Just like all other organizations today, nonprofits and associations rely increasingly on digital technology to accomplish their mission and provide services and benefits to their members.
But unlike many other organizations, nonprofits and associations often fail to realize that there are many serious risks associated with operating online—risks that could severely compromise their ability to provide services and even force them to shut their doors.
The gap between the cybersecurity risks that nonprofits and associations face today and the actions required to address them invites opportunistic cybercriminals with no conscience.
Nonprofits and Associations Don’t Fly Under the Radar
Many nonprofits and associations still believe that cybersecurity is a concern only for for-profit organizations with deep pockets, but that’s simply not the case anymore. Many high-profile cybersecurity incidents in the last few years alone support this claim:
- 2014 – The Texas chapter of The Girl Scouts announced on its Facebook page that its website had been hacked and defaced.
- 2015 – More than 10,000 people who donated to Utah Food Bank lost their personal information after the organization’s website was hacked.
- 2016 – The Urban Institute’s National Center for Charitable Statistics became the victim of a cyber-attack that compromised 600–700 organizations.
- 2017 – A hacker successfully launched a phishing attack on the Save the Children fund, scamming it of nearly $1 million by posing as a staff member.
In general, cybercriminals target nonprofits and associations because they want to steal money from them, obtain sensitive information about their members and donors, or get their hands on their mailing lists to bombard those who are on them with phishing attempts and other unwanted email messages.
In some cases, cybercriminals target a nonprofit or association because they oppose its advocacy or mission and want to make it as difficult as possible for it to operate.
Regardless of their motives, cybercriminals can easily research their targets online because nonprofits and associations publish their tax filings, staff names, email addresses, and other potentially exploitable information online.
Lack of Investment in Cybersecurity
Because so many nonprofits and associations wrongly believe that they fly under the radar of cybercriminals, they don’t invest nearly as much money in their cybersecurity defenses and policies as they should.
A survey of 470 nonprofit executives conducted in 2016 by the US-based accounting firm CohnReznick revealed that only 29 percent were planning to increase their spending on cybersecurity measures, which is an abysmally low number considering that the cost of a data breach has risen 12 percent over the past 5 years.
As if that wasn’t bad enough, NTEN’s State of Nonprofit Cybersecurity report states that only 20.5 percent of nonprofits have documented policies and procedures in case of a cyberattack. The remaining nonprofits either don’t have any policies and procedures at all or are not sure if they have them.
It’s understandable why cash-strapped nonprofits might be reluctant to increase their cybersecurity budgets, but ignoring cybersecurity threats can only cause financial burdens down the road since it’s always more expensive to recover from a cyberattack than it is to prevent it from happening in the first place.
It’s Time for Nonprofits and Associations to Change Their Mindset
Even with limited budgets, nonprofits and associations can take certain steps right now to make life just a bit harder for cybercriminals:
- Keep software updated: Outdated software allows cybercriminals to exploit known vulnerabilities and slip past cybersecurity defenses. Frequent software updates can paradoxically minimize the downtime associated with them since things are less likely to break with smaller, incremental updates.
- Create strong passwords: Employees must be trained to use unique passwords and avoid password reuse. A password manager app can help achieve this goal, and it also enables secure password sharing between employees.
- Restrict privileges: There’s absolutely no reason to give regular employees—let alone temporary volunteers—administrative privileges and allow them to make changes to critical systems.
- Train employees: Employees should be taught to recognize phishing emails and avoid malicious websites. It’s best to demonstrate the tactics and techniques used by cybercriminals with real-world examples and mock attacks.
- Outsource cybersecurity: Nonprofits and associations with a small or non-existent IT department should consider outsourcing their cybersecurity to experts instead of burdening their team with even more responsibilities.
Nonprofits and associations provide some of the most vital services despite operating on limited budgets. Because they often believe that cybercriminals don’t see them as lucrative targets, they don’t invest nearly as much money in cybersecurity as they should to defend themselves against dangerous cyber threats. Unfortunately, this mindset doesn’t correspond with reality, and all nonprofits and associations should change it as soon as possible to avoid a potentially disastrous cyberattack.