June 7, 2017; Milwaukee Business News
When performing a risk assessment, many organizations focus on issues such as loss of funding and reputational damage. Yet data breaches, which can cause just as much harm to the nonprofit, largely get overlooked. Nonprofits collect sensitive data, which can include donor information, health information, Social Security numbers, confidential emails, employee and volunteer records, and billing information. Very few organizations can be confident that they do not store any of this information, so it needs to be protected.
The first wave of hacking seemed to only target large companies that stored masses of sensitive data. Stories about credit card numbers and contact information being stolen from retail stores made major news headlines. These days, unfortunately, it looks as if cybercriminals have discovered the gold mine that is nonprofit data. Back in February, NPQ featured a story about an email scam targeting nonprofit organizations for their employee W-2 information. In Muncie, Indiana, a small nonprofit organization called the Little Red Door had all their data stolen from their server and held for ransom for a whopping $43,000. If the nonprofit paid, the hackers claimed, they would return the data and not publish it. Leadership considered their options and, since they did not have any data that they thought was sensitive, did not pay the ransom. Although no information that the hackers could use was stored, the hackers did take to Twitter, posting letters that the organization wrote, and the organization was traumatized by the event. A similar scenario occurred at a Los Angeles nonprofit hospital, but, considering the highly sensitive information they stored on their server, the hospital opted to pay the hackers to the tune of $14,000 and regain access to their data.
It’s not only ransom money that organizations can lose. Cyber-crimes cause customers—or, in the case of nonprofits, donors—to lose faith in organizations. Hacking exposes vulnerabilities in nonprofits’ systems and can make some donors feel as if the organization did not value them enough to enforce proper safeguards that protect their information.
Data indicate that in the last two years, there has been a 270 percent increase in cyber-crime victims, and there are signs that hackers are targeting smaller businesses because they are less likely to have sophisticated security measures. Given this growing number of incidents, nonprofits need to invest in cybersecurity. Fortunately, this need not be an unrealistic cost burden, as there are organizations such as Cybrary that teach the public about cybersecurity.
Importantly, nonprofits must recognize that they are more vulnerable to cyber-crime than they think. Whether or not a nonprofit collects sensitive data that can be used by criminals, such as Social Security numbers or credit card information, the nonprofit runs the risk that its oversight will cause a breach of trust with the organization’s supporters. It is much more difficult to regain the public’s trust than it is to regain funds.
—Sheela Nimishakavi