Protecting Your Nonprofit from a CyberattackBy Richard Nathan | February 2, 2018
2017 was predicted to be the “year of cyber warfare” by Forbes.com. Sure enough, by mid-year, cyberattacks had already doubled the previous year’s totals. Given that an estimated 63% of nonprofits experienced a data breach in 20161, we are likely facing even more devastating statistics for the industry as the results of 2017 are realized.
From local food banks and hospitals to major government think tanks and hospitals, not-for-profits of all types and sizes have been targeted by cyber criminals, and the frequency of the attacks will only increase as technology advances.
Along with the government, retail and technology sectors, the not-for-profit industry is a popular target due to the substantial amount of personal and financial information they collect, especially in the areas of healthcare and education. Therefore, it is essential for these organizations to implement resources that will enable them to recover quickly and effectively.
When any organization is attempting to understand its cybersecurity needs, the first step is to determine its digital asset risk profile. Digital asset types include HIPAA, PII, legal, financial and other confidential and sensitive data.
Risk level varies by organization and depends on the type of technology used, connection types, delivery channels and mobile device usage. Typically, nonprofits have an inherently high risk level. Due to limited funding and resources, they may have inadequate IT staff, limited cybersecurity defenses, and fewer restrictions on employee access to data.
Once the risk profile is determined, it is important to develop clear and concise digital security policies that address all identified risks. The policies should apply to all employees and be readily available for employee review. Additionally, having clearly defined data backup and data retention policies, as part of an overall Disaster Recovery Policy, is critical to your organization’s ability to recover from an attack. (See Responsibilities and Roles below.)
Since 60% of all cyberattacks are carried out unintentionally by someone within the organization2, it is imperative to administer cybersecurity prevention training and tools that teach employees how to responsibly navigate the cyber environment. Prevention methods can be as simple as requiring complex passwords (including dual factor authentication) that need to be updated regularly and implementing web filtering to close windows of vulnerability.
More sophisticated security management tools, such as anti-malware and next generation firewalls, are used to prevent and detect attacks before they happen. These well-known and trusted security tools are needed to assist in the mitigation and prevention of cybersecurity issues, but education of your end-users is equally important in the fight against cybercrimes.
Responsibilities and Roles
Traditionally, an IT department or vendor was the only line of defense against cyberattacks, but today it is everyone’s job to protect an organization’s cyber environment. Keeping the lines of communication open between IT and other staff members is essential to an effective cybersecurity program. When employees report suspicious emails, they are essentially helping to keep security measures up to date.
Regardless of the size of your nonprofit organization, you should have a designated disaster recovery team that works hand-in-hand with the IT department or vendor. The goal of disaster recovery is to ensure that an organization will be able to continue its mission following a cyberattack or natural disaster. IT can work with this team to plan and test data security processes, determine critical data to be backed up and retained, and, in many cases, establish a cloud-based or other failover site to aid in restoration of your operations. The data backup process involves copying or archiving files to restore them after a loss of data. When creating a data backup plan, your IT department or vendor will help you determine what critical data should be backed up, how many iterations of the backup should be retained, how best to store the data, and who in the organization has the ability to restore data during a business interruption.
Another role of the IT professional is to implement periodic internal and external penetration testing. This scheduled and systematic verification process ensures that applications, networks and systems are not at risk.
An added measure of protection that some organizations may consider to further protect their digital environments is cyber insurance. In the event of a cyberattack, general policies typically reimburse legal fees and expenses, notify individuals (i.e. donors, patients, students) of a breach, repair damaged operating systems, recover stolen and compromised data, and restore the personal identities of those affected. Other available forms of cyber insurance include multimedia, extortion, and network liability coverage. Consult with your insurance provider to determine if coverage is appropriate for your not-for-profit organization.
Bringing in an outside vendor to assess a not-for-profit organization’s cyber risk is a standard practice, but it’s always wise to ask first: “Who can I trust?” Ideally, the cybersecurity consultant should have expertise in your specific sub-sector of the not-for-profit industry in order to determine the most effective way to safeguard your organization’s computers, data, networks and software. A consultant should also have the capability to provide technical support and supervision, update security systems, research security standards and deliver technical reports.4 When choosing a vendor, proceed knowledgeably and employ common sense.
Prevention is always better than finding a cure, so precautionary cybersecurity measures are key. The right level of prevention will also make it easier to control damages in the event of a network breach. Remember, it is not a question of if your nonprofit will become a victim of a cyberattack, but rather when.
About Richard Nathan
Richard Nathan is a Senior Consultant at Marks Paneth LLP. His areas of expertise encompass management consulting, including financial and operational software selection, business process improvement, technology assessment and project management. He also provides IT advisory services and business continuity planning. Additionally, he counts the nonprofit sector and the real estate industry as areas of specialty. Mr. Nathan has presented before many associations and professional organizations, including the New York Association of Association Executives, the... READ MORE +