In January 2017, Indiana-based nonprofit Little Red Door – which provides cancer services to local patients – fell victim to a ransomware attack. After a staff member reportedly downloaded malicious software through an email, hackers were able to access the nonprofit’s server and backup drive and held the data for ransom at 50 bitcoin (at the time, the equivalent of about $43,000).
Due to the cyber-attack, Little Red Door spent months arduously re-entering patient information into its systems and trying to fortify its security infrastructure. It also struggled to secure grant funding in the wake of the breach due to not having complete records in place.
Why are we telling you this story? Because like Little Red Door of East Central Indiana, you’re probably thinking your nonprofit is too small or your mission won’t attract attention from hackers – or maybe you just think you’re fully prepared and couldn’t possibly be susceptible to a cyber-attack. But frankly, the problem is, you’re wrong.
Nonprofit organizations are becoming more, not less, likely to be victims of cyber threats as hackers take advantage of inadequate technology protections, limited employee security awareness and an industry generally unprepared for overcoming crippling cyber-attacks.
Weak Spots: Why Nonprofits Are ‘Easy’ Targets
Unfortunately, as focused and driven as nonprofits are to fulfill their missions and serve their communities, they often fall short when it comes to operational infrastructure. Most nonprofit grants and donations support specific charitable endeavors as well as communications and fundraising, but IT infrastructure and security controls might take a back seat.
Because many nonprofits also solicit online donations through their websites, they may open themselves up to greater potential risk. Hackers have been known to hijack “donate” buttons and redirect donors to third-party sites for payment processing. Credit card fraudsters also frequent nonprofit donation sites to test credentials from stolen cards – leaving organizations to also deal with assessing and reporting fraudulent donations.
Smart Controls: How Nonprofits Can Boost Cyber Defenses
To prevent cyber-attacks from wreaking havoc within nonprofit operations, it’s critical to invest time and resources (and yes, budget) on implementing sound controls that will safeguard sensitive organization and donor information and ward off growing external threats.
Technology. Nonprofits need to allocate budget and resources (internal or outsourced) to implementing and maintaining technology infrastructure that stores data securely. Organizations may want to consider leveraging cloud services to store information rather than maintaining onsite servers. Outsourced managed service providers can also ease the burden of managing, maintaining and updating technology infrastructure and software – something most nonprofits cannot spare time or resources for.
Backups. Whether hosting internal servers or using the cloud, nonprofits should ensure critical data is backed up to a remote, offsite location. That way, if a hacker infiltrates an organization’s primary server, the backup remains intact, allowing the nonprofit to restore from it once the server is operational again.
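The Little Red Door incident above is a reminder that a backup only helps if it sits somewhere the attacker cannot reach and if it has actually been checked before it is needed. The following script is an added illustration, not code from the article or from MFA: it copies a directory to a separate "offsite" location, records a SHA-256 manifest next to the copy, and refuses to restore when the copy no longer matches the manifest. The directories and sample files are constructed in a temporary folder so the script runs offline; in practice the offsite path would be a remote or cloud location that the primary server cannot write to.

```python
"""Offsite backup with a hash manifest and a verified restore.

Added example for the article; not MFA's code. Temporary directories stand in
for the primary server and the offsite location (assumption for the demo).
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large records do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, offsite: Path) -> dict:
    """Copy source to offsite/data and write the manifest beside the copy."""
    dest = offsite / "data"
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(source, dest)
    manifest = build_manifest(source)
    (offsite / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(offsite: Path) -> list:
    """Return paths whose content is missing, added or changed since the manifest."""
    expected = json.loads((offsite / "manifest.json").read_text())
    actual = build_manifest(offsite / "data")
    return sorted(p for p in set(expected) | set(actual)
                  if expected.get(p) != actual.get(p))


def restore(offsite: Path, target: Path) -> list:
    """Restore only a backup that verifies; return the problems found (empty = restored)."""
    problems = verify_backup(offsite)
    if problems:
        return problems
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(offsite / "data", target)
    return []


def run_demo() -> dict:
    """Walk through backup, a simulated ransomware hit on the primary, and a tampered copy."""
    tmp = Path(tempfile.mkdtemp())
    primary, offsite = tmp / "primary", tmp / "offsite"
    (primary / "patients").mkdir(parents=True)
    # Constructed sample records, not real data.
    (primary / "patients" / "records.csv").write_text("id,name\n1,constructed sample\n")
    (primary / "donors.csv").write_text("id,amount\n7,25\n")
    backup(primary, offsite)
    results = {}
    # Ransomware overwrites the primary copy; the offsite copy is untouched.
    (primary / "donors.csv").write_bytes(b"\x00encrypted\x00")
    results["offsite_problems"] = verify_backup(offsite)
    results["restore_problems"] = restore(offsite, tmp / "restored")
    results["restored_donors"] = (tmp / "restored" / "donors.csv").read_text()
    # If the offsite copy itself is altered, verification catches it and restore refuses.
    (offsite / "data" / "donors.csv").write_text("id,amount\n7,0\n")
    results["tampered_problems"] = verify_backup(offsite)
    results["tampered_restore"] = restore(offsite, tmp / "restored2")
    shutil.rmtree(tmp)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The manifest is the piece most small backup routines skip: without it, a backup that was silently corrupted or overwritten looks identical to a good one until the day it is needed. Scheduling `verify_backup` to run after every backup turns a bad copy into a same-day alert rather than a discovery made during an incident.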
Access. Many nonprofits run light on full-time staff and rely on rotating waves of volunteers, and as such, it’s critically important to ensure the organization maintains strict data access controls. Full-time employees – particularly those who deal with donor relations, accounting or other financial matters – should be afforded access to sensitive information; however, that privilege should not be blindly extended to everyone who works or volunteers for the organization. Part-time or seasonal volunteers, for example, who support fundraising or community programming, may not require full access to donor databases or company financials. Access controls should limit what information is readily available to employees and volunteers, and in some cases, nonprofits may want to consider keeping access logs or monitoring what information is accessed and by whom.
Training. Because cyber-attacks so often stem from the actions of an employee (most often unintentional but, in some cases, malicious), information security awareness training must be a priority for nonprofit organizations. At least annually, employees – and volunteers who have access to organization and donor data – should be required to complete a training course that reviews potential risk factors and best practices for maintaining secure operations. Many third-party services offer these types of courses, and they can be administered online or in-person.
With growing cybersecurity risks threatening to cripple already lean nonprofit organizations, robust security controls are essential to keeping operations running and allowing nonprofits to continue supporting their important missions. The costs associated with technology implementation and training are quickly being outweighed by those of being unprepared for a cyber-attack.
To learn more about implementing sound cyber controls at your nonprofit, please contact the team at MFA.