When we first heard about data hackers, they were going after a lot of records at some of the largest companies. But recently, hackers have been going after smaller companies, municipalities, and nonprofits. In the first six months of 2019, it was estimated that 4.1 billion records were compromised. Hackers have been known to hold data hostage, demanding large payments for its retrieval. Even when payments are made, there is no guarantee that data will be returned. There is no honor among thieves.
With smaller companies and nonprofits, the bad guys don’t get as many records, but they also know that smaller organizations do not have the same level of data protection that a large company might. In 2018, one of the largest nonprofits in New York state ground to a halt when their data was scrambled.
Billions of dollars are lost every year as a result of these attacks.
Most recently, many nonprofits were notified of a data breach involving a popular system that stores data. Blackbaud announced that they were hacked in July 2020. But the attack actually happened in February and wasn’t discovered until May.
How safe is the data that your organization keeps? Are your donor records safe? Who has access to them? What about your employee and financial records?
More importantly, have you done a comprehensive assessment of your network security?
Prevention is the best defense against cyber attacks. If your organization is attacked, fixing the problem will cost you more time and money than you would probably need to spend on some simple and important proactive steps.
NTEN’s “State of Nonprofit Cybersecurity Report” in 2018 indicated that 68% of respondents don’t have any policies and procedures for when they get attacked. 59% don’t provide regular cybersecurity training to staff, and only 17% of respondents have a tool in place to secure passwords.
Where should you start?
1) Assess your risks.
A tight budget is not an excuse to ignore the potential threat. There are many reputable consultants who will do an assessment of your vulnerability and make recommendations on how to protect your data. Not all of the fixes are expensive.
2) Take steps to protect your data.
At a minimum, consider training your staff so that everyone knows how they can help prevent unauthorized access to your data. Does your organization have steps in place to isolate data from recently departed employees?
3) Be proactive with security controls.
Your data needs to be backed up regularly. Software and hardware need to be updated when software fixes are available. Activate multi-factor authentication so that a user must take steps besides entering a password to access your network.
As part of the training for your employees, make sure they understand the following things they can do:
1) Don’t open email attachments and web links that you are not expecting.
An IT person I know spent many hours clearing viruses from a computer because the user opened an attachment titled, “I Love You.”
2) Don’t conduct the business of your nonprofit on personal computers. They are probably not as secure. Have separate computers, mobile devices, and accounts for personal and business use.
3) Don’t connect personal storage devices or hardware to a work computer.
4) Be careful when downloading new software. Never download from a web page you don’t know and trust.
5) Never give out user names or passwords. Your bank won’t call you seeking this information. No credible organization will.
6) Use a pop-up blocker and never respond to any that appear on your screen.
7) Use strong passwords containing a random sequence of letters (upper and lower case), numbers, and special characters. Password management systems can be of help.
Implementing these steps and seeking professional guidance will help you avoid a disaster that could cause significant hardship to your organization and reputation.