Who Would Want to Hack Us?
The organizations and businesses that have been hacked just keep piling up. From banks to healthcare to retail to government agencies, cyber security experts are scrambling to plug the holes.
Sadly, nonprofits are not exempt.
Nonprofit organizations handle volumes of sensitive data every day. Client records, donor information, confidential emails, and hundreds of other transactions pass through our organizations.
How concerned should nonprofits be in the face of recent cyber attacks and security threats? How can we ensure that our sensitive data is secure, and how can we convince our funders and donors that we are protected as more and more hacking scandals come to light?
Here are 8 tips for how your nonprofit can respond to cyber security threats.
1. Make it a priority.
“Why would anyone want to hack US?” or “We do good work, why would we be a target?” are really great questions. But these are questions that have very simple answers. Bad guys are bad guys, and the easier the pickings, the easier their job becomes. The hackers don’t care about your mission, values or clientele. They only care about enriching themselves and wreaking havoc. Even more relevant today is that many of these hacks are perpetrated by faceless, soulless bots that have been designed to sniff out the weakest systems as their prime targets.
Traditionally, nonprofits don’t have the strongest cyber security platforms in place. We are just trying to do our “good work” and just don’t have the manpower, expertise, money or time to put up any kind of proactive defense against such technically savvy foes.
And as I said earlier, client records, donor information, online banking transactions, confidential emails, and hundreds of other transactions are what they are after.
This combination makes nonprofits a perfect target.
2. Upgrade your computers.
Many nonprofits I know still use Windows XP, even though it is more than a dozen years old. Did you know that Microsoft completely stopped supporting Windows XP this year?
That means that computers running the outdated software are now much more vulnerable to cyber attacks and hackers.
The older your operating system, your computers and your network, the more susceptible they are to data breaches — it’s as simple as that. No budget for new computers and secure systems? This is no longer an acceptable answer. Similarly to how you budget for staff or rent or services, so too do you need to begin to put money aside, every year, for technology upgrades. It is not an option, any longer.
3. Train and inform employees and volunteers.
You may assume that your staff and volunteers understand terms like spear-phishing, spoofing or denial of service, and know how to recognize malicious links in emails and website pop-ups. Never assume!
Nonprofits need professional training on how to protect against viruses, malware, spyware and other items that can easily be added to nonprofit computers with just the click of a button. Make sure everyone who has access to the organization’s computers is on the same page and alert to these kinds of threats.
Develop strict policies on what employees can download from the Internet and what applications are allowed on your “business” computers, and restrict the downloading of new applications without the sign-off of an IT person or supervisor.
4. Focus on passwords.
Do not have the same password for every social network and website you access! Change it slightly and make sure to keep that information in a secure location.
What makes a great password? NIST, the National Institute of Standards and Technology, now suggests that users create passwords from long, easy-to-remember phrases and that users should not be forced to change their passwords as frequently. Some studies have shown that passwords that include four words can be harder to crack than a smaller combination of characters.
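To make the “four words versus a handful of characters” comparison concrete, here is a small Python calculation of how many guesses an attacker would need on average for each style of password. This is an added example, not code from the original post. It assumes a Diceware-style wordlist of 7776 entries (the size of the EFF long wordlist) as the dictionary for passphrases, and it assumes the words and characters are chosen uniformly at random; the short wordlist embedded below is constructed for demonstration only and is far too small for real use.

```python
import math
import secrets

# Assumed dictionary size: a Diceware-style list has 6**5 = 7776 words.
DICEWARE_LIST_SIZE = 6 ** 5

# Character-class sizes for "traditional" random passwords.
ALPHANUMERIC = 26 + 26 + 10       # a-z, A-Z, 0-9
ALL_PRINTABLE = 94                # printable ASCII minus the space


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of a secret made of `length` independent, uniformly random
    picks from `choices` alternatives: length * log2(choices)."""
    return length * math.log2(choices)


def passphrase_entropy(num_words: int,
                       dictionary_size: int = DICEWARE_LIST_SIZE) -> float:
    """Bits of entropy in a passphrase of `num_words` random words."""
    return entropy_bits(dictionary_size, num_words)


def random_password_entropy(length: int,
                            alphabet_size: int = ALPHANUMERIC) -> float:
    """Bits of entropy in a random character password."""
    return entropy_bits(alphabet_size, length)


def expected_guesses(bits: float) -> float:
    """Average number of guesses to find a uniformly random secret:
    half of the 2**bits keyspace."""
    return 2 ** bits / 2


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average cracking time at a given (assumed) guessing rate."""
    return expected_guesses(bits) / guesses_per_second


def compare(num_words: int, pw_length: int,
            alphabet_size: int = ALPHANUMERIC,
            guesses_per_second: float = 1e10) -> dict:
    """Summarize a word-based passphrase against a character password.
    The guessing rate is an assumed figure for offline cracking of a
    fast hash; real rates depend entirely on how the password is stored."""
    words_bits = passphrase_entropy(num_words)
    chars_bits = random_password_entropy(pw_length, alphabet_size)
    return {
        "passphrase_bits": round(words_bits, 1),
        "password_bits": round(chars_bits, 1),
        "passphrase_years": expected_crack_seconds(words_bits, guesses_per_second)
        / (365 * 24 * 3600),
        "password_years": expected_crack_seconds(chars_bits, guesses_per_second)
        / (365 * 24 * 3600),
        "passphrase_is_stronger": words_bits > chars_bits,
    }


# Constructed toy wordlist (16 entries, 4 bits per word). A real list needs
# thousands of words; this one exists only so the generator runs offline.
TOY_WORDLIST = [
    "apple", "bridge", "candle", "dolphin", "engine", "forest", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "needle",
    "orange", "pillow",
]


def generate_passphrase(num_words: int, wordlist=TOY_WORDLIST) -> list:
    """Pick words with the `secrets` module (CSPRNG), never `random`."""
    return [secrets.choice(wordlist) for _ in range(num_words)]


if __name__ == "__main__":
    print(compare(4, 8))                          # 4 words vs 8 alphanumerics
    print(compare(4, 8, ALL_PRINTABLE))           # 4 words vs 8 any-printable
    print(" ".join(generate_passphrase(4)))       # toy-list demo only
```

Four random Diceware words come to about 51.7 bits, slightly more than an 8-character alphanumeric password (47.6 bits) and roughly level with 8 characters drawn from all printable ASCII (52.4 bits), yet the phrase is far easier to remember and to type. The comparison only holds if the words are actually chosen at random: a phrase a user picks from memory (song lyrics, a slogan) is much weaker than the arithmetic suggests.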
5. Reputable technology is the key for nonprofits.
Do you still send PDF attachments through Outlook for your email newsletter? Is your database kept in an Excel Spreadsheet on your desktop?
It’s time to live in the now. Use an email provider like Constant Contact or MailChimp to send email blasts and fundraising appeals. Explore acquiring a reputable CRM (customer relationship manager) system that keeps information on donors, volunteers, supporters and the like. Stop using Excel, Access and Word to store your organization’s important digital assets.
Investing in reputable, dependable technology systems for your organization is a huge step in securing data and ensuring efficient processes for years to come.
6. Use a reputable online payment processor.
Many donors want to give online.
Donors will not give online if the payment process is complicated and insecure. From what I have seen online, the majority of nonprofits use PayPal. While good, I recommend giving donors other options as well. Many people (myself included and many potential donors) do not like PayPal as it has suffered serious security breaches in the past. We’ll talk more about other options, coming soon.
7. Stay calm.
Do not think that, because of the recent rash of cyber attacks, you should panic and shut down all services connecting to the Internet. That would be neither wise nor practical.
But passwords alone won’t do it all. Firewalls, anti-virus applications, malware detectors and penetration testing are important tools to help secure the nonprofit organization’s electronic presence.
I believe that cloud-based services have a place in our world and are becoming more popular. But using the cloud for everything or incorrectly using a cloud service can be worse than other alternatives. I will cover cloud services in more detail in future posts.
8. Stay informed.
Privacy policies are constantly changing. It is our responsibility as nonprofit professionals to be aware and informed of these changes and how they will affect our nonprofit data security. Understand that you cannot do it all or know it all. Having access to qualified, dedicated IT professionals at your disposal is absolutely a necessity.
It is important to remember that this is an age of very limited privacy — if there is still any real privacy at all. Being as transparent and accessible as possible is important to build and maintain trust with your supporters, stakeholders and with the community at large. But doing so at the expense of your organization’s future and safety of your digital assets is nothing but foolish.