
Cybersecurity & Data Security Risks to Nonprofits, Charities, and Member Organizations

As more of your organization’s information is digitized, Cybersecurity should be a key component of your overall Security. It’s the only way you can protect your data from unauthorized access. As a manager of a nonprofit, you’re a potential target for highly sophisticated cyber attacks. You must protect yourself and your members’ and donors’ confidential information.

Read on to learn what you need to understand and do.

Hackers love an easy target. If your nonprofit engages in any of the three activities below, it’s time to get serious about taking steps to address cybersecurity risks. Does your nonprofit:

  1. Conduct commerce on your websites, such as processing donations or event registrations?
  2. Store or transfer personally identifiable information in the Cloud about anyone, such as donors’ and clients’ medical information, employee records, driver’s license numbers, addresses, and Social Security numbers?
  3. Collect information on preferences and habits of donors, patrons, newsletter subscribers, etc.?

Cybersecurity vs. Data Security

Cybersecurity and Data Security are related concepts.

Data Security is formally defined as: “The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity, and availability.”

  • Data security focuses on securing personal information such as names, membership information, health information, payment card details.
  • Different agencies and laws regulate various types of incidents, and they often overlap.

Cybersecurity is one piece of Data Security, but a key component. It involves the protection of electronic devices and electronically stored information, with the similar goal of ensuring its availability, integrity, authentication, confidentiality, and non-repudiation.

  • Cybersecurity focuses on the protection of networks, computing infrastructures, and personal information from attacks and malicious software. This includes organizational networks, communication systems, and financial management systems.

As more information becomes digitized, digitally stored, processed, and communicated, Cybersecurity is now a key component of Data Security. It’s all about protecting your data.

Why Is Your Nonprofit or Charity at Risk?

Because:

  • Nonprofit organizations are the “low-hanging fruit” for less sophisticated cybercriminals.
  • Cybercriminals want your confidential data and/or money.
  • Cybercriminals understand your market has neither the fear nor budget to protect against this very real threat.
  • The Dark Web has made it easy and affordable for hackers to come after you. It takes very little experience to do this.

You Must Know the Rules.

State lawmakers often follow the Federal Trade Commission’s (FTC) lead in enforcing local and state laws on fairness and/or deception. The following are practices, and failures, that the FTC has identified as factors in assessing whether security is reasonable:

  • Minimizing the collection of personal information.
  • Failure to enforce or implement password policies.
  • Failure to encrypt and/or protect consumer information at rest or in transit.
  • Failure to perform due diligence on, and oversight of, service providers’ cybersecurity policies.
  • Failure to provide employees with adequate cybersecurity training.
  • Failure to implement policies and procedures to detect and/or respond to a cyber incident or breach.

You Must Understand State Laws.

Nine states require that organizations implement sufficient policies and procedures to maintain reasonable data security. Which law applies is normally based on where the person resides, not the location of your organization.

  • Arizona
  • California
  • Florida
  • Connecticut
  • Indiana
  • Maryland
  • Oregon
  • Texas
  • Utah

Massachusetts Standards for The Protection of Personal Information:

Massachusetts has implemented more detailed data security requirements that apply to associations and other entities. They require a written comprehensive information security program with specific items and tech requirements.

Data Disposal

30 states impose legal obligations on organizations to properly dispose of records that contain personal, financial or health information.

The Payment Card Industry (PCI) Data Security Standard (DSS) is a standard that all organizations, including nonprofits, must follow when storing, processing and transmitting credit card data. To be PCI compliant, you must use a firewall between a wireless network and the cardholder data environment, use the latest security and authentication such as WPA/WPA2, change default settings for wired privacy keys, and use a network intrusion detection system.

PCI DSS: The Payment Card Industry Data Security Standards are regularly updated security protocols created by the credit card industry. They were created for the protection of account holder information.

Implementation: Compliance steps depend upon how many payment cards you accept by volume. You can bring in Qualified Security Assessors (QSAs) to assist. Keep in mind that your service providers must also be PCI DSS compliant.

Enforcement: Credit card brands require merchant banks to enforce compliance. Fines imposed on banks are passed on to organizations. States have also enacted requirements similar to PCI DSS.

Cybercriminals want your data and money.

They use these attack vectors to get it.

Attack vectors are the means by which a hacker gains access to your computer or network to deliver malware that can result in:

  • Damage to your information or systems;
  • Regulatory fines, penalties, and legal fees;
  • Decreased productivity;
  • Loss of critical business information;
  • Loss of trust from your clients and damage to your reputation;
  • Damage to your credit so you can’t get loans;
  • Loss of business income;
  • Financial loss due to ransomware or wire transfer exploits.

Hackers want to steal your clients’ data to:

  • Sell it on the Dark Web.
  • Access financial accounts for withdrawals or set up credit card accounts.
  • File fraudulent tax returns in victims’ names to collect refunds.

The information you store is at risk. It has increasingly become a target for data theft. It’s a top priority for the IRS to stop this. In 2015, the IRS implemented National Tax Security Awareness Week to educate:

  • Tax return preparers,
  • Software providers,
  • State tax agencies,
  • Payroll providers and
  • Financial Institutions.

What Would the Overall Impact of an Incident Look Like?

It Could Be Devastating For Your Nonprofit.

  • Damage to your information or information systems
  • Regulatory fines and penalties/legal fees
  • Decreased productivity
  • Loss of information critical to run your organization
  • An adverse reputation or loss of trust from members and donors
  • Damage to your credit and inability to get loans from banks
  • Loss of business income
  • Financial loss due to Ransomware or Wire Transfer Exploits

Many factors contribute to the total cost of a cyber breach:

  • Breach response efforts: delivering notices, credit monitoring, legal costs, insurance costs, etc.
  • Reputational costs: members, donors, goodwill, media scrutiny.
  • Litigation and/or regulatory defense.

The approximate average cost of a data breach*

  • 1,000 records: $52,000 to $87,000
  • 100,000 records: $366,000 to $614,600
  • 10 Million records: $2.1M to $5.2M

*Source: 2015 Data Breach Investigations Report, Verizon

Mitigate Your Risk.

There are many steps you can take, and they are all doable and affordable. When viewed as part of your overall business strategy and processes, information security doesn’t have to be intimidating. It’s not possible for any nonprofit to be completely secure. However, it’s possible and reasonable to implement a program that balances your security with the needs and capabilities of your organization.

Prepare for the Worst.

It’s a lot easier for the bad actors to attack your employees than well-maintained infrastructures. You must understand that the primary goal of hackers is to gain access to your network any way they can. From there, it’s exponentially easier to achieve their ultimate objectives.

Assess Your Risks.

  • Perform an organization-wide vulnerability assessment.
  • Implement a comprehensive cybersecurity program that addresses any vulnerabilities.
  • Continuously review and update a cybersecurity plan or program.
  • Implement appropriate data security policies:
      • Data Classification Policy
      • Password Policy
      • Access Control Policy
      • Encryption Policy
      • Data Disposal Policy
      • Patch Management Policy
  • Implement an Incident Response Plan.

People still:

  • Click on links they shouldn’t.
  • Open attachments they weren’t expecting.
  • Click on buttons that promise special offers or cure a virus they don’t have.
  • Enable macros on Word and Excel documents.

How To Protect Your Data and Nonprofit.

Security Awareness Training for Your Employees

Your employees may be your biggest vulnerability:

  • They typically reuse the same passwords across many accounts, and choose ones that brute-force hacking tools crack easily.
  • They get tricked by phishing attempts and CEO fraud, and unknowingly divulge confidential information or provide access to funds.

The Verizon 2016 Data Breach Investigations Report revealed a shocking 30% of recipients open phishing messages and 12% click on attachments.

For this reason, you should have an IT professional conduct Security Awareness Training on a regular basis.

Secure Your IT Infrastructure.

  1. Your network must be well managed, with patching, virus protection, backup solutions, and firewalls that are diligently kept up to date.
  2. Use GEO IP Filtering on your Firewall whenever possible. This feature allows you to block connections to or from a geographic location. It should be a next-generation firewall with perimeter malware protection.
  3. Be sure you have reliable backups, both onsite and offsite.
  4. Use next-generation endpoint protection, including on any printers and copiers connected to your network.
  5. Use strong spam and content filtering.
  6. When using remote access, two-factor authentication is essential.
  7. Undergo an Annual Cybersecurity Assessment.
  8. Deploy a proactive effort with incremental layers of security to meet today’s new security challenges.
  9. Conduct ongoing Internal Vulnerability Assessments and Remediation.
  10. Provide Cybersecurity End User Training.
  11. Get Cybersecurity Insurance. (Your provider should be part of your Incident-Response Team.)
  12. Develop a Cybersecurity Policies and Procedures Manual.
  13. Make sure you have a written (and tested) Business Continuity Plan.

Ensure Your Mobile Devices Are Secure as Well.

With the proliferation of mobile device use and BYOD (bring your own device) to work, your business needs secure mobile device solutions. Mobile Device Security ensures your employees use their devices in a secure and controlled manner. It protects your data whether it’s deployed across multiple mobile service providers or on a variety of mobile operating systems.

Your mobile device security solutions should support:

  • The ability to remotely locate, wipe or lock a stolen device.
  • The ability to wipe only business data from a personal device.
  • Dynamic security features that continuously monitor and manage devices.
  • Implementation of secure passcode policies.
  • Enforced encryption policies.

Your Mobile Device Security should include your employees’ smartphones. They may contain valuable contact information and emails that cybercriminals want. Even text messages can be spoofed. And remember that Bluetooth, although convenient, isn’t secure. Viruses can be spread via Bluetooth and hackers can use it to connect and compromise your phones. Always turn off Bluetooth when it’s not needed, and disable automatic pairing. Also, set your devices to “Non-discoverable.”

WiFi hotspots can put your business information at risk. Anything that you send over an unsecured WiFi network can be intercepted. Always turn off WiFi when you’re not using it. Don’t allow your device to auto-join unfamiliar networks. And don’t send sensitive information over WiFi unless you know it’s secure.

Keep an Internet Security Mindset.

When browsing online, be sure to check the website’s security status. Make sure it begins with HTTPS before you enter any personal or financial information. You want to see a closed padlock symbol next to the URL. This means that GeoTrust has confirmed the site’s security is up to date. Simply visiting an unsecured site without clicking any links can compromise your cybersecurity.

Be Careful with The Internet of Things (IoT).

The IoT refers to the connection of devices to the Internet. Cars, appliances, medical and manufacturing devices are all being connected through the IoT. With the rapid development of the IoT, and the fact that more small devices are connected to the Internet, security is an increasing concern.

Many IoT devices have weak or no security. There are known vulnerabilities that can’t be patched or upgraded. If you use them in your organization, they should be isolated on their own network.

Take the Time to Protect Your Nonprofit Before It’s Too Late.

As you can see, there are many things to consider when it comes to protecting your nonprofit from today’s hackers. You simply can’t do this on your own anymore with off-the-shelf software. The good news is that Krantz can not only address these potential cybersecurity threats, we can train your staff to recognize and defend against them. Security Awareness Training, coupled with our Cybersecurity Solutions, will protect your organization against today’s ever-growing forms of cybercrime.

For assistance, contact us at (212) 286-0325, or via our contact form.



This post first appeared on Krantz Secure Technology, please read the original post: here
