Hackers know that non-profits often don't have the resources to invest in expensive security systems, and that computer systems in use may be several years old and designed before non-profits were being targeted with digital attacks. Cyber-thieves understand, therefore, that such systems often contain vulnerabilities and lack cyber-defenses, making them easier to hack than many systems in the commercial sector.
The consequences of compromised security may not be small. Bad press, the breach of confidentiality and embarrassment emanating from the leakage of data about people being helped by the non-profit, fines from credit card companies for failure to confirm to security requirements, or donors suffering the anguish of identity theft and blaming anorganization's negligencecan be catastrophic.
Some cases have made the media. When the Columbia Triathlon Association website was hacked, for example, cybercriminals successfully pilfered information about over 8,000 members - including a password database in encrypted form.
So what can a non-profit do to ensure that itremains cyber-secure? While a single article is not sufficient to cover all the aspects of cybersecurity in a non-profit setting, here are several high-level pointers...
1) First and foremost, commit to actively ensuring cybersecurity. The cost - in terms of time, money, and aggravation - will likely be far less if a proactive approach is taken.
2) Create proper policies governing who has access to which resources, and implement rules and technology to enforce these policies. Access to systems and information should always be on a "need to know" basis.Systems should be used for only their intended purposes and not for others, such as reading email or accessing Facebook. Ensure that every user has her owncredentials and that all systems require a login with a password that is not easily guessable or found in the dictionary.
3) If wireless (or wired) Internet is provided for guests within a facility, implement it on its own separate network - isolated from any non-profit systems and networks.Visitors have no need to accessany internal systems. Don't let them.
4) Branch office managers should ensure that they conform to all security policies of the parent organization and should also implement security to ensure that a breach at another branch, or at the main office, does not prorogate totheir location.
5) Ensure compliance with all credit card security rules, and, unless truly necessary, do not store credit card data after processing transactions.Never store credit card security codes or debit card PIN numbers.
6) Store all sensitive data - including donor information, employee data, documents related to programs being run and beneficiaries from any charity, etc. - in encrypted formats. When in doubt, encrypt.
7) Select and implement security technology to meet functional and security requirements- and ensure that all technology is kept up to date. Keep in mindthat all major recent cybersecurity breaches have occurred to organizations running firewalls, anti-virus software, and other security products, and so...
8) Perhaps most importantly, leverage the services of a skilled cybersecurity professional to properly design your cybersecurity plan. Remember, cybercriminals have technical expertise. Shouldn't you have it to defend your organization?