
Cybersecurity – A Brave New Data World

From fundraising and organizational management to tax filing, the digital revolution has helped virtually every nonprofit advance a core directive: accomplish as much as possible with the (often insufficient) resources available. 

But just as every coin has two sides, the digital era has introduced some headaches alongside its many advantages. The foremost headache concerns cybercrime. 

Managing sensitive information, whether personal data or details for payment processing, has always been a major concern for nonprofit managers who retain donor and transactional details. But saving data on internet-connected devices requires security measures that can be much more complex — and expensive — than a lock on a filing cabinet or storage room door.

Cybersecurity best practices have matured as the nonprofit community has continued to embrace digital tools and systems. Below are seven steps to effective cybersecurity compliance monitoring that every nonprofit can take to bolster digital security.

But first, let’s reflect on what might be at stake for your nonprofit if proper cybersecurity measures are not taken. 


The Cost of Noncompliance  

We’re all used to seeing headlines reporting major breaches. From the 2005 breach of DSW Shoe Warehouse, resulting in the theft of more than 1.4 million credit card details, to the announcement by American Airlines this past fall that employee accounts were compromised by a malicious actor, digital crime has become an unfortunate fact of life. And it’s important to understand that the trend of increasing digital malfeasance is projected to continue well into the future. 

Cybersecurity Ventures, a research and publishing company dedicated to analyzing the digital economy, recently predicted that the annual cost of global cybercrime will reach approximately $10.5 trillion by the year 2025. To put that number in context, that’s nearly half of the United States’ $23 trillion GDP for 2021, supporting a new criminal class. 

Furthermore, the longstanding myth that nonprofits aren’t targeted by cyber-criminals has been well and truly shattered. In fact, according to a survey conducted by the UK Department for Digital, Culture, Media and Sport, 26% of charities experienced some form of cyber breach or attack during 2020, with breaches of nonprofits increasing by 300%. One Treasure Island, PeopleInc, and OXFAM Australia are just a few of the prominent nonprofits that have fallen prey to cyber criminals since 2019. 


Creating an Effective Compliance Monitoring Program

Just like the burglars in “the real world,” cyber-criminals leave evidence at the scene of the crime, though recognizing the fingerprints of a cybercriminal requires specialized tools or training. Because the timeline of this type of crime can often be measured in days, weeks, or months, every organization should emphasize monitoring as a core component of cybersecurity strategy. Compliance monitoring offers the best chance of catching would-be thieves in the act, preventing a theft in progress, and patching vulnerabilities.

To put together an effective compliance monitoring program, ensure the following seven areas of focus receive careful consideration. 

  1. Always On: A strong cybersecurity monitoring program is consistent in its vigilance. Any measures that are so burdensome on staff or such a drain on your budget that they aren’t enforced around the clock are, by definition, insufficient. Many phases of the cybersecurity process can be automated, from vulnerability scans to patch management. Design a system that manages routine events independently, records all actions taken, and alerts a professional when necessary.
  2. Regulator Approved: Certain laws and regulations that apply to your organization and its operations will need to be accommodated by your cybersecurity program. The Health Insurance Portability and Accountability Act (HIPAA) and the European Union General Data Protection Regulation (GDPR) are two potentially onerous regulations that affect organizations managing health information and those receiving personal information of European citizens, respectively. Ensure you have undertaken a thorough accounting of the regulations affecting your organization, including any training, registration, or compliance efforts that may be necessary.
  3. Fit-For-Purpose: By conducting a risk assessment, you can identify security gaps and create and enforce protocols that will streamline your organization’s reaction in the event of a suspected data breach. Creating a plan of action informed by a risk assessment will help you preemptively assign responsibilities to team members, enabling them to manage, control, and mitigate cybersecurity risks as they arise. Risk assessments can be conducted in-house or by contracting outside help from experienced cyber professionals. Those running a risk assessment without specialized guidance may want to make use of a risk assessment template.
  4. Team Effort: Your cybersecurity program isn’t just the responsibility of your technology teams. Legal, finance, operations, and administrative professionals will all need to contribute their insights to create a successful program. Conduct a compliance review to assess the ways in which proposed aspects of your program will impact each department, and consider outsourcing this assessment if your team doesn’t already include people with cybersecurity or compliance experience.
  5. Mandatory Training: Meeting regulatory requirements might require your organization to roll out mandatory training programs. Even if not, enforcing training is a good idea. Strong training programs can reveal poor cyber hygiene practices within your organization. Starting with testing — for example, sending a simulated “phishing” email and seeing who clicks — might help you target your training program.
  6. Policies & Procedures: Creating, documenting, and regularly updating the policies and procedures that govern your nonprofit’s cybersecurity response will give your team confidence if, and when, a cyberattack occurs. Strong policies will set crucial guidelines that help ensure rules governing access to information are followed and that essential training is completed. In a world increasingly accommodating of remote work, endpoint security policies ensure that every employee or executive accessing potentially sensitive digital information or systems is authenticated. It’s also a good idea to require that endpoint security practices be regularly re-examined to account for new methods of intrusion, and that employees be trained (or re-trained) on an annual basis.
  7. Targeted Monitoring: A thorough audit should help you identify critical risk areas. Bad actors often attempt to exploit misconfigured systems, unpatched software vulnerabilities, viruses, social engineering opportunities, or stolen user credentials. Cybersecurity professionals can conduct audits that account for these and other potential risk vectors, pinpointing the unique risks within your environment that need attention.


The Company You Keep

Improving the security posture within your organization is tough enough, but remember that you might also be exposed to cyber risks through your vendors and third-party partners. Take extra care with any third parties with which you share data (note the nature of the data: is it personal information or sensitive in any way?) and understand where that data may be processed (so that any regulations enforced within that jurisdiction are respected).

Ensure that any cookies served by your website are adequately disclosed to users and that everyone your organization contacts has consented to receive messages from you. Finally, clarify how your organization’s data will be treated if and when your relationship with a third party ends.


Implementing Cyber Safeguards

Cyberattacks share many fundamental similarities. Knowing what to look out for can be a significant advantage. Keep in mind that most cyberattacks are the result of:

  1. Unsecured or improperly accessed data;
  2. Ransomware;
  3. Insider threats;
  4. Business fraud; or
  5. Disruptions to internet-connected systems.

Knowing where and how attacks happen should help you prepare to prevent and respond to them. To best protect sensitive data, first understand the nature and volume of data your organization manages and its value. Then, design methods of prioritizing and controlling access to that data. 

To prevent the impersonation of your employees, require multifactor authentication when logging into internal platforms and systems. To strengthen your organization’s resolve when facing social engineering attacks, train employees in how to recognize and respond to any seemingly innocuous requests that could ultimately prove malicious. 


Confidence in Knowledge

Digital systems and tools benefit virtually every aspect of a nonprofit organization’s operations, from administration to marketing and fundraising, to program enrollment and community outreach. The risks that follow like a shadow are relatively narrow and shrink in proportion to the light that shines on them. Pay particular attention to the seven areas of focus outlined above and move forward in the digital era confident in your ability to fend off or respond effectively to any setbacks. 

Frederick Johnson is vice president of cybersecurity and digital forensics at Marcum Technology LLC, a division of accounting and advisory firm Marcum LLP. He is based in Costa Mesa, California. His email is [email protected]