Building a Nonprofit IT Security Plan for Data, Systems and Processes.

In Nonprofits, Security by Jesse Rink

nonprofit IT security

As if running a nonprofit organization, raising money and helping the community isn’t enough of a struggle. Every nonprofit must worry about hackers targeting their computer network. Charities are extremely vulnerable for a variety of reasons.

Volunteers rarely go through deep background screenings. Employees and volunteers use personal emails for business. A wide variety of people might have access to hundreds, if not thousands of donor and even client information databases.

Easter Seals was subject to hackers migrating direct deposit information into hacker’s accounts.
This may not seem like all that unique of a problem. What makes it so hard for a nonprofit?

Many businesses face the same challenges with employees and hackers targeting client information. The difference is that for-profit companies generally have wider margins and maintain bigger budgets for network security. A nonprofit might not have the extra resources to address this growing threat.

Look at how some big nonprofits have suffered data security breaches and have been infiltrated by hackers.

  • The Veterans of Foreign Wars had members’ names, addresses and even Social Security Numbers stolen
  • Easter Seals was subject to hackers migrating direct deposit information into hacker’s accounts
  • The hacking into the Democratic National Committee’s emails, leaking devastating blows to the press

These are just a few of the cybersecurity scandals large nonprofits have been subject to, all because of poor cybersecurity policies and network security practices. In the case of the Easter Seals hack, it was one phishing email to one employee that set off a chain of events.

This is why network and cybersecurity should be on everyone’s mind.

Business disruption.

It isn’t just large non-profits being hacked. While headlines like, “Russians hack Wisconsin Democratic Party” make everyone more conscious of their network security, they also limit the scope of the problem. Small nonprofits are actually just as at risk – maybe even more. Consider the political scandal and how it distracted everyone from the task at hand – campaigning. It becomes easy to see how any network hacking scandal can ruin a smaller organization.

For example, imagine a small nonprofit that helps train rescue dogs for autistic children in preparation for adoption. This is an admirable program that everyone can support. If a hacker grabbed the website’s controls and pointed donation links to their own pages or more disturbingly, redirected the domain to inappropriate or offensive content, demanding a ransom for the release, the site becomes useless.

People will hope they accidentally got directed to the wrong place and become confused when they keep getting redirected to it. This is damaging to the reputation of the charity, to say the least.  Potential clients or backers immediately leave the website. The nonprofit loses credibility and may lose clients and donors forever. Additionally, all resources must be diverted to damage control, fielding phone calls about the problem and using all possible resources to fixing it.

Existing parents are concerned about the problem and fearful about the program’s ability to serve their children. Forget dealing with the costs associated with dealing with the hacker, the disruption to the nonprofit’s mission is devastating, if not destroying it completely.

Risking your donor’s details.

Of course, you don’t want to upset donors by having a breach of your network security. Beyond public relations, there are laws nonprofits must comply with regarding privacy and data security.

Personal identifying information (PII) includes a person’s name, social security number, driver’s license and financial account information. Even if you aren’t collecting Social Security Numbers, you probably are collecting enough information for a hacker to target.

Beyond public relations, there are laws nonprofits must comply with regarding privacy and data security.
The law requires nonprofits to implement basic information privacy and security programs. This includes a website privacy notice, internal policy for employees and volunteers processing and sharing PII and a wireless firewall.

Further data retention requirements exist with other personal data, like medical information through the Health Insurance Portability and Accountability Act (HIPAA) or the Family Educational Rights and Privacy Act (FERPA).

Failure to do so can result in fines, civil lawsuits and possible revocation of nonprofit status. Any one of these can also be devastating to a nonprofit. Think about the future trust the Veterans of Foreign Wars will have with new members; they will be diverted extra resources to trying to build trust with their target donor and service groups.

Officers and directors liability.

As a director or officer for a nonprofit, there are liabilities transferred to you. If you don’t keep the organization operating in a manner that meets all rules and regulations, you may be held personally liable for any legal liabilities.

Larger organizations often carry an insurance policy called a directors and officers liability insurance policy. This policy covers unintentional acts by nonprofit executives or board members that potentially lead to lawsuits.

Some smaller nonprofits may not have the funds for one of these policies. Even with it, not everything falls under the scope of a covered claim.

It’s difficult for insurance companies to wrap their underwriting around the idea of cybersecurity risks. It’s a new liability in the scope of insurance history, and the potential financial risks are huge. There are new cybersecurity liability insurance policies or riders to existing liability policies available.

Policy coverage options, limits, and costs vary but might include costs to restore systems, database notification, and even business interruption coverage. It’s worth having a conversation with a local insurance agent who understands the needs of nonprofits in today’s tech world.

How/why hackers target nonprofit IT security.

Why wouldn’t a hacker want to target your nonprofit? Your website boasts cocktail parties in Milwaukee with some of the most affluent players in the city. Hackers know you have, at the very least, a database of contact information.

With something as simple as a name and email, other phishing campaigns are easily executed. The hacker might even pose as you, requesting funds for a special new project that hasn’t even made it on the website. With the confidence your database has in your mission, it wouldn’t take much to send money to the new cause. Even if this is just a few dollars, the hacker now has financial information added to the contact information.

The problem grows.

Hackers also commonly hijack websites, stealing existing or establishing new eCommerce stores sending profits and financial information directly to the hacker. Obviously, this hurts an organization’s net funds generated along with credibility issues.

Strengthen your computer network.

Creating a nonprofit IT security plan is easy. Making sure that everyone down the line, employee or volunteer, adheres to it is usually where things go wrong. This is true for nonprofits and for-profit businesses.

Designing a security plan and committing to it is the first step. This plan should include requirements for password changes, limitations for wireless use on personal devices and establishing permissions for who can access what information and how.

Regularly update firewall and antivirus programs and maintain all required patches on operating systems so there are no backdoors for hackers to walk in through.

Request volunteer applications complete with ID verification. Keep a copy for records. Hackers often pose as contractors, employees or volunteers to access files and install virus or Trojan code directly onto the system.

Avoid Free and Cheap

Cyber security experts cite one of the top things making nonprofits vulnerable is using the least expensive resources. Everything from free software programs to cheap hosting increase the risk of a nonprofit data security breach.

It’s an easy trap for any nonprofit to fall into as they need something to work and desperately want financial resources to support the mission and client base. But, these network servers are easy targets.

Cheap hosting doesn’t provide back-end strength or support to help in a hacking endeavor. Shared networks have accessible doors that hackers love. Cheap software has many of the same issues.

IT Services Technicians

Ideally, a nonprofit has enough of a budget to hire an IT services technician or firm to keep systems running optimally. If money isn’t in the budget, consider asking an IT technician to join the board or donate a limited number of hours.

You may already have candidates for this in your existing database that support your cause and would be willing to help and train directors on best practices.

Systematic Cybersecurity Plan of Protection for Nonprofits

“The best defense is a good offense,” as the saying goes. Proactive nonprofits find themselves in a better position to keep serving their clients and remain focused on the mission.

  • Start with a risk assessment. This includes looking at the hiring of employees and screening of volunteers.
  • Look at the protocol of what information is collected and how. Don’t ignore file cabinets of intake forms and client profiles.
  • Review the wireless network security parameters. Understand the weak points that hackers target including firewalls, passwords, and email usage.
  • Develop training programs educating employees on the various ways information is at risk and how they can be the best defense of the good of the entire program.

As businesses and nonprofits get smarter, so do hackers. Remain vigilant in monitoring systems even after you’ve developed a computer network security plan.

If you feel your Milwaukee/Wisconsin nonprofit is not up-to-date with all its cyber security needs, get in touch. As local cybersecurity and tech experts, Source One Technology understands the challenges you face and can prevent malicious minded folk taking you away from the charitable mission.

 

About the Author
Jesse Rink

Jesse Rink

Twitter

Jesse is the owner of Source One Technology and has been providing IT services to schools, nonprofits and SMBs in Waukesha, Milwaukee and SE Wisconsin for over 18 years.

How can Source One Technology help?
Source One Technology implements firewall and network security for schools, businesses, churches, and nonprofits across Southeastern Wisconsin. We can provide support across Milwaukee, Waukesha, Kenosha and Racine counties.

Get in touch now to see how we can help you protect your network against vulnerabilities and attack.