Nonprofit organizations should be just as concerned about cybersecurity as small businesses are, in part because they face many of the same challenges.
Like small businesses, nonprofits often have small IT teams, often without a dedicated IT security specialist. Nonprofits also collect a wealth of payment and donor information that malicious actors may look to steal via a phishing attack that gives them a staff member’s credentials — and access to sensitive information.
Sometimes, attackers may attempt to fraudulently impersonate the nonprofit and go straight to donors for their information. Such was the case at the Harry and Jeanette Weinberg Foundation, which warned in June about an email sent to supporters that was crafted to appear as though the foundation had sent it, according to the Nonprofit Times.
Meanwhile, in 2015, an email phishing scam reportedly lured an employee of the American Museum of Natural History into making an erroneous wire transfer of almost $3 million.
Fortunately for nonprofits, though the threats are real, so are the defenses they can employ. Nonprofits can look to state governments and nonprofit associations for aid, can conduct risk assessments and tackle cybersecurity basics, and can use online toolkits like the Digital Impact Toolkit to bolster their security.
1. Nonprofits Can Work with State Partners to Boost Cybersecurity
As Paul D’Alessandro, a lawyer and a tax law specialist for nonprofits, notes in an article on Nonprofit Pro, “States can be a good place for nonprofits to seek information and even get financial assistance to help them protect information.”
For example, Massachusetts allows nonprofits to apply for grants from the Department of Homeland Security, and although the grants primarily focus on target hardening and physical security to defend against terrorist attacks, they also support cybersecurity training.
The National Council of Nonprofits notes that nonprofit organizations need to know whether the data they collect and maintain is covered by federal or state regulations as personally identifiable information. If so, 47 states’ laws require nonprofits to inform those whose PII is disclosed in a data breach, and 31 states have laws that require disposal of such data in certain ways.
The council adds that some nonprofits may want to purchase cybersecurity insurance to cover a range of costs, including notifying donors whose information may have been compromised in a breach, repairs to a hacked website, or even public relations help after a breach. Organizations can turn to their state association of nonprofits, which may help identify insurance professionals, brokers or companies that can provide cybersecurity insurance for nonprofits.
2. Nonprofits Should Practice Good Cyber Hygiene
In addition to becoming informed about and following data security regulations, nonprofits need to practice the basic blocking and tackling of cybersecurity.
First, they need to perform an enterprisewide vulnerability assessment to gauge their cybersecurity risks, which can often be handled by a trusted IT services partner. Those assessments can run the gamut from penetration testing to rapid vulnerability assessments, white hat hacker assessments, data loss prevention risk assessments, WLAN capacity evaluation, tailored comprehensive security assessments, and remote pen testing.
The law firm Venable LLP held a conference in 2017 on nonprofit cybersecurity risks, and in its presentation it notes that nonprofits should implement a comprehensive information security program that addresses any identified vulnerabilities, and should periodically review and update that program.
Nonprofits should also implement policies around data classification, password strength, access control, encryption, data disposal and patch management. Additionally, nonprofits need to put in place and practice a cybersecurity incident response plan.
3. Nonprofits Can Use Online Guides and Resources for IT Security
Nonprofits can also turn to online resources to enhance their security. D’Alessandro notes that the Digital Impact Toolkit is available for free from DigitalImpact.io, an organization that was created to help nonprofits boost security in the digital era.
“The toolkit provides easy-to-use forms that will help you assess your digital security,” he says. “If you complete the kit, you will know your data inventory sources, and you’ll have a clear — and easy to follow — understanding of who is responsible for your data policy.” And it can even help you “with developing (or assessing) a grant for data security.”
There are other resources nonprofits can turn to. Google offers nonprofits a cybersecurity tutorial, and the National Council of Nonprofits offers a fairly comprehensive guide as well. Nonprofit IT leaders should also regularly consult leading nonprofit tech blogs for cybersecurity news and advice.