If nothing else, the recent election cycle has once again pointed the spotlight on hacking and the threat of cybersecurity vulnerabilities. The list of organizations and businesses that are becoming targets for hackers and cybercriminals just keeps growing. Non-profits are no exception. In fact, since non-profits keep a lot of sensitive data, from client and donor personally identifiable information (PII) to confidential emails, they can be particularly enticing targets.
Given that non-profits historically have had to face limited operating budgets, cybersecurity may have had to take a backseat to other priorities. However, in today’s climate, it is incumbent upon any non-profit organization, big or small, to take the threat of cybersecurity seriously.
Here are some tips to lessen your vulnerability to cyberattacks.
- Risk Assessment – In order to better protect your data, you must identify vulnerabilities and accurately evaluate risks. Risk assessment should include input from all critical departments handling vulnerable data, including Development, IT, Human Resources and Accounting. Forensic accounting should also figure into your risk assessment to analyze your data for potential threats, as well as compliance issues.
- Upgrade Your Computers – Due to the aforementioned budget constraints, a significant number of non-profits may be running outdated or unsupported operating systems. Simply put, the older an OS is, the more vulnerable to hacks and breaches it is.
- Training and Personnel – Cybersecurity must become part of your culture, and all employees and personnel need to take it seriously. You may need to periodically bring in outside consultants to train your people on how to recognize and avoid common phishing scams, viruses, malware, and ransomware. A note about passwords: make sure employees have to change their internal password periodically, know how to create strong passwords, and know not to use the same password for every site or software application.
- Create a Responsible Party – If you do not already have one, you should create a team or committee that is specifically responsible for addressing and mitigating your cybersecurity concerns and vulnerabilities. The committee should meet regularly to assess risks, review any past incidents and improve both proactive and reactive countermeasures.
- Practice and Drills – Once you have developed a cybersecurity plan, it is important to test and evaluate it through the use of drills and simulated attacks. These kinds of incident response exercises should indicate the strengths of your mitigation solutions, as well as expose weaknesses and gaps that need to be addressed through the organization.
- Proper Insurance – Cyber-crime is rampant and there are no guarantees to prevent an incident, even if you are taking all of the appropriate steps to protect your organization. Since each state has different requirements when a breach occurs, compliance after an incident can be extremely costly. Most general business insurance does not include coverage for cyber-crimes, so it is important to reach out to your insurance agent to review your current policy and consider purchasing a separate cyber policy.
What Should Your Organization Do Now?
The bottom line is that NPOs can no longer take a “who would want to hack us” approach, and must make cybersecurity a priority. Organizations need to understand that they are targets, and the threats are real. The IT and system specialists with MBAF and WhiteOwl can help you assess your risk and implement mitigation solutions compatible with your needs and budget.
Cybersecurity concerns surrounding non-profit entities can be quite complex. If you would like to benefit from our expertise in these areas or if you have further questions on this Advisory, do not hesitate to contact our non-profit specialists, or call us at 1-800-239-1474.