As a not-for-profit or charitable organization, the threat of a cyber breach may not be top of mind. After all, why would any hacker attack a charitable organization or a non-profit (NFP)?
The truth is an NFP often invests less in IT technology, employee training and with it information security. Add that to the fact that one in five Canadian business reported a cyber breach in 2017, the need for charities and NFP organizations to take cybersecurity seriously is now.
In February 2016, the Urban Institute’s National Center for Charitable Statistics was the victim of a malicious attack that compromised 600–700 organizations. Later that year, a survey of 470 nonprofit executives conducted by U.S. accounting firm CohnReznik, revealed that while 57% of respondents counted cybersecurity among their top 10 concerns, only 29% said that their organizations were planning to increase spending for cybersecurity, and a mere 11% reported that their organization had either a risk committee or an IT committee.
Consider the following case scenarios that could negatively impact an NFP:
- A loss of a laptop, holding donor or recipient Personally Identifiable Information (PII), resulting in a reportable privacy breach.
- Access to confidential health or financial information by a volunteer
- A computer virus outbreak on systems, resulting in a ransomware attack, leaving systems and data unusable while backups are found and restored.
- A breach on the agency’s website leaves credit card data stolen and used in Identity theft and tracked back to the organization
Anyone of these could leave the organization with large costs for cleanup and repair, loss of employee and donor confidence, and a loss of donations or funding due to concerns of effective management.
Helping your NFP or Charitable organization tackle cybersecurity will help to reduce the risk of an attack and help reduce the impact of an attack should it occur.
The following minimum steps are recommended actions
1. Evaluate the cybersecurity threats and risks and then decide what should be done to improve cybersecurity in your organization. Consider a risk assessment be performed to understand where your “crown jewels” are and with it the risks
2. Develop written cybersecurity policies and standards. Ensure all staff and volunteers understand and adhere to them
3. Ensure security precautions are taken including:
- Use strong passwords. Avoid using the same password repeatedly
- Encrypt all devices that contain private, personally identifiable information (PII), including desktops, laptops and portable devices such as USB sticks
- Update system patches and malware protection software as soon as they are available
- Use secure and reputable payment processing sites
- Implement security technologies to monitor and protect your website and systems
5. Consider cyber liability insurance for your NFP or charitable organization. Insurance can often help with unexpected costs related to a cyber breach or attack.
6. Hire an expert to assist with training, and expertise needed to supplement existing personnel and capabilities. Consider security at a strategic level versus simply a technology issue.
While often overlooked, cybersecurity is just as important if not more for Not-for-Profit and charitable organizations. Cyber attacks are indiscriminate, and as such, all organization large or small need to be prepared for a cyber attack on their systems and employees. Being prepared is the best way to mitigate the likelihood and impact of such an attack.
RiskAware is a boutique Cybersecurity firm providing advisory and virtual CISO (vCISO) services.
The vCISO Service includes (but is not limited to):
- Develop or establish, maintain, and oversee agency-wide Cybersecurity program.
- Develop, maintain and oversee processes, policies, and control techniques to address all applicable Information security requirements.
- Oversee the establishment and maintenance of continuous monitoring of digital assets in the organizations inventory.
- Develop a comprehensive incident response plan including all stakeholders and interconnected systems.
- Interface with private and public organizations on behalf of the client, to develop key relationships necessary for an efficient/effective cybersecurity framework and serve as the key point of contact during an incident.
- Assisting executive level stakeholders with cybersecurity matters, press releases, and strategy.
- Evaluate, hire, and train personnel with significant information security duties
within the organization.
- Quantify risks and provide strategic decision support for IT budget allocations.
- Spearheads regular threat assessments to maintain situational awareness and conducting regular debriefs on the effectiveness of the entities information security program.
- Updating Cyber Maturity Assessment annually or when required
- Facilitating monthly cyber security calls discussing threats and questions from executives
- Evaluating third-party service provider security capabilities (supply chain due diligence)
The virtual Chief Information Security Officer (vCISO) provides organizations with:
- A trusted security expert who is available to provide cybersecurity expertise and guidance.
- A knowledgeable voice in board meetings for security advice, counselling and direction.
- An expert that can translate complex technical security details into actionable business tasks
- A partner that provides hands-on consulting for security policy, process, and procedural development.
- A specialist that provides skilled, organized and a professional review of risk assessments and security audits.
- A teacher who provides security mentorship and training to all levels of organizations
- An honest, independent voice on third-party risk management.
- A knowledgeable technologist that can help the business select security technologies to automate and helps the business manage security risks more efficiently and effectively.
- A senior executive level resource that is lower than the typical cost of an in-house CISO.