Cybersecurity Controls for Nonprofit Organizations: Mitigating Risks and Implementing Safeguards

by: Smith and Howard

August 8, 2017


According to the Identity Theft Resource Center, U.S. companies and government agencies incurred a record 1,093 breaches in 2016, a 40% increase from the previous year. Breaches at widely known companies like Wendy’s and Target may grab the headlines, but the truth is that all enterprises are at risk, and nonprofit organizations are not exempt from cybersecurity risks.

Why would hackers target nonprofits specifically? Think about the treasure trove of sensitive information your organization may collect from donors and volunteers; it’s likely that you have plenty of Social Security numbers, bank account information and credit card information—especially if you take online payments and/or donations. At the same time, many nonprofit leaders acknowledge they do not know enough about the risks of failing to adequately protect personal information collected from employees, volunteers, clients and donors.

According to the Ponemon Institute’s 2017 Cost of Data Breach Study, nearly half (47%) of data breaches are caused by malicious or criminal attack, while the other half is split almost evenly between human error (28%) and system glitches (25%). No matter the source of the data breach, it is essential for nonprofits to consider their specific area(s) of vulnerability.

For example, it is important to understand the potential consequences of providing employees with company laptops, tablets or even phones. If your nonprofit provides employees with these devices, it is important that, should they need to access sensitive information away from the office, they do so over a secure WiFi connection. Permitting sensitive information to be stored on a smartphone or a laptop can be perilous if that device falls into the wrong hands.

A cyberattack can cost your nonprofit more than reputational damage. While technology has made it easy for nonprofits to accept donor contributions, the tradeoff is that the nonprofit is responsible for securely storing and managing all the data it receives. With the ever-present threat of credit card fraud, even a single incident of fraud can prove costly when your nonprofit has to repay fraudulent donations and fees related to such refunds. What can you do to better protect your organization?

Assessing Vulnerabilities. Implementing Controls.

Nonprofit organizations must strategically approach adoption of appropriate controls to ensure that sensitive, personal information is safeguarded upon collection. Policies, procedures and best practices must include detailed data handling rules, including who is allowed to view and handle the data.

Directors and officers of nonprofits do have fiduciary duties to be responsible and stay informed of decisions regarding the privacy of the information they collect. Given the degree of escalating cyber threats, it will become even more critical to put systems and controls in place to effectively manage the risk of cyberattacks, and to have a plan to execute should one occur.

Smith and Howard’s nonprofit accounting professionals recommend that you consider the following steps to better protect your organization and the data it collects.

  1. Conduct annual privacy audits to determine exactly what information is stored, where it’s stored and how it’s transmitted.
  2. Become familiar with applicable state and federal laws, rules and regulations that may govern cybersecurity practices for the organization or its industry.
  3. Implement policies, procedures and best practices about who is allowed to handle the data, including third-party vendors.
  4. Delete or securely dispose of files that contain sensitive data but are no longer necessary.
  5. Classify data according to low, medium and high risk so that the proper controls can be applied to the data.
  6. Make sure your directors, officers and employees are aware of the controls and understand the potential consequences associated with breaches of privacy.
  7. Retain outside experts as necessary and as resources permit.
  8. In the event data does get compromised, have a response plan in place. This should include a notification process that will maintain or restore faith in your nonprofit, as well as an internal and external communication plan.

Smith and Howard works with organizations to develop an Incident Response Plan that proactively addresses the steps that should be taken in the event of a data breach. For more information, contact a member of our SOC team at 404-874-6244 or fill out the form on this page.
