The Cybersecurity Risk for Nonprofits and Fundraisers Is Increasing
With so much information available to hackers within large corporations, it seems ludicrous that hackers would go after nonprofit organizations and fundraisers, but that is exactly what is happening.
Some criminals, known as hacktivists, are so dedicated to their own causes that they hack into the sites of their opposition to take them down or inhibit their voice.
Since nonprofit organizations exist for a cause, it’s difficult for many leaders and members to fathom that an insider might be the culprit who steals money or data; however, the risk is real.
In many more instances, cybercriminals understand that large corporations have sophisticated IT teams and large budgets to combat cybercrime. Getting into their systems takes much more work than it used to. Hackers don’t have as much to gain from nonprofit organizations and fundraisers, but the data they acquire may be enough reward for the amount of work it takes to steal it.
Recent Ransomware Attack Affects Thousands
The largest ransomware attack in history occurred recently, alerting charitable organizations to their vulnerability. Cybercriminals unleashed malware called WannaCry that infected over 300,000 computers in various realms, including government, business, banks and Britain’s National Health Service (NHS). The attack proved that the charitable organizations had failed to secure and protect their operating systems.
The Charity Commission in the United Kingdom took quick notice of the attack, and responded by issuing a public alert with sound advice about section 15(2) of the 2011 Charities Act in the U.K.
Nonprofit Organizations and Fundraisers Have Many Assets to Protect
Nonprofit organizations exist to create awareness of a cause and to help raise funds to make improvements for people and communities. Board directors and leaders often focus so heavily on achieving their bottom-line goals and benchmarks that they overlook important matters like protecting data and personal information from cyberattacks.
While many nonprofit organizations and fundraisers are smaller than large corporations, they have much data to protect. Nonprofit organizations obtain sensitive information from their donors, supporters and philanthropists. Governments also sometimes fund charitable causes.
A breach of a nonprofit’s or fundraiser’s database creates an environment in which funders lose trust in the organization’s security. The obvious fallout is that funders will decide to redirect their donor funds to other charitable causes with more secure servers and systems. A large breach may even force an organization to dissolve.
All Individuals Are Responsible for Cybersecurity
Most cyber experts recommend that businesses take a top-down approach to managing cybersecurity. The same approach works equally well for nonprofit and fundraising organizations. Experts admit that there is no surefire way to prevent cyberattacks. For this reason, all corporations need to work toward developing a culture of cybersecurity.
Everyone in the organization bears some responsibility for keeping funds and data safe. The bulk of the responsibility falls on leadership and the board of directors. When regulatory investigations are taking place, investigators will expect board directors to have answers. Board directors can expect to be held liable if they’ve been lax in their oversight duties or in fiduciary matters.
Board directors are expected to be knowledgeable about the types of cyber threats that typically occur. They are also expected to take action to protect their constituencies. All individuals need to do their part to enhance security, but the board directors will ultimately be on the hook.
Nonprofits and Fundraisers Need to Protect Against Insider Fraud
It’s disappointing to think that someone who has long been committed to a nonprofit’s cause would actually launder money or steal funds or information from a nonprofit organization or fundraiser, but board directors would be remiss not to recognize that insider fraud happens.
Nonprofit organizations need to take a proactive approach in protecting funds and data on the front lines by limiting access to information to only those who need it.
Steps for Protecting Against Cyberattacks in the Nonprofit and Fundraising Realms
Unless a nonprofit enlists the help of a member who has expertise in IT and cyber protection, most organizations will need to use part of their funds to employ an IT expert to help them protect against hackers. IT experts should be required to perform regular, mandatory security tests to check for unprotected data.
Fortunately, there are a few easy and inexpensive steps that nonprofits can take to create a culture of cybersecurity. Boards can set up a cybersecurity committee and give it responsibility for reporting to the board about the latest news in cybersecurity protection, lessons from other corporations affected by breaches and any new regulatory concerns. The committee could also take responsibility for publishing fraud and security tips internally and to the membership. Nonprofits may also want to look for opportunities for leaders, members and board members to attend business fraud seminars.
Board members should seek assurance that the fewest members possible can access sensitive information, and only when they need it. Board members also need to develop policies and procedures for who can access information and how it may be used. It’s good practice for all corporations to require two signatures to approve financial transactions. While it’s important to have these policies and procedures in writing, it’s just as important for board members to monitor these procedures to make sure members are following them.
Balancing Operating Funds with Fundraising
With the exception of well-established nonprofit and fundraising organizations, many nonprofit organizations are struggling start-up operations with few operating funds. Investing in cybersecurity is not a fundraising venture, so members are less likely to engage in it.
Board directors need to make difficult decisions about how to distribute the few funds available. Addressing cybersecurity issues often falls toward the bottom of the list, but that doesn’t mean they should ignore it altogether.
Nevertheless, board directors can attempt to prioritize the risks of cyberattacks with the goal of investing more time and money in cybersecurity as funds grow. IT techs may be able to identify the top concerns and help board directors to set up a plan to mitigate them if an attack occurs. This is a minimal approach that should only be considered for the shortest timeframe possible.