By Brandon Smith, CPA
Cybercrime poses a major threat to organizations of every size today, and the risks are only increasing as hackers become more sophisticated. Nonprofit leaders often consider data breaches, ransomware and social engineering to be concerns specific to for-profit businesses, but that couldn’t be farther from the truth. From large healthcare institutions to school systems and even small, local charities, nonprofits must recognize the significant threat cybercrime poses to their organization and take strategic action to limit these risks wherever possible.
Cyber-criminals have focused greater attention on NFPs in recent years, hoping to take advantage of a rich trove of financial and other sensitive data held by these organizations. While nonprofits may not have a primary focus on commercial activity, their data can be extremely valuable to hackers nonetheless:
- Donor credit cards and bank account numbers. Organizations often collect and retain this type of information to complete event registrations or process donations.
- Personal information of employees, volunteers, donors and clients. This can include highly sensitive information such as birthdates, social security numbers and health information, along with names, addresses, and phone numbers.
- Financial information about the organization. It is not just donors who are at risk. The nonprofit’s banking and tax information are other targets that hackers may try to steal.
- Daily-use software and data. Ransomware can make routine operations grind to a halt by limiting access to donor databases, employee records, email, systems, event scheduling tools and other daily necessities.
All that data can be sold on the dark web or used to demand ransom from the organization or individuals. Besides the lure of the data itself, nonprofits often make attractive targets for hackers because they frequently rely on older, less secure technologies for cybersecurity and tend to have a less robust defensive posture than their cash-flush peers in the for-profit sector.
Though resources are often limited, especially at smaller organizations, adopting a proactive stance to cybersecurity must be an urgent priority to prevent the high financial and reputational costs of a data breach or loss of key data.
Create a secure operating environment with a cybersecurity risk management program (CRMP).
A well-designed CRMP is fully customized around the organization’s unique operating environment and risk profile. Cybersecurity analysts with specialized experience working with nonprofits are the best option to ensure the team can identify hidden vulnerabilities. Understanding how NFPs function also helps digital security experts propose solutions that align with the organization’s standard operating procedures and work within budget limitations.
Taking the whole picture into consideration, the security team identifies all informational assets that could be at risk, assesses the full spectrum of potential threats to those assets – both internal and external – and determines optimal strategies for managing those risks. A complete evaluation should include scrutiny of processes, internal controls, relationships with vendors and third-party service providers, data management protocols, hardware and software, communications tools, data backup systems, and existing information security procedures.
In addition to risk mitigation, the organization’s cybersecurity program should include a comprehensive plan to address newly identified threats or risk events, as well as thorough training for all staff and volunteers. What can employees do to maintain a secure environment? Who should they notify if they suspect a problem? Prevention is critical to safeguarding the organization’s sensitive data and systems, but knowing how to recognize and respond to different types of security events is just as important.
The cybersecurity experts at Mauldin & Jenkins offer a wide variety of services to help nonprofits mitigate the many types of risk they face today. Our information security services include:
- Vulnerability Scanning to identify areas of concern for organizational security
- Penetration Testing to assess resistance to internal and external attackers
- Firewall Configuration Reviews to ensure your systems are protected
- Social Engineering Assessments to help guard against spear phishing; vishing; documents, emails or websites that carry malicious payloads; and other client-side exploits
- Cybersecurity Awareness Training to increase staff understanding and compliance
- IT/Cybersecurity Assessments to benchmark current security programs against the NIST Cybersecurity Framework and develop a roadmap for prioritizing investments
- SOC for Cybersecurity to assess and report on the effectiveness of an organization’s overall risk management program
If you aren’t sure where your organization stands, there is a good chance your current data security program isn’t as strong as it should be. Reach out to your Mauldin & Jenkins advisors today and learn how to protect your donors and your organization with a rigorous approach to cybersecurity.