The news isn’t good. In fact, it’s downright scary. A report from the FBI's Internet Crime Complaint Center puts the financial loss from cybercrime in the U.S. at more than $1.3 billion in 2016, a rise of 24 percent. Brands such as Equifax, Target and the Democratic National Committee are among the many victims. And cybersecurity attacks in 2017 are rapidly on the rise. According to IBM CEO Ginni Rometty, “Cybercrime is the greatest threat to every company in the world.”
Nonprofits Are at Risk
Nonprofits aren’t immune. In fact, nonprofit organizations may be prime cyber-attack targets. Most collect and store sensitive data like emails, social security numbers, billing information and more. Despite this, nonprofits are often hesitant to make cybersecurity a priority due to the investment of time and resources. It’s time they reconsider. To understand the magnitude of the issue, Lori Read, CEO of fundraising technology firm Aegis Premier Solutions, encourages clients to focus on their own nonprofit. She asks them to “imagine if there was a ransomware attack where all of your donor information was stolen and sold on the dark web. And the attack was made public and repeatedly mentioned in the press. Donor information is your main asset. Think of how catastrophic that would be.”
Prepare, Prevent, Respond, Recover
Cybersecurity uses a set of principles and practices designed to protect computing assets and online information against cyber threats. It may seem an overwhelming task to build these safeguards, but not if you break them down.
Those on the front lines with the most advanced cybersecurity practices are the nation’s largest corporate and government institutions. Nonprofits can take their lead from these organizations by implementing the following initiatives captured in a four-step cybersecurity approach: Prepare, prevent, respond and recover.
1. Prepare
- Conduct a Yearly Audit | Most experts recommend that nonprofits hire a third-party security organization to conduct a thorough gap analysis to assess their information technology capabilities and vulnerabilities. These specialized companies can look into your nonprofit’s practices and those of your vendors. (Vendor cybersecurity considerations will be examined in part 2 of this cybersecurity series.) Conduct this audit annually or anytime your organization experiences a change, such as an office move.
- Establish Processes | Have concrete, replicable cybersecurity processes in place for all of your information technology systems and data. Smithsonian Associate Director Lara Koch urges nonprofits to carefully route the audience journey by asking themselves, “How many places will data travel? How is it handled? By whom? How is data handled internally?” From there, she encourages nonprofits to layer in processes for data protection.
- Insure Your Assets | Consider purchasing cyber insurance. Have appropriate coverage based on the size of your database. Most commercial insurance companies now provide it.
- Learn | The DMA has a helpful privacy resources section and the FTC data security section provides interesting background. US-CERT, a cyber organization in the U.S. Department of Homeland Security, also has a highly useful tips website that speaks to both technical and non-technical readers.
2. Prevent
- Upgrade | Older operating systems, computers or networks are more susceptible to data breaches. Make the investment to upgrade your nonprofit’s technology.
- Make Updates | Regularly update operating systems and applications as technology companies routinely publish software security patches.
- Train Employees | Train employees on spear-phishing and how to recognize malicious links in emails and website pop-ups. Get professional training on how to protect against viruses, malware and spyware.
- Set Policies | Develop strict policies on what employees can download from the Internet and have restrictions on downloading new applications without the sign-off of an IT person or supervisor.
- Passwords | Encourage employees to secure and change passwords regularly.
3. Respond
- Be Ready | Have processes in place for what you would do if your nonprofit had a cyber attack. For instance, what procedure would you follow if there was a large loss of customer information? If you were a victim of a cyber ransom attack?
- Know the Roster | For cybersecurity crisis planning, Read suggests that a nonprofit think through the players that will be involved by asking, “Who should you notify, when and how? Which security companies will you contact? Where will you go for legal advice? Who will you turn to for consulting on communicating with the press and your donors/constituents?”
- Report the Crime | Any attack on a nonprofit should be reported to law enforcement, such as the FBI’s Internet Crime Complaint Center.
4. Recover
- Bring in the Experts | Recovery activities take place after a cyber-attack. Gather experts on your roster to build a plan to rebuild.
- Prevent Further Loss | Take the steps needed to prevent similar cyber-attacks from occurring again.
- Build Confidence | Work to restore confidence with your donors, constituents, partners and employees.
Cybersecurity should be a top priority for your nonprofit. Leadership and security experts can work together to take proactive measures to protect your nonprofit against potential cyber threats. Start by asking yourself if your security measures and policies are sufficient. If not, then reach out and get the help you need.
Angela Struebing is president of CDR Fundraising Group, a multichannel agency focused on helping nonprofits maximize their online, direct mail, telemarketing and DRTV fundraising results. As president, Angela is responsible for overall agency management and strategic planning for national nonprofit clients to include The Wounded Warrior Project, Shriners’ Hospitals for Children, MoMA and the Marine Toys for Tots Foundation. Angela is a frequent speaker at industry events and is recognized for her strategic expertise. She has also served as Education co-chair for the Bridge Conference.