If you follow the news, cyberattacks are covered on an almost daily basis. Whether the victim is a mega chain store like Target, an international banking corporation like Chase, or a small-time local main street business, cyber-attacks are now commonplace. All organizations, including non-profits, must now consider cyber risk as part of their governance. Why would non-profits be a viable target? Follow the money. There is no question that non-profits attract financial transactions, and for good reason. These organizations funnel help and support so that it can be focused into combined efforts toward a beneficial public cause. However, all of that transaction information can be a gold mine for a hacker as well. Donor files, employee files, and credit card information are all valuable to a hacker. The damage of a cyber-attack can be two-fold. Financially, the costs of responding and recovering the lost data, combined with the loss of potential donor funds, represent significant risks to achieving the organization's objectives. In addition, now that the organization's security and that of its donors has been compromised, so too is its reputation.
So how should a non-profit respond to the growing digital threat? A proper cybersecurity program involves a multi-layered approach, creating multiple fences and barriers that encapsulate the organization's key files but still allow connections and daily business to occur.
It’s not the technology that is the biggest risk for cyber-attacks…
People represent the weakest link in a network’s digital defense because it only takes one person to allow an intrusion. A cyber-attack can easily hit a network from all fronts, even shutting it down, but that doesn’t mean the attack gains access. No surprise, most hackers use social engineering, tricking people to get access for an attack. It’s cheap, easy and surprisingly reliable, regardless of organization size. That’s because many entities don’t take the time to train their people on what to watch out for. People can hand over access when tricked by phishing emails, or they can be convinced to let people physically or digitally into a network under the guise of seemingly appropriate roles (think janitors, official-looking regulators, temporary workers, IT support, etc.). Then, all a hacker needs to do is plant a program to do the damage or steal the local data.
Non-profit management has to realize the question is not if an organization will be hit, but when.
Proactive defense work and training are keys to not being a soft, easy target. A non-profit cannot prevent an attack entirely, but it can make itself an extremely troublesome choice. Most hackers will then look for something easier and less challenging, and there are plenty of alternatives to pick from. But a non-profit that ignores this threat will lose more than immediate data and donations. It can lose its existence as a damaged reputation destroys the organization’s future. Cybersecurity needs are real, and non-profits need to move quickly to avoid becoming another damage statistic.