Many professional cyber thieves set their sights on big data platforms, where one doorway in gives them access to millions of individuals’ data. But this doesn’t mean that nonprofits are off the hook just because they are the “little fish” in a big pond. In fact, because cyberattacks are often crimes of opportunity, because nonprofits too often leave the door open for hackers, and because nonprofits hold information that can be valuable in identity theft, nonprofits are major targets, too. Taking simple steps to prevent cybercrimes should be a high priority for every nonprofit. We’ve got some ideas to help your nonprofit take three easy steps to shore up its cybersecurity savvy.
- Multifactor authentication adds one additional step to the traditional request for user ID and password. That’s it! Just one extra step can thwart most cybercrimes. Cyber-attackers are looking for the easy way into your nonprofit’s data, such as getting “behind the member curtain” of a membership association, or deep into the recesses of the server of a public charity where they can see donors’ personal information. If you put up a barrier to make it harder, criminals are likely to move along to find an easier target. Multifactor authentication may seem inconvenient but, in time, it will be as common as the ubiquitous password requirement.
- A little awareness training makes a big difference. Remember how the “hand hygiene” campaign that encouraged medical professionals to wash their hands caused a huge drop in infections in hospitals? That educational campaign shifted the culture across an entire industry. Nonprofits will see similar positive outcomes if we educate staff and volunteers about “cyber hygiene.” Beyond protecting the organization, it can have positive ripple effects as those trained practice safer use of computers at home and pass along those practices to clients/beneficiaries of the nonprofit, too. Each October, Facebook runs a workplace campaign called Hacktober to raise awareness about cybercrimes. Some employers are taking cyber hygiene education so seriously that they test their employees by sending phishing emails to see if the employees will click on links. The employees who click are required to take additional training. Such testing can help a nonprofit workplace prioritize the need to educate its workforce about the importance of cybersecurity.
- Assessment of data collected by the nonprofit and the nonprofit’s cybersecurity weaknesses and strengths is a way to focus and prioritize your nonprofit’s cyber safety habits. Every nonprofit can conduct a free DIY cybersecurity assessment using resources such as this data inventory assessment tool. The assessment can help identify what data the nonprofit has that need to be protected, prioritize the processes and/or programs that need attention, and identify which staff members need to be accountable for cybersecurity across the organization. The National Council of Nonprofits offers resources on cybersecurity that may be useful.
Once those three easy steps have been tackled, the next step is for every nonprofit to be fully prepared for the worst-case scenario: a breach. You can include this step as you are doing any organizational planning scenarios: What will the nonprofit’s “incident response plan” be? Who will be involved in the investigation and determination of what data was breached and how extensive the damage is? Who will contact those affected, internally and externally? Who will determine whether the nonprofit is required to report the breach to any government agency(ies) and whether there is cyber insurance (or other insurance) coverage for any business interruption and/or expenses resulting from the breach? Forty-eight states have 48 different versions of notification laws for data breaches. Documentation of all that a nonprofit did to prevent and respond to a breach is key to limiting liability.
Common schemes that continue to trip up even cyber-savvy workplaces include the “verify your personal account information” ploy, which involves an email that looks just like it’s from Microsoft, or PayPal, or some other well-known and frequently used service, asking you to click on a link to verify your account information. Unless you are absolutely certain the email is legitimate, don’t click on the link! It’s a scam seeking your personal account information. The IRS describes other common tax scams on its website.
One more tip: You may think that your nonprofit is protected from liability for data breaches because your nonprofit uses a third-party payment processor to handle credit card payments. However, make sure that the contract with that third party clearly allocates responsibility to the third party, provides indemnification to your nonprofit in the event of a data breach, and spells out who will be responsible (the nonprofit or the third-party payment processor) for notification of any breach.
What are the lessons for nonprofits from the recent breaches that have been in the news? Being big and having lots of data makes you a prime target, but the only thing that matters in the end is whether you left the door open.
This post is reprinted from the National Council of Nonprofits Blog.
Jennifer Chandler is vice president at National Council of Nonprofits. Her past service for charitable nonprofits includes being a legal advisor, board member, senior staff member, program volunteer, and grantmaker.