Regardless of size or assets, your nonprofit is either being hacked right now or an attempt is being made to hack it. Attacks aimed at taking over networked systems, gathering data or both are a constant reality.
If your organization has a website, a computer, a phone or tablet connected to the internet, you are vulnerable. Your technology systems are under attack daily at a minimum. The attackers are looking for any weakness that can be exploited and they don’t care who you are. In under 2 years, software that helps to protect my website has blocked 66,091 malicious login attempts.
For a long time, nonprofits have believed they are not a target for being hacked because they are too small, have too few assets or too little data. That reasoning assumes that a human is involved, making choices about who is a good target. Today, it is pieces of software, robots or “bots” that do the work. They spend every second of every day searching for any vulnerabilities to exploit. These robots don’t care if you are a nonprofit or how much money or data you have, their only task is to try breaking into your systems. Any data is valuable, any access is able to be exploited for some type of gain.
Criminals who make money from spam gladly pay for any valid email address, they don’t care where it’s from. Others who make money from scams can break into your website – since many folks don’t update their website software regularly. Once the have broken into your website, they can get names and passwords that they can use to break into your email server. They can then pretend to be anyone – including your Executive Director or Director of Finance and send fake invoices or requests for money to all of your vendors, partners, even your donors. Disgruntled employees who want to strike out may not even be looking for financial gain but with a few well placed disruptions to an unprotected network, they can bring your entire organization to it’s knees in hours. Recovery can take weeks as you try to recover data, rebuild networks, replace equipment and repair lost confidence.
I see many nonprofits in denial that they are the targets of hackers and then I see them paying a huge price when their systems are compromised. Every week I hear from a new nonprofit dealing with disaster from being hacked. Recent news of large organizations being held hostage by ransom ware that requires organizations to pay a ransom to get access to their data is just the tip of the iceberg. If large companies like Sony and Fedex, who spend millions on cybersecurity are vulnerable, how can you think you are secure if you have not done an audit and put protections in place? Regrettably, most nonprofits have limited cyber security measures in place.
Its Happening Already
A San Francisco Bay Area nonprofit was recently hacked by an ex-employee. This is a medium sized organization, approximately two million dollar budget and eight staff. Their systems were compromised and all of their servers hard to be taken offline. No email, no file access, no database access, no website access. For almost two weeks. Think about the impact it would have on your organization to shut down for two weeks.
The nonprofit’s entire technology system had to be taken off line and rebuilt from the ground up. Every part of the network was compromised and had to be repaired or replaced. This meant rebuilding the network, the database server, the file server, the email server, re-configuring the internet access, changing all of the usernames and passwords for everything, setting up new password requirements to force them to be changed more often. While all of this was happening, practically no work could be done by anyone in the organization. Thousands of dollars in revenue were lost from programs that couldn’t run. Many thousands were spent on new equipment, cybersecurity experts, lawyers, and cybersecurity insurance. Thousands more dollars were lost in staff time while staff spent several weeks trying to rebuild all of their systems, just to bring things back to the way they were the day before the attack started. It’s estimated that they spent over $40,000 on repairs and had $65,000 in lost revenue during the attack and recovery phases. The legal costs will continue.
This is real threat, it is happening every day, and a good defense is the best protection.
The best cyber-defense is a cyber-offense. While no system is perfectly secure, there is a lot that even smaller nonprofits can do to greatly reduce the risk of being impacted by being hacked. Buying Cybersecurity insurance can be expensive and is not always needed by smaller organizations, depending on their data and security needs. Talk to your technology provider about what they are doing to protect you. Educate staff or hire someone who is educated on the subject. Cindy Leonard has a good list of posts on the topic on her blog here.
Prevention is much less expensive than repairing damage. Nonprofit technology professionals like myself and others can guide your organization through a security audit to assess where you are most vulnerable. An audit provides the knowledge needed to create thoughtful action plans that improve cybersecurity. Depending on the size and complexity of your organization, audits can range from $6,000 for a small nonprofit to $100,000 and up for the largest organizations.
A good audit will begin with staff working with a consultant to assess all of your current security practices and needs. From that audit, recommendations to improve security in many areas of your operations will emerge. Beyond tools to monitor your systems and to help secure your networks, policies and procedures are an important part of keeping your organization as secure as possible.
Training employees on excellent security practices and ensuring those practices are followed is one of the most important parts of a security plan. Look for a cybersecurity audit plan that includes the follow up work necessary to make sure the needed changes become ingrained into your culture. Only the correct alignment of people and technology can ensure the best possible protection of your organization and its data.