Many nonprofit leaders don’t comprehend the value of the vast databases of information contained within their organization. This highly sensitive information––from donors, employees, and other parties––is an extremely attractive target for malicious outside attackers looking to exploit individuals and organizations for financial gain.
Despite the highly confidential nature of this information, many nonprofit organizations do not take adequate measures to effectively secure their data. There are multiple reasons for this: from an under-resourced security team to a lack of understanding of the value this data holds to attackers.
When employee and donor databases are compromised, the consequences are disastrous for nonprofits. There are several examples of this: perhaps the highest profile being an attack on the International Committee of the Red Cross that saw the personal data of more than 515,000 individuals compromised by attackers. The reputational, operational, and legal consequences that come with such attacks can have a lasting impact on a nonprofit’s ability to fulfill its mission.
These dangers are not limited to for-profit corporations and large nonprofits––small and mid-sized nonprofits are at risk too. These types of organizations represent an attractive target for attackers, largely due to their vulnerabilities and limited cybersecurity infrastructure.
For concerned nonprofit executives and board members, the first step to effectively protecting employee and donor data is conducting a thorough risk assessment. In this overview, we’ll specify exactly what sorts of data leaders should be concerned about and explore the role risk assessments play in helping nonprofits secure sensitive information.
Nonprofits of all kinds, from arts and culture organizations to educational institutions, hold large volumes of sensitive data. This data is often spread out over several software platforms and may be accessible to a variety of employees and volunteers.
Generally, the data that should be protected by the highest level of security includes employee data and donor data.
To operate efficiently, nonprofit organizations must have easy access to confidential employee data. That may include information such as employees’ home addresses, phone numbers, and bank account details.
This data is known as Personally Identifiable Information (PII) and should be considered extremely sensitive. If an outside actor were to access this information, there could be all kinds of damaging consequences for employees.
With access to employees’ names and social security numbers, hackers could take out new lines of credit, open bank accounts, and undertake all kinds of nefarious activities. As employers, nonprofits are obligated to take steps to safeguard this data.
Donor data is another form of PII. To run high-performing fundraising campaigns, many nonprofits track a range of information concerning their donors. This isn’t just limited to donors’ names and addresses––datasets may also contain information about what donors’ interests are (for example, a particular era of artwork).
If attackers gain access to donor data, the ramifications could be severe. Donors may be targeted with phishing attacks: malicious emails that appear as if they have been sent by the nonprofit but are actually sent by attackers. Alternatively, donors may be targeted by an inference attack, where attackers piece together information about individuals from various sources and use this web of information to exploit them.
It’s important to note that the threats that arise from breaches of donor data are not always advanced cyberattacks. Consider this scenario: 100 donors RSVP’d to a fundraising event hosted at your museum. If this attendee list were to be compromised, would-be attackers could target dozens of empty homes belonging to wealthy individuals.
The data used to manage employees and donors may be spread out over a variety of different systems. Employee data is typically stored in an HR management system. Access to these systems should only be given to those who need it to carry out their roles.
Donor data tends to be scattered across multiple systems and flows into the organization from a variety of sources. A system that might seem innocuous at first glance, like an email newsletter software platform, should be treated as highly confidential. The email addresses that reside within this system belong to donors who expect to receive fundraising emails from the nonprofit: an attractive phishing target.
A comprehensive audit of the locations of sensitive data such as this is a key focus of a cyber risk assessment.
This is referred to as a data impact analysis and provides an end-to-end overview of how data enters and flows through the organization. For nonprofits, there is a major focus on HR systems and donation systems, as these typically represent the most common data vulnerabilities in the organization.
Sophisticated Cyber Risk Management + Compliance consultants, including our team at Smith + Howard, use proprietary data catalogs and templates that enable nonprofits to ascertain whether the organization is fulfilling its regulatory requirements.
Risk assessments play a wider role than just securing sensitive data. They provide organizations with a comprehensive overview of the risks present in their information security infrastructure, identifying vulnerabilities across the organization.
The risk assessment process typically begins with a business impact analysis. This process quantifies the financial losses that an organization would suffer in the event of a data breach or security incident, assigning dollar values to key data assets such as donor lists and employee databases.
While many nonprofit organizations wait until after a breach to perform a risk assessment and invest in building an information security infrastructure, it’s always advisable to take a proactive approach. With the right guidance, nonprofits can map their strategic goals to their risk management framework, ensuring high-level alignment between security teams and leadership.
It’s important to note that risk assessment should be considered an ongoing process. Nonprofits should create a risk register: a living document outlining the organization’s vulnerabilities and plans to address them. This should be periodically reviewed and updated to account for emerging threats and new data management processes.
Effectively protecting employee and donor data from external attackers demands a nuanced approach that’s tailored to the needs of your nonprofit organization. If you need guidance upgrading your security infrastructure to protect your data, Smith and Howard is here to help.
Our Cyber Risk Management + Compliance team has proven experience working with a variety of nonprofits in the arts and culture space. It’s our mission to enhance data security while enabling nonprofits to continue fulfilling their strategic goals.
To learn more about how Smith and Howard can help you secure employee and donor data, contact an advisor today.
If you have any questions and would like to connect with a team member, please call 404-874-6244 or contact an advisor.