Regardless of size or resources, nonprofits must keep cybersecurity top of mind.
The assumption may be that a relatively small public image and a lack of disposable assets would make nonprofits less appealing to hackers than most corporations. However, every business and organization is a potential target, according to Ann Puckett, information technology manager for the Grand Rapids Community Foundation.
“It’s not a matter of ‘if’ anymore,” she said. “It’s a matter of ‘when.’ It doesn’t matter what size you are, you should always have security at the forefront of your thoughts.”
Puckett has made cybersecurity a top priority for the foundation. One of a nonprofit’s biggest risk areas is “reputation,” she said, and a breach of any kind can seriously compromise the trust a community places in an organization.
The foundation has put multiple safeguards in place to protect every aspect of the organization’s data and resources. When it comes to money, Puckett said that most of the donations come in through checks, which avoids any concern from a cybersecurity standpoint. All online donations go through a different site, but the foundation first “did our due diligence to ensure that they had the best security practices in place,” she said.
Puckett is adamant on this point: nonprofits should trust only the safest outside organizations with their information. Whether it’s cloud-based providers, payment services or other I.T. vendors, nonprofits should research an outside company’s practices and protocols.
“Nonprofits rely extremely heavily on their I.T. vendors,” she said. “I know why — because they don’t know what they don’t know — but nonprofits need to become informed with some of the basics so that they at least know the questions to ask. If they don’t know those questions, they need to reach out to resources that are available all over.”
One of those resources is the West Michigan Cyber Security Consortium (WMCSC), a free-to-join group of more than 250 local businesses and organizations sharing best practices for remaining secure. WMCSC is working with Trivalent Group Inc., the Better Business Bureau and the Michigan Small Business Development Center to host the third annual Michigan Cyber Security Conference on Oct. 5.
Jill Wallace, chief marketing officer at Goodwill Industries of Greater Grand Rapids, also encourages other nonprofits to come to her organization for assistance.
“It might be harder for much smaller nonprofits in terms of trying to figure all of it out,” she said. “I think that’s the great part about Grand Rapids though. We’re all here to share that type of information with each other, in terms of procedures, documentation and what steps might need to be put into place.”
PRIMED TO REACT
Goodwill Industries International Inc. experienced a data breach in 2014 when hackers gained access to an estimated 868,000 debit cards and credit cards by using the same technology that infiltrated retailers Target and Home Depot.
Wallace said none of the Michigan locations were affected, but her organization immediately reached out to the greater Grand Rapids community with information on the breach, as “that’s the most important thing: transparency.”
In the same vein, the Grand Rapids Community Foundation has begun working with the Council of Michigan Foundations to put together incident-response plans. While it’s impossible to be perfectly prepared for every scenario, Puckett said that having a process for responding quickly and communicating with the community is key, especially in terms of maintaining reputation. She hopes that working with other foundations in the state to create a template will lead to “a more robust plan than if we worked on it individually.”
The Grand Rapids Community Foundation, Goodwill and many other nonprofits are being proactive to prevent those incident-response plans from ever becoming necessary.
Puckett said her organization performs multiple security audits throughout the year. One audit reviews the foundation’s internal controls, such as password requirements, lockout policies, firewalls, two-factor authentication, etc. Another audit involves a penetration test, in which a third-party consultant attempts to hack into the network to look for any weaknesses the foundation could patch up.
The single most important issue to address, however, is employee education, sources said. Considering how effective most of the modern security systems are, an uninformed or careless employee is actually the most likely cause of infiltration, according to Puckett. That’s why she sends out monthly security awareness letters, as well as occasional phishing tests to see if employees will fall for the common password-stealing scam. Even going to the wrong website can have disastrous results.
“You can have all the security in place you want, but if you click that link, it’s for nothing,” she said. “If you’re not educating your employees and constantly updating them on the biggest and greatest new thing, you’re not really doing a good job.”
The foundation’s employees have since started asking others if they should open certain emails or links, a behavior that inspires confidence in Puckett that the education is working.
For Goodwill, protecting the information of “the people we serve” is top priority, Wallace said. Through various programs, such as career and health care services, Goodwill has access to many of its participants’ personal information. As such, the Health Insurance Portability and Accountability Act (HIPAA) plays a large part in the organization’s security policies. As one “very small example,” Wallace said that neither job coaches nor any other employees are allowed in any way to interact on social media with program participants.
Having previously worked at for-profit retail businesses, Wallace said that there’s “not even a comparison” in terms of how much more important it is for nonprofits to keep their information private. That’s why nonprofits have to comply with strict laws in order to receive various accreditations, while most for-profits “can just kind of make up their own system.”
But in the end, even accreditation and reputation aren’t the most important issues, sources said. Rather, it’s protecting the information of those who trust your nonprofit to keep it safe.
“It doesn’t matter what size you are,” Wallace said. “It’s important for any nonprofit that has private information about individuals. You owe it to the people you’re serving.”