Why Nonprofits Can No Longer Afford to Ignore Data Security
Nonprofits juggle competing priorities every day — and often on a tight budget.
So, it’s understandable why cybersecurity spending often languishes on the back burner. Rather than investing in cybersecurity, nonprofit decision-makers are forced to allocate limited resources to fundraising efforts, employee pay and day-to-day operations. But the reality is that neglecting security results in much higher costs — and potentially serious consequences — in the long term.
The Costs of Downplaying Security in a Daunting Cyber-Threat Landscape
Budget concerns and retention issues continually plague organizations, so it’s easy for things like tech adoption to fall to the bottom of to-do lists. Nonetheless, nonprofits remain a prime target for bad actors.
Why? Because nonprofits store a great deal of personally identifiable information in their databases, from client medical records and employee Social Security numbers to donor payment information. Cybercriminals sell that information on underground markets to other bad actors, who use it to commit fraud, steal identities or break into high-profile donors' bank accounts. Since this information has a real dollar value, cybercriminals do whatever they can to access and compromise it, and their tactics are growing more effective and efficient.
While the number of data compromises dropped 3% in 2022, the number of individuals impacted grew by nearly 44%, totaling more than 422 million people. This is partly due to the rising number of software supply chain attacks in which bad actors gain access to an organization’s network — and a wider range of victims — through a third-party vendor.
With the average cost of a data breach expected to reach $5 million in 2023, organizations simply can’t afford to ignore security measures. But the monetary impacts associated with data breaches aren’t the only repercussions nonprofits encounter when they fail to prioritize security.
PCI-DSS Compliance: What Is It And Why Is It Important?
Like any organization that accepts, processes, stores or transmits payment card data, a nonprofit is responsible for complying with the Payment Card Industry Data Security Standard (PCI-DSS). In practice, this means the nonprofit must be able to accept payments for donations, membership fees and ticket sales securely, or risk noncompliance fines and reputational damage.
PCI-DSS noncompliance fines, which are levied by the card brands through your acquiring bank, can range from $5,000 to $500,000. A fine forces a nonprofit to tap funds that could otherwise go toward core mission work. Noncompliance also means the required controls are missing, which raises the likelihood of a successful attack and the further costs that come with it.
For example, in the event of an attack, donors may lose trust in the organization’s ability to secure their data. It’s also difficult to acquire new donors if the organization has received negative publicity due to a cyberattack or credit card fraud.
So, while it’s understandable that retention issues and budget concerns may push security to the bottom of your to-do list this year, there’s too much at stake to ignore it. If you need to make budget cuts this year, maybe it’s time to reconsider which areas of the organization you’re targeting for savings.
Devalue Your Data to Maintain Security and Compliance
Your mission becomes much more difficult to achieve without donor trust and support. The good news is that you can ensure Payment Card Industry (PCI) compliance and maintain a tight security posture when you devalue your data.
1. Identify Your Compliance Requirements
The first step toward compliance is to determine which PCI-DSS requirements apply to you, and that depends on how cardholder data is accepted. Merchants that are not required to undergo a full on-site assessment document this through a Self-Assessment Questionnaire (SAQ), and most nonprofits that accept payments online fall into one of two categories: SAQ A and SAQ A-EP.
If your website hands payment collection off entirely to a PCI-DSS validated third party, for example through a redirect to the processor's hosted payment page or an iframe the processor serves, your organization is likely eligible for SAQ A, and most PCI-DSS requirements become the responsibility of that vendor. You still own a small set of requirements, and you must still vet your payment processing partners to confirm that they are themselves PCI-DSS compliant; asking for their current Attestation of Compliance is the usual way to do so.
Conversely, if your own website or servers influence how card data is captured, for example by hosting the payment form itself or the script that posts card data directly to the processor, you fall into SAQ A-EP, and far more of the PCI-DSS requirements are your responsibility. Note that if your systems actually receive, process or store cardholder data, neither SAQ applies: you are then assessed against the full standard under SAQ D.
2. Devalue Your Data
There are many boxes to check to meet the PCI-DSS requirements, but devaluing your data is table stakes. The two main approaches, encryption and tokenization, ensure that the data held in your network is useless to an attacker who manages to get hold of it: encrypted data cannot be read without the key, and a token cannot be traced back to the original value without access to the vault that issued it.
Both approaches are useful, but each serves a distinct purpose. Encryption is the natural fit for protecting card data in transit, for example from the point of capture to the payment processor, because the ciphertext is unintelligible to anyone who does not hold the corresponding key. Keep in mind that encrypted cardholder data is still cardholder data: if your systems hold both the ciphertext and the means to decrypt it, it remains in scope for PCI-DSS.
Tokenization, by contrast, is generally the better fit for data you must keep for the long term, such as card-on-file details for recurring donors, medical records or other financial information. It replaces each sensitive value with a token, a random surrogate that has no mathematical relationship to the original, and that token is what your systems store and use. The mapping from token back to the real value is held in a token vault kept in a separate, hardened location, typically at your tokenization or payment provider, so a token stolen from your network cannot be reversed without also compromising the vault.
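The tokenization flow described above, as an added example that is not code from the original article or from Bluefin: a minimal vault-based tokenizer in Python. The in-memory vault, the test card number and the donor record are constructed for illustration; in a real deployment the vault lives with the payment provider, outside the nonprofit's network, and the nonprofit's systems only ever see the tokens it returns.

```python
import secrets
from typing import Dict, Optional

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """True if `number` (digits only) passes the Luhn check that real PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_pan(pan: str) -> bool:
    """Sanity check before tokenizing: digits only, card-number length, Luhn-valid."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


def mask(token_or_pan: str) -> str:
    """Display form for receipts and the donor CRM: only the last four digits show."""
    return "*" * (len(token_or_pan) - 4) + token_or_pan[-4:]


class TokenVault:
    """The only place the token -> PAN mapping exists.

    Assumption of this example: two in-memory dicts stand in for the provider's
    hardened vault database. The nonprofit never holds an instance of this class;
    it only calls the provider to tokenize and to charge a token.
    """

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}  # one PAN -> one stable token

    def tokenize(self, pan: str) -> str:
        if not plausible_pan(pan):
            raise ValueError("not a plausible card number")
        if pan in self._token_by_pan:          # recurring donor: reuse the token
            return self._token_by_pan[pan]
        while True:
            # Same length as the PAN with the last four digits preserved, so
            # receipts and refunds still work; everything else comes from a
            # CSPRNG and has no mathematical relationship to the PAN. That is
            # what separates a token from a ciphertext: no key turns it back
            # into the PAN, only the vault lookup in detokenize().
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject the roughly one-in-ten candidates that happen to be
            # Luhn-valid, so a leaked token can never be mistaken for, or
            # submitted as, a real card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault holder can do this; unknown tokens return None."""
        return self._pan_by_token.get(token)


def demo() -> dict:
    """Walk a recurring donation through the flow and return what each side holds."""
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real account
    token = vault.tokenize(pan)
    # What the nonprofit's CRM stores: no PAN anywhere, just the token.
    donor_record = {"donor": "Example Donor", "card_token": token, "display": mask(token)}
    # Charging next month's gift: the nonprofit sends the token to the provider,
    # which detokenizes inside the vault and sends the real PAN to the card network.
    charged_pan = vault.detokenize(donor_record["card_token"])
    return {"pan": pan, "token": token, "record": donor_record,
            "charged_pan": charged_pan,
            "second_token_same": vault.tokenize(pan) == token}


if __name__ == "__main__":
    print(demo())
```

A dump of the CRM in this design yields tokens that fail the Luhn check and map to nothing without the vault, which is the whole point of devaluation. Preserving the last four digits and rejecting Luhn-valid candidates are design choices of this example, not requirements of PCI-DSS.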
With cybercriminals doing whatever they can to gain network access, it’s imperative for your data to remain unintelligible in the event of an attack. Incorporating tokenization and encryption into your nonprofit operations not only helps you maintain PCI compliance, but also improves your overall security posture — leading to increased donor trust and the support that enables you to achieve your mission.
The preceding blog was provided by an individual unaffiliated with NonProfit PRO. The views expressed within do not directly reflect the thoughts or opinions of NonProfit PRO.
Related story: Blackbaud to Pay $3M SEC Settlement for Misleading Disclosures After a 2020 Donor Data Breach
Brent Johnson is the chief information security officer at Bluefin.