Throughout my career, I have seen first-hand the real world impacts that a breach in cyber security can have on customers, businesses and communities. With cyberattacks growing in number and sophistication, today security is a requirement of "doing business", however, many companies and organizations lack the knowledge and resources to secure their platforms, products and solutions. For example, Symantec's 2017 Internet Security Threat Report (ISTR) reported the number of identities exposed in 2016 was 1.1 billion and 76% of websites scanned contained malware. Additionally, 1 in 95 emails to small and medium sized businesses contained malware (significantly higher than the average) showing organizations of all sizes are targets.
Resource strapped nonprofits are often left vulnerable to cybercriminals with little to no resources allocated to cyber security. However, the very nature of their mission can require that they collect and store large amounts of vital and confidential data whether it be medical, academic, personal or professional.
As nonprofits increasingly rely on technology to drive impact, how can they be proactive and equip themselves to best deliver on their mission while protecting their communities? The following are key steps that every nonprofit can take today, with minimal resources, to leverage technology and serve their missions safely:
1. Make it a priority
With cyberattacks totaling up to hundreds of millions in damages, and jeopardizing an organization’s most prized asset – trust and reputation – cyber security is no longer an area you can afford as a weakness. Even more so, it is non-negotiable.
Cyber security should be a key component of resource allocation and strategy; a focus of the CEO with a recurring place on the board agenda. Identify who will lead and who is responsible for timely updates that highlight wins, escalations and progress. Organizations such as Board Match that connect passionate talent with open nonprofit board positions are a great resource. Consider seeking a board member that is passionate about your mission, but can also provide security expertise.
2. Make sure you are getting the basics right
While the media headlines may lead you to believe breaches are always the act of advanced cyber criminals, the most common cause of exploitation are every day weaknesses such as exposing a password, falling prey to a phishing scam, or failing to update software.
While you may cringe when the dreaded software update pops up as you are on deadline, ensuring you have addressed the bare minimum on all devices goes a huge distance in keeping your organization safe. In the end, it saves time and money – we all know what a non-functioning product, service, laptop or phone for even a day can do to our productivity and ability to operate.
So, what are the bare essentials and how can you equip yourselves? There are many resources guiding companies and nonprofits for free or minimal cost. For example, the United Kingdom’s Cyber Essentials is a government-backed, industry-supported scheme to help organizations identify and address cyber risk due to common weaknesses. Through nonprofit TechSoup’s software donation program, nonprofits can receive, free of charge, cyber security products and consultation from top providers, both at the enterprise and personal level. To date, TechSoup has donated 19 million technology products to 371K organizations in over 236 countries worldwide.
Have you tapped into the pro bono expertise and advice many leading security companies offer?
3. Make sure your data is secure
Collection of data on individuals just happens, however, there are tangible, real actions that you can implement to ensure your data is secure. My favorite resource is the five KNOWS of data security: know the value, know who has access to your data, know where your data is located, know who is protecting your data and know how well it is protected.
For example, try to limit the collection and storage of personal and financial information, and keep copies to a minimum. Know the steps involved to encrypt a document and spreadsheet, and keep a printout on your desk. Organizations such as The National Cybersecurity Alliance and The Nonprofit Technology Network provide guidance and resources.
4. Make sure you are prepared for the inevitable, a breach
What if tomorrow the FBI contacted you with the news that you have been hacked? How would your organization communicate internally and externally? How would you investigate the cause? How would you respond to media?
Identifying the basic steps you would take in the event of a breach can ensure you are not an organization that fails in its response. Running a tabletop exercise where you simulate and troubleshoot a breach in a classroom setting can be very effective. Government and academia offer a multitude of free resources and guidance on how to tabletop a cyberattack. For example, the State of Washington and State of Michigan both offer examples. This should not be a one-time activity, but an ongoing exercise as your evolving and expanding organization may become prone to new vulnerabilities.
Additionally, allocate roles and responsibilities. Who will analyze and investigate the breach, who will be your spokesperson and contact for inquiries? In an organization with little to no cyber security expertise this “team” may sit within a variety of functions such as legal/compliance, government affairs, public relations or with the CEO/Founder. While this may not be a team of experts, the key is that they are prepared.
5. Make sure you are not turning a blind eye
According to ISTR, the average cost per lost or stolen record in 2017 was $1.58, a 15% per capita increase in four years. Turning a blind eye to cybersecurity is no longer a viable answer, but don't feel that you are alone. Create connections within the cyber community, for example join a local meetup, where you will have the opportunity to meet others to understand best practice approaches. Identify and assess your cyber risks, and make a commitment to address them.
The world of hackers, cyberattacks and vulnerabilities is new territory for many, however, securing your organization is much closer than most would think. Educating and equipping your organization is a must to ensure your resources are optimized for what matters the most – making a positive impact on the lives of many across the world.