Be Prepared for Increasing Cybersecurity Challenges in your Nonprofit

Recently, a nonprofit hospital system out of San Diego lost nearly $92 million in revenue due to a cyber breach.

Scripps Health, which operates as an integrated health care delivery system, also incurred an additional $21 million of expenses for the resulting incident response and recovery. The attack substantially disrupted patient care at the organization: emergency room diversions and delayed elective surgeries reduced patient volume.

Cyber-attacks are not limited to large nonprofits – they occur at organizations of all sizes. Recently, a church in South Carolina was hacked, resulting in the theft of employee data, including passport information, financial documents, and more.

The reality for many nonprofits is that, in an era dominated by technology, assessing their technology and cybersecurity landscape presents several challenges. Nonprofits rely on their systems to manage operations and fulfill their missions, yet have limited resources to respond to the increasing threat of cyberattacks. The risks to nonprofits include the potential impact on financial resources and service capabilities, and the potential exposure of confidential information. The recent transition to more online services and digital platforms has increased these risks as well. For example, the connectivity of the growing digital world has expanded online fundraising and allowed service delivery to take place more efficiently. At the same time, the sheer volume of increased online activity has made nonprofits more susceptible to cyberattacks.

Consider your Investment in Cybersecurity

When nonprofits face tight budgets, their capacity to invest in IT security decreases. This constraint can leave them with outdated systems and insufficient cybersecurity controls. According to a report by NTEN and Microsoft, 75% of nonprofits allocate less than 5% of their overall budget to technology, compared with around 8% at banking and security firms. Furthermore, another study revealed that the average cost of a data breach in the nonprofit sector is $6.75 million.

Additionally, the scarcity of cybersecurity expertise is leaving many nonprofit organizations with weaker defenses and slower incident response. By allocating resources wisely, adhering to regulatory and compliance requirements, and fostering a security-conscious culture, nonprofits can protect their operations and stakeholder trust. Embracing cybersecurity not only shields sensitive data but also empowers these charitable organizations to focus on their core mission of making a positive impact on society.

Compliance Considerations and Types of Attacks

Nonprofits also tend to lack the legal and IT specialization required to comply with industry regulations. Safeguarding donor data and maintaining compliance with GDPR and CCPA is essential for smaller organizations that lack structured cybersecurity frameworks and proper training on data protection. GDPR is a European Union law that governs the way companies use, store, and transmit personally identifiable information. CCPA, similarly, is a privacy act for the state of California. Being CCPA compliant means protecting residents of the state through how data is collected and disclosing the business purpose for selling user data. CCPA is a self-executing law; GDPR applies across Europe, but individual member states can add their own national laws.

Phishing and social engineering attacks targeting nonprofits often exploit staff and beneficiaries. These individuals can help prevent unauthorized access and data breaches by staying informed about existing vulnerabilities. Verizon’s Data Breach Investigations Report states that 74% of data breaches involve human interaction, so continued training and testing are required to help staff stay vigilant.

Additionally, nonprofits should manage personal devices and prioritize secure remote connections to the network. Key threats include connecting without a VPN, a lack of encryption (which enables data interception), man-in-the-middle attacks, insider threats, and credential theft. Another common exposure arises when employees access the nonprofit’s systems from various locations, which may require connecting to unsecured public networks.

Top 6 Things Your Nonprofit Can Do Now

  1. Require multi-factor authentication (MFA) to access systems and use VPN for remote connections.
  2. Perform continuous monitoring on the network to analyze threats to the organization.
  3. Continuously inform and train staff involved in digital platforms and donor transactions about the cyber risk landscape.
  4. Require that all requests to change vendor or employee banking information be confirmed with a phone call or text to the requestor (using contact details already on file, not those supplied in the request).
  5. Consider the overall adequacy of your IT and cyber security expenditures.
  6. Establish policies and procedures for use of personal devices.

Conclusion

Are you worried about whether your nonprofit is adequately prepared and protected against cybersecurity threats? We are here to help and answer your questions. Don’t be unprepared for the attacks on your organization that will come sooner or later!

(This article was written by Mahin Rahman and Lindsay Timcke who are part of CLA’s IT & Cyber Services team. You can contact them at Mahin.Rahman@claconnect.com and Lindsay.Timcke@claconnect.com)
