Cyber thieves do not physically grab your keys or force an entry into your business, but the damage they do to your organization can be just as consequential. If your not-for-profit organization becomes the victim of cybercrime, it could suffer a blow to its reputation that is impossible to overcome.
So it is important to assess your risks of data breaches carefully and implement effective security policies and procedures. This will put you in a better position to protect valuable financial and personal data about donors and other constituents.
Are You a Sitting Duck?
Not-for-profit organizations generally have limited administrative personnel and often lack dedicated IT staff. They also typically have smaller budgets for technology solutions such as firewalls, antivirus programs and intrusion protection. It is no surprise, then, that the not-for-profit sector is one of the most frequently compromised by hackers.
Your organization’s network probably contains a wealth of data to entice hackers — for example, donor information, including names, addresses, credit card numbers and bank account information. Also coveted by cybercriminals are personnel data — such as employee Social Security numbers and direct deposit information — and accounting records related to payroll, payables, banking, investments and other financial functions.
Hospitals and other not-for-profit healthcare organizations that collect and store patient data, including medical records and insurance information, are particularly vulnerable. Colleges and universities also are popular targets because of their multiple networks and many users, including students who are more likely to participate in risky online behavior such as illegal file downloading.
Is Your Defense Strong Enough?
Most organizations are already familiar with protections such as firewalls and antivirus programs. As long as you keep those programs current and install updates as soon as they become available, you can count on a baseline level of protection.
But your defense strategy should extend to include policies and procedures, such as data-handling rules. Overworked staffers may neglect to weed out old files, but it is important to provide procedures for disposing of sensitive data that is no longer needed. And key data and systems should be backed up regularly and stored in a safe offsite location. Because not-for-profit organization employees often share responsibilities, be sure to create accountability for specific jobs.
Training for staff, volunteers and board members is critical, too. For example, your network’s users should be made aware of issues such as e-mail scams and “social engineering,” where criminals manipulate people into volunteering passwords and other information. Also, educate your employees about the proper use of laptops and mobile devices.
Finally, consider taking proactive steps against an attack by hiring a “white hat” hacker. With your authorization, this consultant uses the latest techniques to test your network and devices for holes so that you can plug them before a criminal finds them.
Are You Up for a Fight?
Of course, a robust cybercrime-fighting program takes time and at least a small bite out of your organization’s budget. Convincing your board that such expenditures are necessary may be tough.
Increasingly, not-for-profit organizations are creating technology committees led by tech executives or other knowledgeable board members. If your board lacks tech expertise, make recruiting someone who understands the need for cybersecurity, and how to achieve it, a priority. Your tech committee might be tasked with creating policies, determining budgets, evaluating software and products such as cyber liability insurance, and planning how your organization would respond to a cyber attack.
If your tech committee plans to act as first responders to a cybersecurity incident, be sure to include a public relations expert in the group. The timing and wording of communications can significantly affect how the media and your organization’s stakeholders respond to an event.
Thwarting Cyber Thieves
Unfortunately, cybercrime will continue to threaten organizations of all types, including not-for-profit organizations, for the foreseeable future. Make sure that your organization is doing all that it can to thwart cyber thieves.
We work with several IT consulting firms that specialize in IT security and protecting organizations from cyber threats. If you have a question or concern regarding your organization’s IT security, please let us know and we would be happy to refer a firm that could assist you.
Also on this topic, the Illinois CPA Society’s Not-for-Profit Committee is hosting a roundtable on Cybercrime and Payment Fraud Trends, to be held Oct. 29 from 8:30-10:30 a.m. Check out the Illinois CPA Society’s event page for more information.
For more information on preventing cybercrime at your not-for-profit organization, contact Jim Quaid at [email protected], or call him at 312.670.7444. Visit ORBA.com to learn more about our Not-For-Profit Group.