Cybersecurity for Nonprofits has become a major concern for not-for-profit leaders. Many Nonprofits collect and store sensitive digital personal information that is protected by law as confidential.
A breach of that data puts the individuals whose information was disclosed at risk, and exposes the Nonprofit to potential liability. It makes sense for every Nonprofit to take steps to understand the risks and protect its data from unauthorized disclosure.
Understanding the Risks
Below are three key steps for evaluating a Nonprofit organization's exposure to cyberattacks.
First Step | Risk Assessment
The Nonprofit Technology Network (NTEN) suggests that the first step in assessing a Nonprofit’s data risks is to take inventory of all the data the Nonprofit collects and identify where it is stored.
The risk assessment should take inventory of the following:
Think about the cost/benefit of keeping all of that data. It may turn out that data the Nonprofit currently asks for and retains is not really needed. If so, collecting less, consolidating where it is stored, and diligently destroying data in accordance with the Nonprofit's document retention policy can be an easy first step toward reducing risk: data that is never collected, or that has already been destroyed, cannot be breached.
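The inventory described above is usually a spreadsheet exercise, but the "where is it stored" part can be partly automated. The following Python script is an added example, not part of the original article or NTEN's guidance: it scans a set of documents for three common categories of personally identifiable information (Social Security numbers, e-mail addresses, and payment card numbers validated with the Luhn checksum so that invoice or membership numbers are not miscounted), records where each was found, and flags files that have outlived the retention period. The file paths, contents, dates and retention period are constructed for the example; the patterns are a starting point rather than a complete PII taxonomy.

```python
"""Toy data-inventory scanner (added example, constructed data).

Reports which documents contain common categories of personally identifiable
information (PII), where they live, and whether they are older than the
organisation's retention period.  The regexes are a starting point, not a
complete PII taxonomy; real scans should be reviewed by a person.
"""
import re
from datetime import date

# Detection patterns.  Card numbers are additionally validated with the Luhn
# checksum so that invoice or membership numbers are not reported as cards.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_valid(number: str) -> bool:
    """Return True if the digit string (separators allowed) passes Luhn."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Count PII occurrences per category in a block of text."""
    counts = {}
    for name, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if name == "card":
            hits = [h for h in hits if luhn_valid(h)]
        if hits:
            counts[name] = len(hits)
    return counts


def inventory(files: dict, retention_days: int, today: date) -> list:
    """Build the data inventory.

    `files` maps a path to (contents, last_modified).  Each result records
    where PII was found, which categories, and whether the file has outlived
    the retention policy and is a candidate for destruction.
    """
    report = []
    for path, (contents, modified) in sorted(files.items()):
        categories = find_pii(contents)
        if not categories:
            continue
        age = (today - modified).days
        report.append({
            "path": path,
            "pii": categories,
            "age_days": age,
            "past_retention": age > retention_days,
        })
    return report


# Constructed sample data: not real people, not real files.
SAMPLE_FILES = {
    "shared/donors_2019.csv": (
        "Jane Doe,jane@example.org,4111 1111 1111 1111\n"
        "John Roe,john@example.org,4111 1111 1111 1111\n",
        date(2019, 3, 1),
    ),
    "hr/volunteer_forms.txt": (
        "SSN: 123-45-6789\nInvoice 1234 5678 9012 3456\n",
        date(2024, 1, 15),
    ),
    "web/newsletter_draft.md": ("Spring appeal copy, no personal data.", date(2024, 2, 1)),
}


def demo_report() -> list:
    """Run the inventory with a hypothetical three-year retention period."""
    return inventory(SAMPLE_FILES, retention_days=3 * 365, today=date(2024, 6, 1))


if __name__ == "__main__":
    for row in demo_report():
        flag = "DESTROY?" if row["past_retention"] else "keep"
        print(f"{row['path']:<28} {row['pii']}  age={row['age_days']}d  {flag}")
```

On the sample data the newsletter draft is not reported at all, the volunteer forms are reported for one SSN but not for the invoice number (it fails the Luhn check), and the 2019 donor export is flagged as past the three-year retention period. In practice the same logic would be pointed at the file shares, mailboxes and exports identified in the inventory, and the output reviewed against the retention policy before anything is deleted.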
Second Step | Is the Data the Nonprofit Maintains “Protected” or “Confidential”?
Know whether the data the Nonprofit collects and maintains is covered by federal or state regulations as “personally identifiable information.” If so, forty-seven states’ laws require Nonprofits to inform persons whose “personally identifiable information” is disclosed in a security breach, and 31 states have laws that require disposal of such data in certain ways.
Additionally, the Federal Trade Commission's Disposal Rule requires proper disposal of information in consumer reports and records to protect against "unauthorized access to or use of the information." Protecting personally identifiable information is largely a matter of training staff on how to collect, store, dispose of, and generally protect this data.
Even if the data collected does not rise to the level of "personally identifiable information," a breach of that data can harm the organization's reputation and its ability to bring in donations. All data reflecting personal preferences is important to keep secure.
Third Step | Drill Down on the Actual Risks
Consider using the US National Institute of Standards and Technology (NIST) Cybersecurity Framework to help the Nonprofit identify risks and make management decisions to mitigate them. The framework organizes that work into core functions (Identify, Protect, Detect, Respond, Recover) and is not intended as a one-size-fits-all approach; it lets organizations manage cybersecurity risk in a cost-effective way, based on their own environment and needs.
Preparing the Nonprofit for Cyber Attack
Once risks have been assessed, there are four ways to prepare the Nonprofit to handle possible cyberattacks.
Document Policies and Response Plans
Research conducted by NTEN and others shows that Nonprofits often lack written cybersecurity policies and incident response documentation. Robust policies can lessen the likelihood of an incident in the first place, and response documentation gives teams a clear path forward to minimize damage when a cyberattack does occur.
Train Users
Nearly 60% of Nonprofit organizations do not provide any regular cybersecurity training to users. Training users on best practices is an impactful way of reducing risk; uninformed user actions lead to far too many successful attacks.
Make Systems Redundant
Systems should be redundant, meaning that there should be multiple instances of mission-critical data and systems so that if one instance is compromised, recovery is possible. Basically, Nonprofits should diligently back things up. At least one copy should be kept offline or otherwise isolated from the production network, since a backup that the compromised system can reach (for example, a mapped drive) can be encrypted or deleted by the same attack, and restores should be tested periodically so the organization knows the backups are actually usable. Done this way, backups greatly reduce the damage that a cyberattack can cause.
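A backup is only useful if the restored copy can be shown to match what was backed up. The following Python script is an added example, not part of the original article: it records a SHA-256 digest of every file in a backup set in a manifest, signs the manifest with an HMAC key that is meant to be kept apart from the backup media, and later checks a restored copy against it, reporting files that are intact, modified, missing, or unexpected. The file names, contents and key are constructed for the example; a simulated ransomware-style restore (one file encrypted, one deleted, one ransom note added) and a forged manifest show the two failure modes the check is there to catch.

```python
"""Backup integrity check (added example, constructed data).

Creates a manifest of SHA-256 digests for a backup set, authenticates the
manifest with an HMAC key kept apart from the backup media, and verifies a
restored copy against it.  Without the MAC, an attacker who can alter the
backup can also rewrite the manifest to match.
"""
import hashlib
import hmac
import json


def digest(data: bytes) -> str:
    """SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: dict, key: bytes) -> dict:
    """Return {"files": {path: sha256}, "mac": hex} for a backup set."""
    entries = {path: digest(data) for path, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def manifest_authentic(manifest: dict, key: bytes) -> bool:
    """True if the manifest's MAC verifies under `key` (constant-time compare)."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify_restore(restored: dict, manifest: dict, key: bytes) -> dict:
    """Compare a restored copy with the authenticated manifest.

    Returns which files are intact, modified, or missing, plus files present
    in the restore that the manifest never listed.  Refuses to trust a
    manifest whose MAC does not verify.
    """
    if not manifest_authentic(manifest, key):
        raise ValueError("manifest MAC invalid: manifest tampered or wrong key")
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for path, expected in manifest["files"].items():
        if path not in restored:
            result["missing"].append(path)
        elif digest(restored[path]) != expected:
            result["modified"].append(path)
        else:
            result["ok"].append(path)
    result["unexpected"] = sorted(set(restored) - set(manifest["files"]))
    return result


# Constructed sample backup set and key.  A real key would be generated
# randomly and stored away from the backups, never in source code.
BACKUP_KEY = b"example-key-kept-offline"
ORIGINAL = {
    "donors.db": b"donor records v1",
    "grants/2024.xlsx": b"grant ledger",
    "policies/retention.pdf": b"retention policy",
}


def demo() -> dict:
    """Verify a restore in which ransomware has done its work."""
    manifest = make_manifest(ORIGINAL, BACKUP_KEY)
    restored = dict(ORIGINAL)
    restored["donors.db"] = b"\x8f\x13 ciphertext"       # encrypted in place
    del restored["grants/2024.xlsx"]                     # deleted
    restored["README_DECRYPT.txt"] = b"pay us"           # ransom note dropped in
    return verify_restore(restored, manifest, BACKUP_KEY)


def forged_manifest_rejected() -> bool:
    """An attacker who rewrites files and recomputes digests but lacks the key."""
    tampered = dict(ORIGINAL)
    tampered["donors.db"] = b"rewritten by attacker"
    forged = make_manifest(tampered, b"attacker-does-not-know-the-key")
    try:
        verify_restore(tampered, forged, BACKUP_KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:<10} {paths}")
    print("forged manifest rejected:", forged_manifest_rejected())
```

The manifest and its key live with the offline copy, not on the server being backed up; otherwise the same intrusion that alters the files can alter the evidence. Running the check after every restore test, not only after an incident, is what turns "we have backups" into "we know we can recover".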
In addition to backing things up, Nonprofits should take steps to harden their systems. Which measures matter most will depend on what the risk assessment found. Generally, solutions involve:
Cybersecurity for Nonprofits is not an impossible task. By carefully assessing the risks and taking common-sense preventive steps, Nonprofits can greatly reduce the chance that cyberattacks will endanger their operations.