How Data Breaches at Nonprofit Organizations Impact the Communities They Serve, and the Steps Leaders Can Take to Mitigate Cyber Risks

May 1, 2018

Guest Blog by Ronnie Kurlander, Senior IT Advisor, Hartman Executive Advisors

Nonprofit organizations are particularly vulnerable to breaches, mainly due to inconsistent security policies and the large amounts of sensitive data they collect and use in their daily operations. Often considered “soft targets,” nonprofits and other small businesses are increasingly targeted by cybercriminals, which makes the situation even worse for these organizations. Hyper-focused on their missions, nonprofits often direct their limited funds toward serving their constituents. Unfortunately, this sometimes means that cybersecurity takes a back seat, and employees and volunteers are left in the dark about cyber best practices. This lack of knowledge opens the door to a range of attacks that could include rerouted donations, extortion by holding data hostage, stolen personal information or hacked websites.

These days, you don’t need to be a cybersecurity expert to understand the business consequences of a data breach, including decreased revenue, damaged reputations and even closure. Yet, when it comes to nonprofit organizations, a slowdown or shutdown of operations due to a breach affects not only the organization, but also the population that relies on its services. The aftereffects of a breach could mean the need to reduce or suspend essential services, including shelter, meal delivery, healthcare and disaster relief. As a result, the organization may face additional consequences as donors, members and other funders lose confidence in the organization.

Nonprofit leaders can take basic steps to protect their network and their data, allowing them to continue to provide vital services to communities in need.

Step 1: Assess your current cybersecurity posture

The first step to improve cybersecurity is to understand the organization’s current risks and vulnerabilities through a comprehensive security assessment completed either internally or by a third-party advisor. An assessment will reveal the type of data the nonprofit collects, as well as how it’s stored, used, backed up and retained. It will also help identify missing or weak protocols regarding passwords, software updates, and firewalls. For organizations that collect and maintain personally identifiable information (PII), or data covered by requirements such as HIPAA or NIST, an assessment will determine adherence to those regulations, and what the financial risks are to the organization based on their current environment.

Step 2: Manage your level of risk

An assessment provides information about an organization’s vulnerabilities, but unless action is taken, the risks will continue at the same level. At this stage, it’s crucial for nonprofits to work to analyze the results, comprehend the threats, and prioritize them so they can be managed effectively through various risk management strategies.

It’s not always possible to fully eliminate a risk. However, there are usually several options for mitigation. In many situations, nonprofits can: 

  • Change or stop the activity causing the risk
  • Implement measures to continue the activity but decrease the risk associated with it
  • Outsource the risk activity and transfer the risk to a third party, such as a cyber insurance provider
  • Develop a longer-term plan to reduce these risks over time, based on a relative risk-to-cost analysis

Step 3: Prepare for the worst

Regardless of the source, nonprofit leaders need to be prepared to respond to both internal and external stakeholders following a breach. A documented, flexible, incident response plan is critical to this preparation, and may even be required depending on the governing regulations the organization is subject to, including Payment Card Industry Data Security Standard (“PCI DSS”) to which most nonprofits are subject. Equally important is a competent and practiced incident response team who can put the plan into action. The best plans clearly outline responsibilities and guide organizations through specific steps to follow in the event of a breach or other cyber incident. As reputation and public scrutiny are critical to most nonprofits, the ability to quickly respond to a negative situation in a competent manner is crucial, increasing the likelihood that services for those in need can continue without interruption.

Step 4: Prioritize training and education

While attackers continue to find innovative ways inside organizations, the majority of breaches are the result of negligent employees or contractors. Too often, these individuals, and also volunteers, are unaware that certain actions – opening attachments, using weak passwords – could expose sensitive information and have an irreversible and detrimental effect on the organization. Comprehensive, ongoing education and training are crucial to risk mitigation, and direction should always come from the top. Read more about how to establish a culture of cybersecurity.

Nonprofits need to be vigilant about cybersecurity to protect not only their assets and reputation, but the individuals who rely on their operations. Leaders who recognize the reality of a potential breach can take steps to mitigate risks and stay ahead of threats through proactive cyber risk management.

If you’re a nonprofit executive who is ready to get serious about cybersecurity, contact Hartman today to start a conversation about your unique situation.