Wired magazine recently reported on the months-long struggles of a large East Coast animal shelter that had its Facebook page hacked. Using social engineering and phishing links, the hacker repeatedly accessed the account of the organization’s director, wreaking havoc on the organization.
Despite exhaustive efforts to control access by implementing two-factor authentication, new antivirus software, and complex passwords, the hacker kept reappearing as an administrator. Bogus posts and even fraudulent fundraisers would appear, and the shelter was forced to return gifts to donors. The harassment didn’t stop until the director transferred $1,500 to the hacker through an anonymous PayPal account.
According to Giving USA, Americans donated $410 billion to nonprofits in 2017. Most of this money is collected online through nonprofit websites, while major platforms such as Google and Facebook have added a “donate” button to make it easier to give. Websites that end in .org tend to rank highly on Google, giving these organizations more visibility to donors – and hackers.
Not only are nonprofits collecting large sums of money, but they also collect sensitive data, including donor addresses, phone numbers, employer information, and a variety of data about family members, friends and interests. Bank and credit card numbers are often stored for donors who contribute recurring gifts on a monthly or yearly basis. Even donors who give by phone or mail checks usually have their data entered into Excel spreadsheets or a donor management system.
Most cybercrime continues to be financially motivated, and small to midsize nonprofits are attractive targets because they typically have relatively weak cybersecurity defenses. Nonprofits depend on the trust and confidence of their donors to exist, so a single data breach could very well be fatal.
If your nonprofit processes online donations, event registrations and newsletter subscriptions and/or stores data about donors and supporters, you need to assess the risk involved and develop an effective cybersecurity plan.
The first step is to take inventory of all the data you have, all the data you collect, where that data is stored, and how long it is stored. You can immediately reduce risk by collecting and storing only the data you truly need. Next, classify your data: determine which of it is personally identifiable information and, therefore, subject to federal and/or state regulations. Finally, determine the likelihood and consequences of a breach. What data would be exposed? Are your data, applications and systems backed up? How long would it take to restore critical systems and to disclose the breach to those affected?
Once risks have been identified and prioritized, it’s time to take steps to minimize those risks. If in-house security expertise is limited, consider working with an outside consultant to assess risk, implement robust security tools and payment processors, develop an incident response plan, and train staff and volunteers. Training should cover best practices for collecting, storing and sharing data, password management, and how to recognize social engineering, phishing and other threats.
Don’t let hackers get in the way of the great work your nonprofit is doing. SSD has helped a number of nonprofits maintain the trust and confidence of donors and supporters by identifying vulnerabilities, improving their defenses, and satisfying compliance requirements. Let’s sit down and discuss the current state of cybersecurity at your nonprofit and develop a plan to reduce risk.