The cyber security disasters large companies such as Home Depot and Target face seem far afield from the concerns and issues faced by nonprofits. However, similar to major corporations, nonprofits are a feeding ground of financial and personal information on which hackers are eager to prey.
The primary difference between a major corporation and a small- to medium-sized nonprofit is the ability to effectively remediate a security problem. Target and Home Depot possess the necessary resources and funding to absorb an attack, correct the problems, and regain normalcy. How does a nonprofit respond to a major security breach in its system? What if hackers were able to access credit card information for an entire donor base, or were able to send emails to supporters that then allowed them to hack an even broader audience?
Unfortunately, not all nonprofits are equipped with the same administrative and monetary resources to effectively deal with security risks. If a nonprofit's online security is breached, not only will its records be compromised, but its reputation could implode and the entire organization could possibly be destroyed. It’s vital that nonprofits take responsibility for the necessary due care to prevent potential security compromises.
Why nonprofits are targeted
Some nonprofits might think that they face fewer security threats than businesses. Why would someone target a nonprofit’s website? Unfortunately, there are a number of reasons why nonprofits are common prey for hackers:
- Personally Identifiable Information (PII) - Social Security numbers, emails, phone numbers, and addresses are used by hackers to create false identities to be sold in clandestine markets.
- Phishing Attacks - "Phishing" is using fake information as bait to lure a victim. In online security, the bait can be a false website that looks nearly identical to a legitimate site in order to obtain credit card numbers, bank account information, passwords, and usernames to be used for malicious purposes.
- Donor information - Access to a nonprofit’s donor database broadens the impact of the security breach. Beyond accessing PII, hackers can target the email accounts of nonprofits. If a hacker is able to send an email from an organization to its donors, there is a greater chance that donors will open the email and the hacker will be able to further target them.
How nonprofits are targeted
A nonprofit holds the keys to a range of information attractive to hackers, such as credit card statements, emails, identification numbers, etc. Unlocking a few password-protected portals opens the doors to a nonprofit's most important information. Here are a few of the most common areas targeted by hackers:
- Website - Whether your website is hosted internally or through another server, there is a constant risk of it being attacked.
- Staff - Access to one staff member's personal information, such as an email account, can lead to further exposure of other staff members. Remember, the majority of online security attacks are the result of human error (like falling for a phishing attack).
- Social Media - Accounts on networks like Facebook and Twitter are targeted in a similar fashion to email accounts. If a hacker can post on a nonprofit’s social media account, the nonprofit's followers are exposed to further attack.
- CRM - Accessing the CRM is the ultimate goal for a hacker. For the director of a nonprofit, this could mean the end of the organization. A security breach that involves access to a CRM compromises the trust and reputation of an entire organization.
How to prevent a security breach
Nonprofits can be strategic in addressing future security risks. A combination of low-cost fixes and using the correct hosting software will ensure that a nonprofit's private information is protected.
- Low-cost fixes - It will pay off in the future to invest funds into online security. This includes employing corrective patches to software, using anti-virus protection, creating backups and protecting administrative passwords, among other strategies. These affordable fixes eliminate the majority of attack routes taken by hackers.
- Rules and Regulations - Staff, volunteers, vendors, and even CRM and cloud providers should adhere to the rules and regulations that apply to nonprofits. Compliance is becoming more complex and far-reaching for nonprofits because governments are now requiring more controls. If an organization doesn't adhere to required regulations, it will be unable to access many third-party tools and could be denied grant funding.
- Staff - Equipping your staff with necessary tools to recognize, assess, and take action in a potential security breach will limit the damage. Encourage staff to change passwords every 6 months, create a step-by-step process of what to do in case of a CRM hack, and use well-established email providers such as Mailchimp to cut down on your nonprofit's exposure during an online attack.
- Ask a Hacker - Hackers for Charity seeks to help nonprofits assess and improve their online security. These organizations, primarily composed of hackers, are sought out by various organizations to assess their online security from the point of view of a typical hacker.
- CMS - WordPress, Drupal, Joomla, and the like are large, trusted names. These providers come with the necessary security barriers and consistent testing that your nonprofit needs to ensure that its information is safe.
While nonprofits may be tempted to think that they are not subject to the same security issues as major corporations, their risk is equally high. Taking the necessary precautions to safeguard against potential security breaches is a worthwhile investment for any nonprofit.
If you would like more information regarding your nonprofit's online security, contact one of our web experts today to discuss the various ways our products and solutions will ensure that your website is protected.
This article is an update from the original published in 2015.