While cybersecurity remains top of mind for many organizations, in recent years it has become a key concern for not-for-profit organizations and charities (NPOs). NPOs regularly collect sensitive information, including donor financial information and social insurance numbers; they often rely on volunteers as opposed to dedicated IT professionals, and they may lack the resources to invest in large-scale cybersecurity programs. That said, it is vital to note that cybersecurity is a business issue, not a technical one. All data has value and all organizations have sensitive data under their care; therefore, all organizations are targets.
In this article, NPO leader Joan Valente, a partner in our Calgary office, interviews Ryan Duquette, a partner in RSM Canada’s Security, Privacy and Risk Consulting practice in Toronto, sharing insights into specific cybersecurity considerations for NPOs.
Joan: What does cybersecurity mean for most organizations?
Ryan: Cybersecurity refers to a blend of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access.
In my experience working with NPOs, a common misconception is that NPOs are not a primary target for attackers, whether they are associations, charities or engaging in other non-profit activities. What has changed over the last couple of years and why?
I agree that it is a common misconception that charities would not be desirable targets for hackers. Importantly, many organizations still have this fundamental misconception regarding hacking – the belief that someone is "hacking in" from the outside. The larger threat is ransomware attacks such as WannaCry of 2017. These attacks impede business progress across the board. The landscape has changed dramatically and irrevocably over the last couple of years; if charities believe they are immune to hacking that is the first misconception that needs to go. Regardless of the type of data you are sitting on, it needs to be protected.
Who owns cybersecurity matters in NPOs? Are there tips you can give for smaller organizations or larger organizations alike, as their resource allocation towards IT matters and cybersecurity concerns would be different?
One thing to consider is that IT is generally not IT security. Organizations need to think about these two things differently. IT handles day-to-day systems and networks; they often don't have full security in mind. Adding managed security services as well as managed internal services is a good option for NPOs. An even more cost-effective option is to hire a company that provides a chief information security officer (CISO) or security adviser on a virtual or part-time basis.
What type of data do NPOs handle that are particularly attractive for attackers? Are there particular attacks that are more prevalent in the NPO space than in others?
One that we see a lot of in our practice is an attack that utilizes the NPO entity to legitimize the attack. For example, hackers will send phishing emails to donors and use the charity’s name to lend credibility to the ask. This may occur in response to a catastrophic event – the Australian bush fires, for example – wherein hackers will assume the identity of a legitimate NPO, such as the Red Cross or Doctors without Borders, and ask donors to support the cause through fraudulent emails or texts.
Prior to a breach, how can NPOs protect themselves? Given funding constraints, are there tips and tricks you have for NPOs that can ensure their security is effective and efficient?
There are several steps that NPOs can take to protect themselves, many of which will add minimal expense. The first thing to do is identify the crown jewels in the organization – know what data the organization has, where is it being kept and who is holding it.
Once that’s done, enable two-factor authentication on every application the organization uses and set up a password manager such as LastPass or Keeper.
The next step is to set up cyber insurance. These products don't protect the organization from security threats but they do assist greatly with a breach by helping to offset the costs involved with post-breach recovery. Policies differ between firms but most cover forensic investigation, monetary losses due to business interruption and network downtime, legal expenses, and notifications. Be sure to read the policy closely to make sure you know what's covered.
Lastly, be proactive. Manage and mitigate reputational risk by communicating with donors and other stakeholders. For example, send an email to your donor database highlighting your security measures and explain that you’ll never reach out to them asking for sensitive information via text or email. Educate employees and volunteers regarding email security best practices, offer education about phishing scams (both email and text), and develop critical thinking skills vis-à-vis security (e.g., don’t keep passwords on a sticky note beside the computer).
If we’re looking at NPOs and the risks associated with a cybersecurity breach, reputational and financial damages, as well as losses of donors and volunteers, can be critical to the survival of the organization. In your experience, what can NPOs do following a breach to manage any of these items?
Following a breach, the first call you need to make is to your legal counsel. In most cases, the firm will then assign a breach coach to the case, if your organization does not have one in place already. A breach coach is usually an attorney who specializes in responding to data breaches and other cybersecurity-related incidents. The coach will immediately get things rolling with the privacy commissioner, if needed.
The next step is to check with your insurance company and initiate the claim (if you have purchased cyber insurance).
If the NPO does not have a breach coach, check with internal counsel (or external) and ask them if they have a lawyer who deals with breaches. Do your research and get referrals. Depending on the organization, members of the board may be able to provide you with several strong referrals.
What costs are associated with a breach?
There are multiple costs involved in a data breach. These include legal costs, forensic investigation costs, systems costs, and remediation. Organizations also need to factor in the productivity hit involved in restoring system backups. There is also a long-term cost associated with possible reputational loss that could impact the willingness to donate.
Boards in NPOs have a critical role in supporting the organization’s governance and have a fiduciary duty. Does cybersecurity play a role in the board’s responsibilities?
Yes, definitely. It is imperative that the board understands that cybersecurity is no longer an IT problem. It is a board problem and something the whole organization needs to consider. The board needs to set the cybersecurity standard and make sure everyone knows they are responsible for protecting the organization.
To learn more about cybersecurity, register for our webinar here.