Secure the network.
Wireless networks and bring-your-own-device (BYOD) practices can put an organization at risk, so the organization's network needs to be secured and plans need to be in place in case of a data breach.
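A practical first task in step 2 is finding out where sensitive data actually sits, since donor exports and payroll files tend to accumulate in shared folders long after anyone needs them. The script below is an added example, not code from this article or from PBMares: it walks a folder, looks for card-number-shaped digit runs and validates them with the Luhn check so that order numbers and other random digit strings are not reported, and separately flags US Social Security number patterns. The donor export it scans is constructed sample data embedded in the script (the card number is the well-known 4111... test number), and the file extensions it looks at are an assumption you should widen for your own environment.

```python
"""Locate files that may hold payment card numbers or SSNs (added example)."""
import re
from pathlib import Path

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security number in the common NNN-NN-NNNN form.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# Assumed set of text-like extensions worth scanning; extend for your environment.
SCAN_SUFFIXES = {".txt", ".csv", ".log", ".json", ".md"}

# Constructed sample donor export. 4111 1111 1111 1111 is a standard test
# card number; 1234567890123456 is an order reference that fails Luhn.
SAMPLE_DONOR_EXPORT = """name,address,card,notes
Jane Donor,1 Main St,4111 1111 1111 1111,recurring gift
John Donor,2 Oak Ave,4111111111111111,order ref 1234567890123456
Pat Volunteer,3 Elm Rd,,ssn on file 123-45-6789
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return Luhn-valid card numbers in text, with separators stripped."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list[str]:
    """Return SSN-shaped strings in text."""
    return SSN_RE.findall(text)


def mask(digits: str) -> str:
    """Show only the last four digits so the report itself is not sensitive."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(name: str, text: str) -> dict:
    """Summarise card and SSN findings for one piece of text."""
    cards = find_card_numbers(text)
    ssns = find_ssns(text)
    return {
        "file": name,
        "cards": len(cards),
        "card_samples": [mask(c) for c in cards],
        "ssns": len(ssns),
    }


def scan_tree(root: str) -> list[dict]:
    """Walk root and return findings for every scannable file with a hit."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        result = scan_text(str(path), text)
        if result["cards"] or result["ssns"]:
            findings.append(result)
    return findings


def scan_sample() -> dict:
    """Run the scanner over the embedded constructed export."""
    return scan_text("donors.csv", SAMPLE_DONOR_EXPORT)


if __name__ == "__main__":
    print(scan_sample())
```

Run it against a copy of your file shares (scan_tree("/path/to/share")) and the output is a short inventory of where card and SSN data lives, which is the input the rest of the risk assessment needs. The Luhn check is what keeps the report useful: without it, every 16-digit order or invoice number would show up as a card.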
Harvey L. Johnson, CPA, is a Partner at PBMares, LLP, a regional accounting and consulting firm serving clients throughout the Mid-Atlantic. For more information, please contact the author at firstname.lastname@example.org or visit: www.pbmares.com.