Cybersecurity Controls for Nonprofit Organizations: Mitigating Risks and Implementing Safeguards
August 8, 2017
According to the Identity Theft Resource Center, U.S. companies and government agencies incurred a record 1,093 breaches in 2016, a 40% increase from the previous year. Breaches at widely known companies like Wendy's and Target may grab the headlines, but the truth is that every organization is at risk, and nonprofits are no exception.
Why would hackers target nonprofits specifically? Think about the treasure trove of sensitive information your organization may collect from donors and volunteers; it’s likely that you have plenty of Social Security numbers, bank account information and credit card information—especially if you take online payments and/or donations. At the same time, many nonprofit leaders acknowledge they do not know enough about the risks of failing to adequately protect personal information collected from employees, volunteers, clients and donors.
According to the Ponemon Institute’s 2017 Cost of Data Breach Study, nearly half (47%) of data breaches are caused by malicious or criminal attack, while the other half is split almost evenly between human error (28%) and system glitches (25%). No matter the source of the data breach, it is essential for nonprofits to consider their specific area(s) of vulnerability.
For example, it is important to understand the consequences of issuing employees company laptops, tablets or even phones. If your nonprofit provides these devices, employees who need to access sensitive information away from the office should do so only over a trusted network or a VPN; public WiFi should not be assumed to be secure. Storing sensitive information on a smartphone or laptop is perilous if the device falls into the wrong hands, so any device that may hold such data should be encrypted and capable of being remotely wiped, and local copies of the data should be kept to a minimum.
A cyberattack can cost your nonprofit more than reputational damage. While technology has made it easy for nonprofits to accept donor contributions, the tradeoff is that the nonprofit is responsible for securely storing and managing all the data it receives. With the ever-present threat of credit card fraud, even a single incident can prove costly when your nonprofit has to refund fraudulent donations and pay the chargeback fees associated with them. What can you do to better protect your organization?
Assessing Vulnerabilities. Implementing Controls.
Nonprofit organizations must strategically approach adoption of appropriate controls to ensure that sensitive, personal information is safeguarded upon collection. Policies, procedures and best practices must include detailed data handling rules, including who is allowed to view and handle the data.
Directors and officers of nonprofits have fiduciary duties that include staying informed about decisions affecting the privacy of the information the organization collects. Given the escalating cyber threat, it will become even more critical to put systems and controls in place to manage the risk of a cyberattack, and to have a plan ready to execute should one occur.
Smith & Howard’s nonprofit accounting professionals recommend that you consider the following steps to better protect your organization and the data it collects.
Smith & Howard works with organizations to develop an Incident Response Plan that proactively lays out the steps to be taken in the event of a data breach. For more information, contact a member of our SOC team at 404-874-6244 or fill out the form on this page.