Why Cybersecurity Should Be On Your Nonprofit’s Radar

Did you know that more than 50 U.S. cities and small towns were attacked by ransomware in 2019?

These governments fell victim to fake emails that included attachments mistakenly opened by staff. Baltimore chose to not pay the ransom and instead spent $18 million to recover from the attack.

This should be your organization’s wake-up call, because the nonprofit industry is also on the map.

From the World Economic Forum’s “The Global Risks Report 2019,” a large majority of respondents expected increased risks in 2019 of cyberattacks leading to theft of money and data (82%), and disruption of operations (80%).

If security isn’t a serious priority for your organization, I’m going to share some reasons why it should be.

The Nonprofit Industry Is Vulnerable

A growing concern for the nonprofit industry is how unprepared organizations are right now for defending against cyberattacks.

From NTEN’s “State of Nonprofit Cybersecurity Report 2018,” it reveals three areas where gaps exist in relaxed security policies:

• 68.2% of respondents do not have documented policies and procedures for when they get attacked.
• 59.2% of respondents do not provide any cybersecurity training to staff on a regular basis
• Only 17.1% of respondents require using a management tool for storing and sharing user IDs and passwords

Rising Attacks, Regardless of Size

Just like the small towns, hackers don’t discriminate when it comes to your organization’s size, because your data is valuable.

There’s a secret part of the internet called the “the dark web,” where the stolen data — credit card numbers, usernames and passwords — are sold for high dollar.

Hackers have learned organizations are making the mistake of not taking security seriously and ignoring potential threats.

The last five years have been challenging for nonprofits (of all sizes) that were unaware and unprotected:

• Save the Children. In 2017, the major international organization was scammed through fake emails by a hacker posing as a staff member. It lost $997,400 to a fraudulent business in Japan.
• The Girl Scouts, Texas Chapter. In 2014, the organization announced on Facebook that its website had been hacked with the homepage defaced. During the attack, users were registering and paying for camps on the organization’s website.
• Utah Food Bank. In 2015, this small organization had its website hacked, and 10,000 visitors who donated online lost their personal information to identity thieves.
• Red Barn. Also in 2015, another organization’s website was hacked as part of a server-wide attack during a fundraising event. The damage was so bad that the organization had to remove its website, purchase a new domain name and rebuild from scratch.

A Mindset Shift Needs to Happen

I asked nonprofit and technology leaders about why they believe security is low on their organization’s priority list.

We discovered there are five specific reasons:

1. Misbelief. Organization leaders think they have nothing valuable to steal and would never become victims of cybercrime because government, financial and for-profits are first in line.
2. Lack of knowledge. Staff and volunteers are busy running the organization, so they don’t have the time nor interest to learn about cybercrime industry trends.
3. Limited technical expertise. Senior-level management lack judgment and try to be their own subject-matter experts. Instead, they should be consulting industry professionals who can train their staff on cybersecurity best practices.
4. Conflict with the board. A few members may be aware of online threats but are telling marketing and communications leaders their security needs to be on the backburner (for months to years).
5. Budgeting concerns. During annual planning, organizations don’t see a need to act or seek funding to protect the organization and its constituents because they haven’t become a victim yet.

The problem with this type of thinking is that, while your security policies are being ignored every month, a hidden risk grows.

Leaving your IT system in the dark with a lack of strong infrastructure makes your organization much more vulnerable to attacks.

The longer organizations disregard this issue, the more it becomes an expensive and complex problem in the future. And hackers will continue to target nonprofits for attacks.

Prevention Is the No. 1 Goal In Cybersecurity

It's only a matter of time before your organization gets scammed by email or your website gets hacked.

Trying to deal with an attack will end up costing your organization a lot of time, energy and resources. Data breaches can become a long-term, recurring problem and can be expensive to fix.

The key is to prevent the risk from happening in the first place.

For these reasons, there needs to be a mindset shift in the nonprofit industry, so organizations can become fully prepared and safe from potential cyberattacks.

When your data and IT systems are protected, you can get back to focusing on serving your mission.