By Jeff Ward, CPA, CGMA, CITP, CISA, CISSP, CEH
Many nonprofits consider themselves unlikely targets for cybercrime, but this couldn’t be further from the truth. The reality is that your organization holds a treasure trove of data and often has fewer resources and less cyber expertise to put protections in place. In short, you may be the perfect target for bad actors.
Ignoring or underestimating cyber threats could result in an attack that cripples your ability to pursue your mission. The average cost of a data breach in the U.S. is $7.91M, according to Forbes and Statista. For many nonprofits, even a fraction of that cost could make it impossible to keep the lights on. Assessing your cyber risk is mission critical, and it goes far beyond a compliance audit.
What steps can you take to thoroughly test your systems for cyber risk?
Take a look at the functions of your nonprofit that contain the most valuable assets—and this doesn’t just include sensitive donor or organizational data. Consider your operations and where disruption would be damaging. For instance, not all hackers are financially motivated. Some may be politically opposed to your mission. Once you’ve laid out all areas of risks—from financial to operational and reputational—you can begin to tackle them one by one based on your organizational goals.
Do you know where your network infrastructure and information systems are exposed? To safeguard your systems, you have to find the hacker’s way in. If a hacker can locate a single means of entry or bypass security features, your entire system is vulnerable. Simulate attacks against your network, both internally and externally, to discover unknown weaknesses. However, keep in mind that this kind of test ends once a single point of entry is found, leaving open the possibility of other unknown exposures.
At a bank, the vault may be the main prize, but at a nonprofit the physical vulnerabilities that hackers can leverage may be less obvious. The level of physical security needed for systems, access to buildings and secure areas, and protection for your employees will vary depending on the type of nonprofit organization. You need to be strategic about security guard placement, entrance surveillance, and physical access to office space and sensitive areas. A comprehensive vulnerability scan is critical: it allows you to zoom out, view the full layout of your organization’s physical infrastructure, and test each potential access point and weakness. Then you can pinpoint the right fix.
Two of the most notable cyberattacks in recent history, WannaCry and NotPetya, were launched via malicious email. Given the dramatic growth of cyberattacks that take place through email, an in-depth, advanced diagnostic assessment of an organization’s email system is essential. Such assessments can detect complex, persistent malware that may otherwise go undetected.
Have you ever received a frantic late-night email from your boss or a board member? Now imagine a hacker is actually behind that email, posing as one of these individuals. Spear-phishing attacks are highly targeted attempts to obtain sensitive information, and they have proven effective. It’s vital to assess the level of cyber awareness of your organization’s employees at all levels to reduce human vulnerabilities.
Even if your organization’s own systems are protected, all of your outside vendors—from maintenance vendors and catering services to corporate partners and software providers—are also access points. Third-party relationships should be viewed as an extension of your organization and held to the same standards you apply internally. Make sure each vendor has the appropriate level of access to your data, and examine their data privacy policies and compliance practices.
Cyber risks change and mature as quickly as technology does. To maintain secure systems, it’s critical that you continually assess cybersecurity controls and conduct these tests on an annual basis—and this is not a project strictly for the IT function. Protecting your nonprofit from catastrophe is a shared responsibility. It’s contingent upon proper communication of cybersecurity strategies and plans, and an in-depth understanding by the board, management and any organizational leaders charged with oversight.
Thorough cyber systems testing is a substantial undertaking, and many nonprofits don’t have the internal resources to go it alone.
A System and Organization Controls (SOC) attestation can help you find and close gaps in cybersecurity controls and add credibility to your risk management program.
Article reprinted from Nonprofit Standard blog.