While cyberattacks and security breaches at major retail, financial, and technology companies might be in the headlines more often, nonprofit organizations are equally at risk from malicious hackers and innocent exposure. For nonprofits, beyond the financial impacts, which could include ransoms, settlements, notifying parties, and more, a malicious attack could deeply damage confidence in your organization brand and reputation.
Nonprofits typically handle a great volume of personally identifiable information (PII) for both donors and recipients, including credit card records; employee files; medical records; and other sensitive information, such as donor contact information (i.e., phone numbers, addresses, and email addresses) and transaction information.
The following are eight steps your nonprofit can take to help protect against a cyberattack or unintended security breaches.
1. Establish a perimeter defense.
Think of this as defending your castle (and think of your castle as being anywhere you have employees working). Determine how secure your organization is, and patch up any holes related to access and communication using the following strategies:
- Address endpoint security – protection for information accessed remotely
- Segment your network – spilt networks are typically more secure and perform better
- Monitor firewalls – monitor incoming and outgoing network traffic and decide to allow or block specific traffic based on recommended security parameters
- Invest in anti-malware – software to protect against infections caused by viruses, worms, Trojan horses, spyware, ransomware, adware, etc.
- Secure communications – encrypt email, strong password policies, and spam filtering
2. Conduct a data inventory.
Every organization has sensitive information that lives in many different places, such as network files, laptops, and mobile devices. In our increasingly electronic world, more and more sensitive information is migrating from hard copy to soft copy format, making it potentially accessible to anyone.
- Identify all data you have that is sensitive: organization financials, donors/members, employees, transactions, intellectual property, medical, legal, technical, etc.
- Identify where the data is located: hard copy, electronic, on premise/off premise, encrypted.
- Confirm why and how long you hold onto data, and keep only what you need. Consider a retention policy and process for purging unnecessary PII.
- Identify who is responsible for each data type (data governance, ownership, single source).
In our increasingly electronic world, sensitive information is migrating from hard copy to soft copy format, making it potentially accessible to anyone.
3. Meet compliance standards.
Privacy policies are constantly changing. Nonprofits must be aware and informed of changes and how they will affect data security. For example, if your organization accepts credit cards, ensure you understand the Payment Card Industry Data Security Standards (PCI DSS).
If your organization maintains patient medical records, it should be vigilant of compliance related to HIPPA. The Health Information Trust Alliance’s (HITRUST) Common Security Framework (CSF) is another compliance option to guarantee proper creation, access, storage, and exchange of sensitive and regulated data. Other compliance recommendations include:
- Install and maintain a firewall configuration to protect stored cardholder data.
- Encrypt transmission of cardholder data across open public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
4. Manage your users.
Make sure you know who, what, when, and how when it comes to user access. For nonprofits, this can include employees, volunteers, participants, and business partners.
- Who has access to what information? Review authentication/verification processes, internal or remote access, and single sign-ons.
- How and when is access decided? Examine password policies, multifactor authentication, and access management.
- What are policies for contractors, vendors, or other partners? If you don’t know what you have to protect, you can’t secure it.
5. Authenticate passwords.
Is your password policy too simple? Do you have a policy? Are there different password requirements for different systems, roles, and levels of access? Weak passwords can mean big trouble; don’t make it easy for hackers.
- Establish and implement a practical password policy (length, complexity, and scheduled changes).
- Utilize enterprise-grade password management tools.
- If using a single-sign-on strategy, make it stout.
- Concentrate authentication to core business systems.
- Consider two-factor authentication.
- Trust but verify.
6. Monitor for suspicious activity.
It can feel a little like Where’s Waldo? when it comes to protecting your infrastructure. Nonprofits must continually monitor for threats and identify suspicious network traffic. There’s an avalanche of information in system log data, so determine which tools you’ll use to detect threats:
- Advanced security analytics – a network security analytics tool that helps detect and classify network intrusions
- Managed security services – network security services outsourced to a service provider that will monitor 24/7 to help prevent breaches
7. Be resilient.
In the unfortunate event that a breach occurs, nonprofits need an overall information security strategy and ironclad cybersecurity plans in place to quickly get back on their feet. They should include:
- Backup & restore process
- Disaster recovery plan
- System patches & updates
- Breach response plan
- Definition of a breach
- Breach response teams & responsibilities
- Recovery activities
- Communicating the breach
- Dealing with the breach
- Restoring operations
- Testing & maintenance.
8. Be aware.
No business or organization leader wants to be the victim of a cyberattack, but chances are someone will fall victim of a Nigerian prince once in their lifetime.
People are the weakest link in the cybersecurity chain, so awareness training is one of the best preventative measures you can take.
This includes being mindful of more subtle ploys like:
- Phishing – may pose as your credit card company
- Spear phishing – may pose as a high-level member of your own organization with an urgent request
The risk to nonprofits for a cyberattack or security breach is real, but many of these attacks can be prevented through careful planning and thoughtful execution. Regardless of your organization’s size or type, it’s the leadership’s responsibility to ensure the peace of mind of stakeholders and keep all of its data secure by utilizing best practices. The worst possible strategy is to not seek experienced guidance for how to protect against this risk.