Cyber-security and Non-profits
Non-profit organizations walk a tightrope when managing administrative overhead. Every hard-won dollar must be accounted for and spent as effectively as possible. As donors, we want our donations to reach the people in need, not to be consumed by “red tape” or administrative overhead. In light of this, how should a non-profit address cybersecurity risk?
With that said, we need to recognize that the staff who run a non-profit perform an extremely valuable role in the organization: making connections, putting together programs, and monitoring and tweaking those programs. One part of that role that has not received enough focus is information security and cyber-security at non-profits.
Cybersecurity is a topic that is starting to rise in the public’s perception. For those of you who aren’t directly involved in the space, it is a case of “you don’t know what you don’t know”. Training and education are the first step.
Cybersecurity often takes a back seat because it isn’t a problem until it’s a PROBLEM, and by then it is typically too late. In the context of non-profits, this can be catastrophic for both your fund-raising efforts and your clients.
Think on this:
If a cyber-incident or data breach were to occur on the fund-raising side, how would that affect your:
- Brand?
- Donor base and the loss of trust?
- Administrative overhead in dealing with the breach as it happens?
- Administrative overhead in properly protecting after the event?
- Legal situation?
We can assume that donors expect their financial and personal information to remain confidential. If you work with or for a non-profit and have never thought about these questions, or are worried about even asking them, let me help you with some basics.
Cyber-security should be thought of as an element of your risk management strategy. In the same way that you have strategies for dealing with fire, theft, flooding or other risk events, you need a strategy for dealing with cyber-security issues. As with those other risks, it pays to be prepared rather than caught flat-footed when the event happens, because once it does, reaction time and the actions you take are critical. Start with three questions:
- How are you protecting donor information?
- Who has access to this information?
- How is access controlled?
You may think you are safe if you subcontract donor collections, but that brings with it a different set of problems:
- How assured are you that the subcontractor is properly protecting this information?
- Does your contract with the subcontractor cover data breach conditions?
- How long do they have before they must notify you?
- Are there penalties?
To manage this risk, define what you need to protect and determine its value. Ensure someone is accountable for information security at your organization. Once these crucial preliminary steps are done, you can assess how well that information is currently protected, then create or update policies to cover the improvements that need to be put in place. That starts the process of becoming proactive and managing your risk rather than reacting to it.
If you or your organization needs help, please feel free to contact me.