In the not-too-distant past, nonprofit organizations believed they didn’t need to worry about cybercrime. They thought that cybercrime was an issue that only impacted large for-profit businesses. In reality, nonprofits are the perfect target for today’s savvy cybercriminals for a variety of reasons. First, they often have access to sensitive and confidential donor financial data. Second, due to budgetary constraints, their IT infrastructure often isn’t as up to date as that of their counterparts in the for-profit world. And finally, they historically have not invested in cybercrime prevention as heavily as other sectors.
The lack of cybersecurity among nonprofits has made organizations like yours prime targets for cybercriminals. Consider these 2022 statistics: Only 26% of nonprofits actively monitor their environment for threats, 59% do not provide cyber threat training to staff, more than 70% have not run a single threat analysis to evaluate their risks, and only 20% have a policy in place to deal with a cyberattack.
One of the primary reasons might come down to budget. Many nonprofits struggle with tight fiscal constraints and would rather invest their limited funds in the mission instead of a seemingly intangible factor like cybersecurity and infrastructure. Unfortunately, that might be short-sighted, since the costs of not making wise investments in your online security can prove overwhelming.
How can a nonprofit executive convince a board that investing operating funds into a robust cybersecurity budget makes sense? Sharing the scale and omnipresence of the potential risks is one way to help key decision-makers come to grips with this necessary budgetary shift.
The Rise of the Machines
The Internet of Things (IoT) has evolved from a science fiction concept to how many nonprofits conduct business daily. The interconnected devices that we find in our offices, in our vehicles, and on our persons make it simple to do the business of nonprofit work from anywhere and get the answers you need quickly and efficiently. Unfortunately, hackers continually discover new ways to infiltrate sensitive networks and data centers using these devices.
What kind of devices are we talking about? It could be anything from the watch you wear to the smart speakers you hook your laptop to for donor presentations or even the latest gadget that a volunteer brings in while they are working a shift at your front desk. All are potential points of attack for a savvy hacker. The good news is that IoT vulnerabilities are mostly preventable. If your internal IT experts are actively managing endpoints and connectivity within your organization’s networks, IoT devices should be safe from external threats. However, securing these networks requires some form of active IT support, whether that is outsourced or in-house, so you’ll want to emphasize the importance of this to board members in your cybersecurity budget.
The Rise of Ransomware
One of the biggest financial threats to nonprofits and businesses alike is ransomware. This malicious software blocks access to your network and data until a ransom is paid. This potentially devastating malware can cost an organization millions, with the average cost of a ransomware attack growing to $1.85 million in early 2023. Because ransomware is so potentially lucrative, these attacks have risen by approximately 13% in the past five years, reaching an astounding 1.7 million ransomware attacks every single day worldwide. From the high cost of the ransom itself to downtime and repair expenses to the more intangible but potentially more devastating toll an attack takes on public trust, many nonprofits can’t afford the recovery from such an attack.
Fortunately, you can invest in a few cybersecurity safeguards that can help your organization prevent a ransomware attack or bounce back quickly and efficiently in case of an attack, which can greatly reduce its cost. How? Since ransomware is often spread through malicious emails or downloads of infected files, a strong firewall, email protection, and staff training can go a long way toward prevention. If your nonprofit implements robust backup and disaster recovery solutions, you can be back up and running quickly after an attack.
By investing in these key technology pieces before an attack occurs, your board can ensure that your organization can live through a ransomware scare.
The Primary Target
As we just mentioned, one technology essential to doing business is also one of the things that can leave your organization most vulnerable to an attack: email. Google blocks about 100 million phishing emails daily, as of April 2023. However, many still get through. The most advanced attackers take the time to mine information about individuals in your organization from social media, the news, or your organization’s website and then use those details to design a custom attack. Most often, these types of more sophisticated attacks target employees with access to sensitive or financial data, making anyone who handles donations or finances a primary target.
Unfortunately, the remote nature of today’s volunteers and employees makes this type of attack more effective. Since they are not in the office and might be transferring funds from remote locations, emails asking them to do just that don’t seem as out of place as they would have a few years ago.
The best way for organizations to combat phishing emails and malicious sites is by implementing an ongoing education program for staff members and key volunteers, particularly anyone who deals with finances. They also should invest in software that rejects phishing emails, reducing or eliminating suspicious emails before they hit your inbox.
The Predominance of Mobile
Not too long ago, the worst thing you had to worry about losing due to mobile apps was valuable time. Unfortunately, if an infected mobile device connects to your network, attackers can access your data directly, causing your organization to lose far more.
The most infamous app hack targeted the popular health app, MyFitnessPal, in 2018. More than 150 million users of the app were impacted by a data breach. These were not just individual consumers but also organizations that had integrated the app into HR systems to track corporate wellness programs.
The way for your IT team to combat these attacks is to protect all devices that connect to your network and to protect your network from those devices. One solution many organizations favor is mobile application management software. This software lets your IT team secure specific, work-related applications on users’ devices.
When Good Machines Go Bad
Machine learning (ML) has many wonderful applications for nonprofits. IT engineers can “train” systems to identify the hallmarks of an attack, which then triggers an action or notification. However, hackers are now creating adversarial machine learning to combat the work of these smart programs.
As even more advanced learning tools – like ChatGPT and AI – become part of our daily lexicons, it’s only a matter of time before they too are used for both good and evil purposes. Because of the rapid advance, organizations need to invest in IT talent who stay current on the latest ML, which means you have to hire and retain those employees internally or budget to outsource them.
Organizations Need a Cybersecurity Budget
This brings us back to where we started – advocating for a robust cybersecurity budget that is flexible enough to meet evolving threats and responsive enough to address the needs of various staff members and volunteers.
Remember, nonprofits are no longer considered too small to be valuable. Hackers are now targeting nonprofits of all sizes because they see them as easier marks. Effective cybersecurity doesn’t have to break the bank. By working with an organization that understands the unique needs of nonprofits – like us! – you can rest assured that you will get the technology you need, provided by an organization that understands your budgetary challenges and your mission.
Ready to learn more about protecting your organization from cybersecurity threats? Reach out to us!