Reputation is everything to a nonprofit organization—and a data breach can destroy a reputation in one fell swoop. That’s why, time and again, our lengthy list of nonprofit clients asks us what they should be doing to better protect themselves—and what, exactly, they should be protecting themselves against.
These are smart questions given that a Washington think tank—The Center for Strategic and International Studies—has estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $445 billion, or almost 1% of global income.
In fact, we’ve been asked about nonprofit security so many times that cybersecurity took the #1 slot in our biannual tech trends brief.
What are cybercriminals after when they target nonprofits?
Nonprofit organizations handle volumes of sensitive data every day. From donor information to client financial records, and confidential emails, nonprofit organizations are the keepers of data that is extremely valuable—especially on the black market.
What are the top cybersecurity threats to nonprofits? (How are cybercriminals getting in?)
- Absence of Password Policy. If you allow members or vendors to access private info on your network via a password, you better make sure you have a comprehensive password policy in place. Is two-factor authentication required? How long do passwords need to be?
- Unsecured Software. Budgets are tight for all nonprofits. But software is not the place to skimp. I know many nonprofits that are still using Windows XP, even though it is 12 years old and no longer supported by Microsoft. The older your operating system, your computers and your network, the more susceptible they are to data breaches.
- Open-source Software. Speaking of budgets, nonprofits often use open source software as a way to less expensively get things done. However, open source software is often extremely vulnerable to attacks.
- Online Payment Processors. Cybercriminals know nonprofits take membership dues and fees for a variety of conferences and events. They also know that if you are not using a reputable online payment processor then you are vulnerable—and so are all of your members.
- Your Employees (or Former Employees). What happens to desktops, laptops, and mobile devices when an employee leaves your company? Are security measures in place to ensure mobile devices are wiped clean and access is denied?
What can nonprofits do to better protect themselves?
Make cybersecurity a top priority—and make security awareness part of your organization’s culture. Know that you are now the target—and that the attack can come from across the world or across the hall. Ask yourself if your security measures and policies are sufficient. (Wondering how to do this? Check out this article on crafting a successful data privacy policy.)
Do your policies address system usage and access, and ways to manage change? Do they provide an audit trail for you organization? Do they dictate how to handle an employee leaving or being terminated? Do you have a comprehensive BYOD plan in place to protect your data? Are your firewalls, anti-virus, and passwords being updated regularly? Are your operating systems being regularly patched?
Evaluate your current security elements and policies by asking:
- What do we intend to protect?
- How are these elements being protected?
- Do our policies and operations support the protection of these elements?
A comprehensive data security policy does more than assuage your fears, it can provide your membership and donor base with significant peace of mind.
And that goes a long way in solidifying your organization’s reputation—and can influence the rate at which prospects become members.