By Robert Evans and Bryan Schwartzman
The recent data theft from the infamous cheating website AshleyMadison.com is the latest in a string of high profile cyber attacks that have also ensnared huge corporations like Sony Pictures and Target, and government agencies including the United States Office of Personnel Management.
Security breaches in the nonprofit sector have not generated the same kind of headlines, but equally disturbing incidents are occurring. This past February, the Urban Institute’s National Center for Charitable Statistics was the victim of a malicious attack that compromised data for 600 to 700 organizations.
“There has been a general perception in the nonprofit world that this is not an issue for us,” explained Sean Williams, a program consultant at TechBridge, an Atlanta-based nonprofit that provides IT consulting services to other nonprofits, including a comprehensive IT Strategy & Assessment with recommendations related to IT security issues.
“There is a sense that, ‘we serve a very benevolent mission. Who in their right mind would come after us? We are just a small organization trying to better the world.’ ”
But Williams argued that nonprofits have begun to take the issue more seriously. A recently released survey offers a mixed assessment. “Managing Risk in a Riskier World,” a survey of 470 nonprofit executives, was released in July by CohnReznick, a national accounting and tax advisory firm with a large nonprofit clientele. We highly recommend that all nonprofit leaders, both lay and professional, review the survey. It offers great insight into current attitudes and practices regarding nonprofit governance policies and board accountability. The report persuasively argues that oversight of cyber security should now be considered a fundamental board responsibility.
Kelly Frank, CPA, a CohnReznick partner and co-author of the report, said that her firm conducted the survey “to provide meaningful insight to help our clients and contacts to make the necessary adjustments within their governance practices, using information from peer organizations.”
Close to 25 percent of the respondents counted cyber security among their top three concerns or risks and 57 percent said that it was one of their top 10 risks. Furthermore, 29 percent of respondents said their organization would spend more money on cyber security this year than last year, while 45 percent said they expected their organization to spend the same amount.
On the other hand, just 11 percent reported that their organizations have either a risk committee or an IT committee.
Frank said that “If a breach occurred, confidence in the organization would be shattered, affecting the ability to raise funds or even continue operations – not to mention the host of lawsuits and legal penalties. It’s always better to have a sound cyber security program in place. Doing so will lessen the likelihood of a breach and also demonstrate that the nonprofit upheld its fiduciary duty to protect information, even if a breach did occur.”
There’s a widespread sense that this is a problem, but also a feeling that the threat is so ominous, and nonprofit resources so limited, that there is little that can be done. One refrain we have started to hear from nonprofit leaders is, if the United States government can’t protect its data, how can we? And it’s true that most nonprofits are extremely limited in the resources they can devote to cyber security.
CohnReznick Advisory Group Managing Director Jim Ambrosini said that “It’s true that when a dedicated group of hackers is well-funded and highly motivated to obtain a company’s data, it’s only a matter of time before they get in. But, that doesn’t mean that the company should make it easy for them. And, non-state-sponsored or opportunistic hackers would typically bypass a company’s network, if it has the proper protection in place, and move on to an easier target.”
The report made some key recommendations regarding cyber security. We second these recommendations and urge nonprofits of all types to take immediate and appropriate steps to protect themselves, their donors, and the wider nonprofit and Jewish communities.
- Nonprofits should create an IT committee, making sure to include IT professionals.
- The committee should have “clearly established objectives and monitoring responsibilities.”
- Updates on risk management and cyber security issues should be regular board meeting agenda items.
“Ultimately,” said Ambrosini, “cyber security is really a business risk decision that involves making appropriate investments based on the relative risks the organization faces, its risk tolerance, and the value of digital assets.” Boards can ask the appropriate questions regarding the organization’s cyber security capabilities, help align resources, and provide governance to ensure that the cyber program is functioning as planned.
Our firm makes no claim to being IT experts, but we know there are steps that nonprofits can take, and that it costs a lot more to repair things after an attack or loss of data than to prevent an incident.
TechBridge offers a free nonprofit checklist that is worth consulting. The Jewish Community Relations Council of New York has also compiled a useful “Best Practices 101” related to websites, computer systems, systems intrusion, and mobile devices. These resources can help you get a clearer view of how your organization stacks up.
Williams, of TechBridge, argues that by investing relatively small dollar amounts in training employees – all employees, not just those in IT – nonprofits can potentially save themselves a lot of time, money, aggravation and even embarrassment following a malicious cyber attack. He noted that nearly all nonprofits can and should train staff on effective password use, create awareness of wireless security, and ensure adequate firewall protection.
One of the most important things nonprofits can do is instill a sense that everyone, not just IT professionals, is responsible, noted Williams. After all, a nonprofit is only as secure as the mobile devices and laptops on which sensitive information is stored.
It is essential, he noted, that nonprofits produce written cyber security guidelines and policies.
“Thinking about governance rather than a really expensive security tool is a nice place to start,” he said. “A lot of nonprofits haven’t even had the discussion about security.”
Ambrosini said that basic protection includes “an industry standard firewall to protect the perimeter, keeping systems well patched, paring down access to critical data and keeping it segmented from the rest of the network.”
He went on to say that “in order to respond to a breach effectively, it’s important that nonprofits have a formalized breach response plan in place because there are simply too many things happening when a breach occurs to effectively deal with it unless it is thought out ahead of time.”
Nonprofits often fail to reach their full potential because of a lack of good governance and a failure to fully embrace technology. Just as nonprofits cannot ignore the upsides of technology, neither can they ignore the very real threats. Good governance should not just be the purview of executive staff, but should be the concern of board members and all who care about the future of their organization. Technological advances have brought us neither a utopia nor a dystopia, but a new reality that we must all negotiate together.
Robert Evans is President of the Evans Consulting Group, a firm that helps nonprofits meet and exceed their strategic and fundraising goals. The Evans Consulting Group advises nonprofits, manages fundraising campaigns, facilitates strategic planning processes, engages in donor research and cultivation, coaches nonprofit leaders and performs a number of other development-related services. Mr. Evans is a member of the Giving USA editorial review board and is also a board member of the Giving Institute. A regular contributor to eJewishPhilanthropy.com, he can be reached at email@example.com.
Bryan Schwartzman, an award-winning journalist, is manager of marketing and communications at the Evans Consulting Group. He can be reached at firstname.lastname@example.org.