
Understanding Cybersecurity Risks at Not-For-Profit Organizations

January 15, 2019

John Eusanio, CPA, CGMA
David Rosenbaum, MBA


From the largest multinational corporations to the smallest not-for-profit organizations, nobody is immune from a cyber-attack or breach. The best an organization can do is to understand its risk, then take steps to manage that risk and mitigate the potential impact of a breach. To manage cybersecurity risk, it is important to first understand what cybersecurity is and the specific impact a breach can have on a not-for-profit.

What is Cybersecurity?

In essence, cybersecurity is the protection of:

  • Computers – All of the devices used to access data, including desktop computers, laptops, tablets and smartphones
  • Networks – Collections of devices used to connect computers and share information, including file servers, firewalls, peripheral devices like printers and scanners, and Internet-connected appliances (IoT – the Internet of Things)
  • Data at Rest – Data that is stored on file servers, on computer hard drives, on backups or removable media, and in the Cloud
  • Data in Motion – Data that’s moving between computers and between networks, including email, websites, portals, networks, Wi-Fi, faxes and phones

While data privacy is most commonly understood as the focus of cybersecurity, cybersecurity actually has the following three objectives:

  • Confidentiality – Ensuring that data can only be seen, accessed and used by authorized individuals
  • Integrity – Ensuring that data cannot be modified by unauthorized individuals, and that it is not inadvertently modified by authorized individuals
  • Availability – Ensuring that data is accessible when needed (n.b. ransomware that encrypts data disrupts availability)

All companies and organizations are subject to specific cybersecurity-related compliance requirements, including state privacy laws. Organizations that accept credit cards for donations and program-related revenues are subject to PCI DSS requirements. Not-for-profit healthcare organizations face mandatory HIPAA security and privacy regulations. Organizations with donors or constituents in the European Union are required to comply with the new GDPR privacy rules. Regulations under the Single Audit Act, and potentially new compliance testing requirements, are still being deliberated. Unfortunately, the list goes on and on.

The costs of a cyber-breach are significant and may include fines and penalties, technology expenditures, forensics and legal costs, constituent notification requirements, operational downtime, and distraction from mission.

One of the most significant costs to a not-for-profit is the reputational damage that can result from a breach. Donors and constituents are entrusting your organization with their assets, and in certain instances, with personal and confidential information. If you can’t protect this information or need to dedicate resources to respond to a breach instead of staying focused on mission-advancing programs, your donors and constituents will find another organization that can.

What can a not-for-profit do to protect itself?

Although there is no way to fully protect your organization’s data, there are best practices that will help to manage risk and mitigate losses in the event of a breach. We suggest the following:

  • Make cybersecurity awareness a part of your organization’s culture. One best practice may involve having a policy that every meeting starts with a reminder about cybersecurity, even if it’s as simple as asking each attendee at the meeting when they last changed their password or if they locked their computer screen before coming to the meeting.
  • Understand what information you have, where the data is stored, who has access to it, how it’s protected, and what regulations and standards apply to the data and to your organization.
  • Develop and enforce written cybersecurity policies and procedures.
  • Enforce the use of complex passwords, firewalls, antivirus and antispam software, data encryption, and comprehensive data backups.
  • Understand and evaluate the cybersecurity controls of your vendors and service providers – remember that they often have access to your information.
  • Don’t collect or retain more data than necessary, and limit access to that data.
  • Social engineering techniques are very effective at tricking people into opening attachments, clicking on links, and otherwise disclosing confidential information, including network credentials. Users are the weakest link in cybersecurity. Train your staff and volunteers to be aware and alert.
  • Audit and test your cybersecurity controls, repeatedly, to ensure that they are being followed.

Managing cybersecurity risk is an iterative process, especially in the not-for-profit sector; budget and resources are always constrained and optimally dedicated to mission-supporting programs and activities. However, by understanding the importance of cybersecurity, leveraging the use of expert advisors, and focusing on continuous incremental improvement, significant risk reduction is possible.

How we can help

Citrin Cooperman’s Information Technology and Not-for-Profit practice professionals can assist you in further understanding the cybersecurity and information technology risks at your organization, review your current IT environment, and provide best practices and right-sized solutions to meet your needs.