Hackers strike once again, this time causing a data breach at a prominent New York nonprofit social services agency. The incident sends up a red flag that highlights the cybersecurity issues that nonprofits across the globe should be concerned with.
The breach caused sensitive medical information belonging to the current and former clients of People Inc. in western New York to be compromised.
This unfortunate event highlights the facts that hackers are still hard at work attacking vulnerable organizations like nonprofits that don’t have the necessary IT expertise to protect their systems. The nonprofit’s response indicates that a growing number of organizations are taking their responsibilities of developing a data breach response plan more seriously. At the same time, nonprofits need to do more to bolster cybersecurity to protect their customers and patrons.
With the rapid progress of cyberthreats and the power and fortitude of modern cybercriminals, nonprofits need to persevere and enlist the help of experts and management software programs to improve their efforts to face the future’s trials.
Data Breach Exposes Vulnerabilities of Services for Vulnerable Populations
People Inc., which is now one of the state’s largest nonprofit agencies, was started by a small group of parents and professionals in 1970 to help individuals with intellectual disabilities with services, employment, health care, outreach, and recreational programs. Their success led them to expand their mission to include seniors and families with developmental disabilities and other disabling conditions to reach their highest potential and integrate into society with the greatest amount of acceptance and independence possible.
Representatives from People Inc. discovered the breach on February 19, 2019, and have not yet been able to identify the hacker. People Inc. stated that up to 1,000 of their clients may be affected by the breach. They remain concerned about the leakage of accounts that contained names, addresses, Social Security numbers, financial information, medical data, health insurance information, and other government identification.
The nonprofit reported that the apparent source of the leak was attributable to an employee’s email account. They also noted that they suspect that a second email account may also have been compromised, but they were unable to confirm that. During their investigation, they discovered that the first compromised email account had a weak password which may have created an opening for a brute-force cyberattack. The organization performed a password reset to secure the email account and they disabled the second email account as a precautionary measure. To date, People Inc. isn’t aware of any situations where information was actively abused.
People Inc. enlisted the help of a cyberforensics firm to conduct an investigation and also contacted the FBI. They informed past and current clients of the breach on May 29th and offered free credit monitoring services to those who were impacted.
What Can Nonprofits Learn from the Most Recent Data Breach?
Best practices for cybersecurity measures indicate that all organizations, including nonprofits, should manage cybersecurity as part of their risk management program. Cybersecurity experts recommend that organizations follow the three lines of defense including management control, risk management, and the internal audit process. These processes are also often referred to as ownership, oversight, and assurance.
The first line of defense is management control which encompasses the information security department or whoever is responsible for cybersecurity issues. Management security means that organizations need to manage cyber risks by implementing various controls. Security experts need to understand the vulnerabilities of their assets and use organizationally acceptable tolerances in controlling them. This process includes taking the lead on risk events, updating key risk indicators (KRIs) and implementing controls that affect people, processes, and technology. This is the area that led to the People Inc. data breach.
The second line of defense is risk management. Many things fall under risk management including looking at aggregate risks at the enterprise level and ensuring legal and compliance standards, as well as setting up quality controls and financial controls. This defense also covers control frameworks, defines the metrics for KRIs, and performs risk assessments. Risk management teams should be tracking the actions of the first line of defense and analyzing the impact of the actions to assess how effective they are in mitigating cyber risks. The second line of defense, which is often overseen by the board or management, can challenge the first line of defense.
The third line of defense is the internal audit. This part of a cyber risk management program often includes input from external auditors and regulators. This line evaluates the overall processes of cyber risk management across the entire organization. Internal control frameworks must be strong enough to deal with the risks that the organization faces. The third line of defense should be able to successfully challenge the second and third lines of defense.
According to Identity Force, over 70 organizations have been victimized by recent data breaches so far in 2019. The list includes businesses and nonprofit organizations from nearly every industry and the list spans most states across the country. The data that nonprofits collect in the course of their charitable activities has value for sale and identity theft, which makes them common targets for cybercrime.
One of the best investments that nonprofits can make is an investment in BoardEffect, an industry leader in modern governance. BoardEffect offers board management software solutions with state-of-the-art security measures to protect nonprofits and other entities from unscrupulous cybersecurity attacks. The software supports all three lines of cybersecurity defense. According to Ernst & Young, “Cybersecurity is no longer just about deflecting attackers. Today, it’s about figuring out how to manage and stay ahead of intruders who are already inside the organization.”
Board directors have to look at taking cybersecurity measures that will be a staple of the organization now and into the future. Innovation and staying ahead of the needs of board governance is what makes BoardEffect the best choice in board management software systems. Don’t leave your organization’s security to chance. You won’t want to see your name added to the list of recent data breaches.