With so much information from large corporations available to hackers, it seems ludicrous that hackers would go after nonprofit organizations and fundraisers — but that’s exactly what’s happening. Cyber risk for nonprofits is a topic your board will want to explore to protect your organization.
There are also “hacktivists” — people who are so dedicated to their own causes that they’re hacking into the sites of their opposition to take them down or inhibit their voices. In some cases, the hacktivist is an insider. Since nonprofit organizations exist for a cause, it’s difficult for many leaders and members to fathom that an insider might be the culprit who steals money or data; however, the risk is real.
In many more instances, cybercriminals understand that large corporations have sophisticated IT teams and large budgets to combat cybercrime, so getting into their systems takes much more work than it used to. Hackers don’t have as much to gain from nonprofit organizations and fundraisers as from large businesses, but the data or funds they acquire may be worth it relative to the small amount of work required to steal them.
Ransomware Attacks Are Rising
According to data from blockchain research firm Chainalysis, 2023 is on pace to be one of the biggest years for ransomware attacks, second only to the prior year. They report that ransomware gangs have extorted over $449 million from victims, and project attackers could extort $898.6 million from companies by the end of 2023.
Cleaning up after a cyberattack is usually time-consuming and costly, and it also brings further negative impacts, including reputational risk, which should be motivation enough to put the topic on your next board agenda.
Nonprofit Organizations and Fundraisers Have Many Assets to Protect
Nonprofit organizations exist to create awareness of a cause and to help raise funds to make improvements for people and communities. Board directors and leaders often focus so heavily on achieving their short-term goals and benchmarks that they overlook important matters like protecting data and personal information from cyberattacks.
While many nonprofit organizations and fundraisers may be smaller than businesses targeted by cybercrime, they still have much data to protect. Nonprofit organizations obtain sensitive information from their donors, supporters, and philanthropists. Governments also sometimes fund charitable causes.
A breach of a nonprofit’s or fundraiser’s database creates an environment in which funders could lose trust in the organization’s security.
The obvious fallout is that funders will decide to redirect their donor funds to other charitable causes with more secure servers and systems. A large breach may even force an organization to dissolve.
All Individuals Are Responsible for Cybersecurity
Most cyber experts recommend that businesses take a top-down approach to managing cybersecurity. The same approach works equally well for nonprofit and fundraising organizations. Experts admit that there is no surefire way to prevent cyberattacks. For this reason, all organizations need to work toward developing a culture of cybersecurity.
Forbes outlines the following cybersecurity threats that nonprofits need to be aware of:
- Data breaches from third-party vendors
- Email phishing schemes
- Data breaches from employers
- Malicious software
- Natural disasters
While everyone in the organization bears some responsibility for keeping funds and data safe, the bulk of the responsibility falls on leadership and the board of directors. When regulatory investigations are taking place, investigators will expect board directors to have answers. Board directors can expect to be held liable if they’ve been lax in their oversight duties or fiduciary matters.
Board directors are expected to be knowledgeable about the types of cyber threats that typically occur. Stakeholders also expect nonprofit boards to take action to protect their constituencies. All individuals must do their part to enhance security, yet the board directors will ultimately be on the hook.
Nonprofits and Fundraisers Need to Protect Against Insider Fraud
It’s disappointing to think that someone who has long been committed to a nonprofit’s cause would actually launder money or steal funds or information from a nonprofit organization or fundraiser, but diligent board directors recognize that insider fraud happens.
Nonprofit organizations must take a proactive approach to protecting funds and data on the front lines by limiting access to information to only those who need it.
Balancing Operating Funds with Fundraising
All nonprofits must be careful about how they manage their funds. It’s often difficult for boards to balance fundraising efforts with managing operating funds while adequately allotting for cybersecurity needs.
Board directors need to make difficult decisions about how to disseminate limited funds that are available. Addressing cybersecurity issues often falls toward the bottom of the list, but that doesn’t mean boards should ignore it altogether.
Be aware that not investing in cyber risk management may end up costing your nonprofit more in the long run, given the potential for ransom payments, downtime while dealing with a breach, and regulatory fines. As part of a responsible risk management program, nonprofit boards must weigh the potential cost of cyber risks against the cost of preventing them.
Grants are available for nonprofits to financially support their efforts to bolster security. The Grant Portal has a search function that allows nonprofits to narrow down grants topically.
IT technicians should help identify the top concerns and assist board directors in setting up a plan to mitigate them if an attack occurs. This is a minimal approach that should be relied on only for the shortest timeframe possible.
Steps for Protecting Against Cyberattacks in the Nonprofit and Fundraising Realms
The National Council of Nonprofits acknowledges the importance of nonprofits taking cyber risks seriously. They recommend a three-step process for protecting nonprofits:
1. Assessing Cyber Risk for Nonprofits
Take an inventory of all the data your nonprofit collects. Your board should be able to answer the following questions:
- What data do we collect?
- What systems does the data travel through?
- Where do we store the data?
- Who is responsible for ensuring the data is secure?
- Are we collecting data we don’t need?
- Are we destroying data in accordance with our document retention policy? (The Federal Trade Commission requires organizations to properly dispose of information in consumer records and reports to prevent unauthorized use of data.)
The answers to these questions may open up new discussions about potential vulnerabilities concerning data.
2. Ensuring Confidential Information Is Secure
Does your board understand the definition of personally identifiable information? The U.S. Department of Labor defines personally identifiable information as, “any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.”
Every state, along with the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, has laws that require organizations to notify individuals of data breaches involving personally identifiable information, and nonprofit boards should be aware of the data breach regulations in their states.
Nonprofits should also protect non-personally identifiable information such as data collected on surveys.
3. Drilling Down the Actual Risks
Consider the likelihood of the cyber risks for nonprofits noted in Step #1 above. Does your organization outsource activities to accountants, IT consultants, a payroll service, a cloud storage service, a donation processing service, or other vendors? Open APIs enable systems to share data, which means that a lack of security at another company or organization could leave your own systems vulnerable to a cyberattack.
Once your board has identified cyber risks, it’s wise to heed the following tips to prevent cyberattacks at nonprofits as reported by Blackbaud:
- Require staff and volunteers to lock all devices when not in use
- Instruct workers to connect to approved networks only
- Validate strange emails and voicemails
- Educate staff and volunteers on the risks of social engineering attempts
- Require remote workers to change the password on their home Wi-Fi router
- Instruct workers to only use approved devices
- Install updates and patches often and make sure remote workers are doing the same
In addition to being proactive in addressing cyber risk for nonprofits, your board may consider investing in cyber liability insurance for further protection.
Unless a nonprofit enlists the help of a member who has expertise in IT and cyber protection, most organizations will need to use part of their funds to employ an IT expert to help them protect against hackers. IT experts should be required to perform regular, mandatory security tests to check for unprotected data.
Board members should seek assurance that the fewest members possible can access sensitive information and only when they need it. Board members must also develop policies and procedures for who can access information and how it may be used.
Onboarding for new board members should require cybersecurity training, and existing board members will likely need a refresher on good practice at least once a year.
While it’s important to have these policies and procedures in writing, it’s just as important for the board, management and your governance professional to monitor procedures to make sure members are following them.
Governance Technology Protects Nonprofits
Nonprofits are keeping pace with how technology can assist them with many tasks and activities, but as they have become increasingly reliant on technology, the risks of cybercrime have escalated accordingly. Governance technology is also part of the solution to preventing cybercrime.
With a board management solution, your board is in the driver’s seat with controls that limit access to important board information from third parties. User-based permissions protect sensitive information and robust data encryption keeps board communications secure.
See how BoardEffect, a Diligent Brand, can help strengthen your charity or nonprofit’s cyber resilience. Request a demo today to learn more about how governance technology can address cyber risk for nonprofits.