Nonprofits are often targeted by cyber criminals because they lack the resources to implement cybersecurity measures. Though many find it hard to believe, they are just as susceptible to a data breach as for-profit organizations, if not more. However, they often don’t embrace the same level of change that other organizations are making to implement a sophisticated cybersecurity program, because there is a belief that they are not a target. This is a dangerous assumption to make. The reality is that nonprofit organizations collect incredibly sensitive information about their members and donors, which can include social security numbers, credit card information, and even medical information. It’s time for nonprofits to get serious about cybersecurity, because without proper measures in place, a single breach could end the entire organization and its mission.
Why they should be concerned
Nonprofit organizations tend to handle volumes of sensitive data every day. Member records, donor information, confidential emails, and hundreds of other transactions pass through their gates. Without proper cybersecurity measures, an organization can easily be breached, leaving the path to this sensitive information wide open to cyber criminals.
For an organization that relies heavily on grants and donors, a cybersecurity breach can be deadly. A breach can result in lost trust and confidence if donors fear their reputation or identity could take a hit. Even if a nonprofit organization does survive the reputational loss, the costs of settlements, notifying affected parties, and monitoring breached parties are sure to put a financial strain on the organization.
Where to begin
Get a game plan together – Start with a holistic approach, looking from the outside in. Preparation involves a risk assessment of the organization’s IT environment. Nonprofits should also consider taking a complete infrastructure inventory and reviewing any regulatory requirements. It is important to create the necessary policies and enforce them. Always inform and train all volunteers and employees so that they properly embrace all updates. Initiate a plan to know what data is kept, where it is, how it is used, and who has access.
Secure all technology – The two best places to start with protecting technology are to always utilize multi-factor authentication and to always apply the latest patches to all software. Patches ensure that the latest security measures are deployed to software. Multi-factor authentication can prevent remote attacks even if credentials become compromised. Multi-factor authentication is an easy and effective tool to implement, yet over 70% of nonprofits do not utilize it.
It takes time – Security is not a destination; it’s a way of life. It can take 18 to 24 months to raise an organization’s cybersecurity maturity by just one level. Establishing a proper and mature cybersecurity posture is an ongoing effort. Patience and dedication are definitely required.
Doing nothing is absolutely not an option. Even if an organization hasn’t experienced a cyber breach to date, there’s no telling what tomorrow may bring. A lack of cybersecurity measures is like driving a car without insurance; it’s a big risk. Small organizations, for-profit and not-for-profit, are attractive targets, but they don’t have to be easy targets. A breach is inevitable if proper security is not implemented. Proactive measures can minimize the effects and allow a clear path to an accomplished mission. As an MSSP with a mission to protect the data of small and medium-sized organizations, we see the necessity firsthand. Don’t become an easy target; it’s time to take cybersecurity seriously.