Nonprofit organizations are usually tax-exempt or charitable entities that pay no income tax on the money they make. They operate religious, scientific research, charitable or educational institutions and, here in the United States, public media or religious broadcast stations. Their revenue model is built mostly on donations and grants to fund their annual goals and objectives. Many of these organizations do not consider themselves targets for a cyber-security breach, partly because they assume that hackers understand a nonprofit does not have large amounts of disposable income to pay a cyber ransom and is therefore not worth hacking. However, the 2016 Cyber Claims Study conducted by NetDiligence – a cyber risk assessment and data breach services company – ranked nonprofit organizations among the top five affected industries.
The reason for this is quite evident. Nonprofits are usually not expecting an attack, so their guard is down, which makes them an easy target. Also, some nonprofits tend to undervalue their most valuable asset – their donor list – which is priceless to hackers. Even when nonprofits are alerted to their own vulnerability, the underlying thought is usually that it will never happen to us.
Today, as we move at full speed towards the new digital economy, nonprofits are becoming more dependent on technology. As that dependency grows, they will become more vulnerable than for-profit businesses, which have far more resources to allocate to cyber-security. Many nonprofit business models rely on collecting and sharing data. Such data is usually stored elsewhere by cloud services and is accessible from anywhere by employees, consultants or call centers.
Whenever data is made available through multiple access points, cyber threats are usually not far behind. One primary source of such threats is internal – someone very familiar with the organization, such as a disgruntled employee. Such a person may delete or destroy data or programs, crash systems, or even illegally sell data to a third party.
However, the major sources of data breach that nonprofits have to worry about usually come from outside attackers or hackers. These sometimes operate from nations outside our own borders, such as Eastern Europe, Africa, India or China. Their attacks usually take the form of hacking, DDoS attacks, social engineering (phishing), email hacking, website hacks, cyber blackmail, or plain old-fashioned virus/malware attacks on email servers, laptops and desktop computers – all with extortion as the end game. Some hackers are sophisticated enough to break into trusted third-party vendors and partners, such as website hosting companies, cloud storage vendors or call centers that manage or use the nonprofit’s database.
The NetDiligence study (published January 2017) titled “Cyber-security Outlook and Key Considerations for Nonprofits” goes into detail on the cyber risk landscape and alerts us to some of the technical weak spots that nonprofits should constantly be aware of. It advises that nonprofits implement an effective cyber-security strategy which includes an assessment of their readiness: “Employees should understand applicable regulations such as state privacy regulations, payment card industry (PCI) and Health Insurance Portability and Accountability Act (HIPAA) guidelines”. Mark Greisiger, president of NetDiligence, advises that “It’s important to show that your organization has made a good faith effort to safeguard information assets. It is well understood that achieving 100 percent effectiveness in cyber-security is not realistic. What’s key is demonstrating that your organization is proactive in mitigating its cyber risk.”
Finally, ongoing training for employees is a worthwhile expenditure, and where possible, someone with some level of cyber-security expertise should be added to the staff. That person must be able to perform periodic risk assessments – including examination of network systems and applications – and be able to develop incident response plans as needed. He or she should understand encryption and patch management and be able to manage outsourced projects.