Cybercrime: Nonprofits in the Crosshairs

Nonprofit | June 10, 2019 | Holtzman Partners

Online attacks have nearly tripled in three years, according
to the FBI, and hackers are increasingly targeting nonprofits alongside private-sector
companies. In this threatening environment, every organization must understand
its online risks and basic security requirements.

Who’s at Risk?

Your organization is courting cyberattack if it:

  • conducts financial transactions online.
  • collects anonymous personal information.
  • stores any personally identifiable information.

It’s a broad list: Most nonprofits do all three routinely,
as do most businesses. The value of financial and personal data is
self-evident, but anonymous data is valuable too. Its collection is less
obvious, and its use is less transparent, but it’s the coin of the realm in
online marketing. All of this information attracts thieves.

Meanwhile, your .org domain designation raises your visibility. Most search engines add a lift in their rankings for nonprofits, so your site may show up high on a searcher’s screen. That’s all well and good—unless the searcher is a cybercrook looking for marks. If so, the miscreant probably knows that nonprofits lag behind for-profit companies in security.

The civilized mind recoils at robbing a charity or any worthy cause. But cybercriminals are interested in your data, not your mission.

What’s at Risk?

For as long as churches, charities, and nonprofits have
received and spent money, fraudsters have tried to capture their revenues and
steal their property.

Nowadays even the old standby scams usually rely on some
online access—the internet can help kite a check, fake a paid invoice, or print
surplus tickets to a big event. A sophisticated cyberattack can reach deeper
into your organization and steal larger assets.

Ransomware is a specific kind of attack. It invades your
systems, blocks your access to your own data, and demands a ransom to lift the
block. Ransomware can paralyze your activity, drain your bank account, or both.

Another set of data can be even more valuable to thieves: financial
and personal information about your donors, board members, employees,
volunteers, vendors, and visitors to your site. How much information about
credit cards, bank accounts, social security, and other business—even passwords—lies
somewhere in your computer systems? A sophisticated ring that traffics in this stolen
data can use it to defraud the people who trust you.

Any of these cyberattacks, if successful, would likely
tarnish your brand and your organization. Insurance may cover some damages, but
it can’t protect trust, and trust lost is hard to regain. For some nonprofits,
such cyberfraud can be fatal.

Lowering Your Risks

  • Calculate your potential loss from
    data theft. Segment your data—donors, employees, etc.—and estimate the damage
    your nonprofit might sustain if that data were stolen and sold to bad actors. Estimate
    a range for each constituency, and stress objectivity.

  • Identify weak spots. Aging operating
    systems or financial software should especially stand out. Consult with a
    reputable cybersecurity company for a vulnerability scan and penetration test
    to detect weaknesses. Don’t neglect mobile in these reviews.

  • Upgrade your systems. Nonprofit tech
    staffs have patched older systems for years, heroically in many cases. But
    upgrading is a standard business requirement today, and nonprofits can’t avoid
    it. Your decision on systems, software, and hardware upgrades—which, when, and how—can
    have significant consequences.

  • Invest in technology. What are the most tedious and unnecessary tasks? Could some parts of your nonprofit machine contribute more to the overall mission if you automated or combined some tasks? Software abounds in the nonprofit industry, so you should weigh reputation and reviews along with cost. Don’t skimp on a vigorous antivirus defense or a strong, well-regarded payment processor.

  • Upgrade
    Most cybercrooks hack people, not systems—it’s
    easier. Making it harder takes clear protocols and rules—automatic software
    updates, strong passwords changed regularly, two-factor authentication, and
    others. But it mainly takes a culture. Do phishing emails get bites? If you
    don’t know, test. Most of all, train. Formally, informally, lunch and learn—security
    can be interesting.

  • Maintain and back up. When hiring a new IT professional, nonprofit experience is a plus, but focus on tech skills. Putting your people and investments to work calls for well-oiled IT, from software updates to onboarding and a help desk.

Meanwhile, robust data backup plans and systems are becoming a requirement. To approach 100 percent effectiveness, a backup system must be real-time, 24/7, automatic, offsite, redundant, and secure.


Should you
insure your data? It depends on what’s at stake, how confident you are in your
systems, and how you want to balance the two. As the price of data protection
drops with new products and services, more nonprofits are likely to cover their
potential liability with insurance.

Maintaining best practices
in data security will ease a nonprofit’s insurance cost. With or without
insurance, use these principles to protect your assets and reputation today.

European Privacy Law
Affects U.S. Nonprofits

The General Data Protection Regulation (GDPR), which took effect May 25, 2018, is the European Union’s new data privacy law. It governs any digital information that can be linked to an individual.

It applies to any organization that collects personal data from any person in the EU, with or
without payment. Violators of the GDPR’s data security requirements will be
fined, regardless of a company’s location. Meanwhile, other countries are signaling
they may use the GDPR as a model for their own regulations.

So, if your nonprofit sells so much as a coffee mug to a Berliner,
you’ll need to review the GDPR.

Our nonprofit team is here to help! Contact us at 512.610.7200 or send us a message.

Our team provides the technical experience and industry depth that your team can trust.