3 Areas Nonprofits Need to Focus on for Operational Security

As the pace of technology adoption quickens, so does the likelihood of cybersecurity breaches and data leaks that could have damaging impact on an organization’s ability to operate. While these threats are of concern to every sector, nonprofits, in particular, have unique facets that must be taken into account.

One of the most underdeveloped areas of technology cohesion is the backend technology that nonprofits rely on to run their operations. While there is an ample amount of options for nonprofits to manage donors and volunteers, there needs to be more investment around fraud protection, data and identity breaches, and security and access to sensitive demographic and financial information.

Let’s identify the top three areas that nonprofits should focus their operational security.

Fraudulent Transactions

One of the most damaging, yet recurring, issues that organizations have is around fraudulent transactions occurring through their online transaction systems. Global losses for fraud total over $21 billion annually, yet nonprofits, in particular, have some unique challenges that they must face.

• Donation page configuration. Unlike eCommerce shopping that will usually require some sort of address in order to complete a transaction, some nonprofits remove extra fields in order to obtain the donation as quickly as possible. While secure forms will ensure this is totally acceptable, some organizations are behind when it comes to securing their online donation forms, especially if built by a volunteer unfamiliar with current security standards.
  
• Donor Indifference. Given the rise of peer-to-peer donations made because of the relationship with a friend, some donors may not have as tight a connection to the nonprofit and, hence, may not think much of a small donation found on their credit card statement. In reality, this may be the entry-level attempt to test the effectiveness of a stolen credit card, and your organization may be the target for testing it.
  
• Subpar Technology. Unfortunately, there has been an increase in technological vendors who are looking to provide single-campaign solutions, but have not fully vetted the security, authentication or dispersal compliance that are unique to nonprofit organizations. Always ensure that you ask your vendor what they do to ensure PCI compliance and security of transactions on their platform, as well as charitable compliance. 

The costs of not addressing fraud can be immense, with one organization losing $170,000 because of fraudulent credit cards. Ensuring that your organization is prepared to properly manage online donations will not only avoid a potentially disastrous situation, but gain the trust of donors to donate to your organization.

Resource: Learn about four key areas where your nonprofit can address credit card fraud immediately.

Technological Access

While fraudulent transactions are typically focused on individuals, there are other more dangerous challenges when it relates to access to the very technology that your organization relies upon.

According to a recent study on cloud security, the average organization experiences 12.2 compromised account threats per month. And most concerningly is that 92% of organizations have cloud-based credentials for sale on the dark web. And the nonprofit sector itself is experiencing a rise in email-based attacks to gain access to an organization’s infrastructure.

One of the most effective ways to stop unwarranted access to an organization’s login information is to implement two-factor authentication for the tools your organization relies on. Many software platforms either offer this as an option or as a requirement, depending on the sensitivity of the data held within the platform. Enabling two-factor authentication is extremely effective, with Google finding that turning it on stopped 100% of automated bot hacks attempted.

Yet, according to the most recent NTEN "State of Cybersecurity Report," 55.6% of nonprofits do not require multi-factor authentication for their organizations. And only 6.7% of nonprofits required this feature for all their technology. Especially for any technology relating to sensitive data or financial information, this should be required.

Resource: Learn how Neon One is addressing security and access for its technology ecosystem.

Data Access

While fraud and attempts to obtain unwarranted access are troubling, many organizations do not realize that an increasing threat to their security comes from within. According to recent reports, data breaches that can be traced to malicious insiders rose from 25% in 2016 to 34% in 2018. Insider attacks can also come at a greater cost as well, with the percentage of revenue loss increasing 15% last year compared to 2018.

Putting policies in place around data access and breach procedures will go a long way in identifying potential weaknesses that your organization has around data security. For instance, a review of your organization’s permission controls within software that houses either sensitive demographic or financial information is a good start.

Consider establishing levels of access depending on the role that the employee has at the organization, as well as audit trails for any employee to ensure that no one feels they are above the policies.

Ensuring that staff are trained on data breaches will also showcase that your organization is prepared for anything, either from outside or within. Again citing the NTEN study on cybersecurity, only 7.1% of nonprofits have ever simulated a security breach for their organization’s software. Establishing at least a yearly simulation will go a long way around establishing a  culture of respect around data management.

Resource: Check out this excellent roundup of resources relating to data security put together by the National Council of Nonprofits.

The potential for technology is immense for nonprofits, but embracing technological advancement also comes with understanding the risks that come with it. Yet with a few simple changes to how your organization approaches security, your organization will be able to sleep at night knowing that your data is secure and your organization can be trusted.