You don’t have to be wealthy, well-connected or a major extrovert to serve on a nonprofit board with a heavy emphasis on fundraising. What you do have to have is a major focus on planning and oversight, just as any other board does. Nonprofit organizations face many of the same risks as for-profit corporations, including the risk of losing their hard-earned funds to hard-working hackers. Part of nonprofit board directors’ duty of oversight is knowing that hackers exist and taking steps to protect the organization’s members, employees and donors from financial risks. For many small nonprofits with limited funds to distribute, this is a serious and formidable challenge.
Are Hackers Really Going After Charities?
In a word, yes. In May 2017, companies and nonprofits across the world became victims of a ransomware attack called WannaCry. The virus attacked computers running Microsoft Windows operating systems. The hackers took advantage of organizations that failed to update their systems or that let the virus in through the back door. The attack affected over 300,000 computers belonging to governments, businesses, banks and Britain’s National Health Service (NHS).
Catholic Charities in New York was also victimized by hackers over the course of two years. Their security experts detected a virus in 2017, which was found to have originated in 2015. The personal information of 4,600 past and present clients was stolen from a Glens Falls, NY, server. Cybercriminals didn’t get personal records, such as treatment or therapy records, but they did get dates of birth and Social Security numbers.
Hackers are also targeting small charities, as Indiana’s Little Red Door, a small healthcare charity for families dealing with cancer, found out when they opened an email with “Cancer Sucks, But We Suck More” in the subject line. Hackers blocked access to their client files and financial data and asked for $43,000 in bitcoin ransom to release it. The charity didn’t store any personal information that would be of value to hackers, so they didn’t pay up. However, it cost them handsomely to rebuild their database.
Why Are Hackers Targeting Charities and Nonprofit Organizations?
It’s a reasonable question to ask what motivates hackers to go after charities and nonprofit organizations that do so much good for communities. The reality is that hackers often get a lot more bang for their buck by going after unsuspecting charities and nonprofits.
Charities often store sensitive information from donors, supporters, grant-makers and philanthropists. Governments also sometimes budget funds for charities in their communities to assist them in the good work that they do. Hackers that can tap into any of these systems can access plenty of sensitive information that they can use as a bargaining chip.
Hackers view charities and nonprofit organizations as low-hanging fruit. These organizations typically have less robust IT protection than large corporations do, so it takes hackers far less work to penetrate their computer systems. Hackers are also keenly aware that nonprofit organizations invest as much money as possible in their fundraising efforts and in supporting their mission, and typically allocate less of their budgets to cybersecurity measures.
Perhaps some board directors of nonprofits naively believe that hackers won’t go after them simply because of their nonprofit status.
Still another thing that puts charities and nonprofit organizations at risk is the fact that they welcome new volunteers. Nonprofits don’t always vet volunteers carefully, so there’s always a risk of insider fraud.
Nonprofit Organizations Risk Losing More Than Funds
Because of the financial, personal and sensitive information that nonprofits store for their purposes, they have much to lose in the way of funds. Nonprofits that fail to protect their organizations’ data face other risks as well.
Nonprofit board members who don’t take the proper steps in oversight risk damaging their nonprofit’s good name and reputation for doing great work, which usually means loss of future funds and donor opportunities.
As Little Red Door quickly found out, there can also be a major cost in not being able to operate the nonprofit while picking up the pieces after a hacking incident. The worst-case scenario is that a nonprofit may be forced to dissolve.
The Role of Nonprofit Boards in Protecting Fundraising Efforts
The responsibilities of nonprofit board members in protecting their organizations are significant. Nonprofit board members are wise to educate themselves about cyber risks, allocate adequate budget to address them and take steps to protect their organizations. While board members may be held liable for data breaches, ultimately, it’s the responsibility of everyone in the organization to be aware of cyber risks.
One of the least expensive ways that nonprofit boards can move toward protecting their organizations is to create a culture of cybersecurity from the top down and to communicate that culture clearly to everyone in the organization. It’s crucial to train staff to look for signs of irregularity.
Another inexpensive thing that nonprofit board directors can do is to develop policies and procedures about who within the organization can access certain information and how they’re allowed to use it. Nonprofit boards should require two signatures to approve all financial transactions in order to prevent insider fraud. As overseers, they must also monitor procedures and make sure all members, staff and board directors follow them.
Some nonprofit boards are finding that it’s helpful to set up a cybersecurity committee. These committees report to the board on the latest news and information on cybersecurity protection. They also enhance the organization’s culture by publishing tips on fraud and security internally and externally. A cybersecurity committee may also be on the lookout for workshops and seminars on cybersecurity as part of their board development program.
While those are good first steps, boards need to allocate adequate funds in the budget to appropriately protect the organization. Start-ups and small organizations can start small and expand the budget as funds become available. One of the best ways to secure their information at a reasonable cost is by investing in a board portal that has strong security built right into the program.
BoardEffect can help nonprofits and charities to find a board portal solution that fits into their budget. A board portal offers secure, cloud-based data storage, which can save boards substantially by reducing the need to rely on expensive, outside IT experts. The board portal companies perform regular, mandatory security tests to check for unprotected data, so that board directors can focus on fundraising and other pertinent matters.
Administrators of the portal can also restrict user permissions so that only people who need sensitive information may access it, which helps to prevent insider fraud.
Board directors of nonprofit organizations can be held liable if they are lax in their oversight duties. A board portal may just be the best investment they can make.