Financial transactions and charitable donations are increasingly being conducted online. The Blackbaud Institute for Philanthropic Impact reports that online giving grew more than 17% between 2016 and 2018. For nonprofits without the appropriate IT infrastructure and security policies, such increased online donations can also mean greater cybercrime risk.
Many nonprofits blame budgetary constraints and insufficient in-house tech support, rather than negligence, for their systems’ vulnerabilities. But such excuses won’t fly if hackers break in and steal your donors’ identities — particularly when you consider that many security tools are cheap and easy to use.
Don’t stick your head in the sand
All organizations and all computers are vulnerable to cyberattacks. But nonprofits and their networks may be more vulnerable than most. Hackers target charities because they’re widely thought to have less-robust payment security and data storage protections in place. Also, nonprofits tend to collect extensive personal information on their donors, and these detailed files can fetch a high price on the Dark Web.
If your systems are weak, chances are that criminals will find a way to exploit those weaknesses. Phishing, spoofing and other email-based scams that trick users into revealing their passwords are perennially popular. Ransomware is also on the rise. In a ransomware attack, hackers access your stored data, encrypt it and then demand a ransom for its release. Even if the ransom demand is relatively low and you agree to pay it, there’s no guarantee that additional demands won’t follow. Nor can you be assured that the data returned to you won’t be damaged or distributed to identity thieves.
Another scheme to look out for: Cybercriminals are increasingly taking advantage of nonprofits’ reliance on automated clearing house (ACH) transactions. These transactions require donors to submit their bank routing numbers. Donors like ACH payments because they’re useful for making automatic, recurring gifts — and hackers like them because they can provide unfettered access to individual bank accounts.
Build a fortress
Even if your nonprofit’s tech budget is limited, you can slash the risk of cyberattack with almost no additional financial outlay. For example:
- Restrict network administration access to only those staff members who need it,
- Ensure that your payment processing system follows industry standards such as TLS (transport layer security) protocols that encrypt data and authenticate transaction parties,
- Update antivirus, antimalware and antispam software as soon as patches become available,
- Require all users to come up with complex passwords and change them frequently, and
- Educate staffers and volunteers about ways criminals might try to gain password access.
As an extra precaution, consider implementing two-factor authentication. This process shields networks with both a regular password and another challenge, such as a temporary password texted to a mobile phone.
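To show what the "another challenge" in a two-factor login actually checks, here is an added example (not code from the article or from Maxwell Locke & Ritter) that verifies a time-based one-time code of the kind an authenticator app generates, following RFC 6238 (TOTP) on top of RFC 4226 (HOTP). It uses the RFC 6238 reference test secret rather than a real donor-system secret, accepts a code from one 30-second step either side of the server clock, and refuses to accept the same code twice, which is the check that makes an intercepted one-time code useless after the fact.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the ASCII string "12345678901234567890" from the
# RFC 6238 test vectors, base32-encoded as an authenticator app would store it.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # length of one time step
DIGITS = 6          # code length shown to the user


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced to DIGITS digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret_b32: str, at_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at_time // STEP_SECONDS)


class SecondFactorVerifier:
    """Server-side check of the one-time code submitted after the password.

    skew_steps: how many 30-second steps of clock drift to tolerate each way.
    last_used_counter: highest time step already consumed, so a code that was
    observed in transit cannot be replayed within its validity window.
    """

    def __init__(self, secret_b32: str, skew_steps: int = 1) -> None:
        self.secret = secret_b32
        self.skew = skew_steps
        self.last_used_counter = -1

    def verify(self, submitted: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for delta in range(-self.skew, self.skew + 1):
            counter = current + delta
            if counter <= self.last_used_counter:
                continue  # this step's code has already been accepted once
            expected = hotp(self.secret, counter)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected, submitted):
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    verifier = SecondFactorVerifier(DEMO_SECRET_B32)
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)        # what the user's app would display
    print("first attempt accepted:", verifier.verify(code, now))
    print("replay accepted:", verifier.verify(code, now))
```

The password check is unchanged; this runs only after it succeeds. Keeping the per-user secret on the server encrypted at rest and recording `last_used_counter` per account are what turn the scheme from a demo into a control.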
Limit data collection
Lax cybersecurity isn’t the only threat to your nonprofit’s donors. The type and amount of data you collect and store could also put them at greater risk of identity theft. In general, collect only what you absolutely need and store what you’re certain you can keep safe and confidential.
The European Union’s recently implemented General Data Protection Regulation (GDPR) provides an excellent set of best practices. These rules are intended to protect the personal data of EU citizens and may not seem to affect your nonprofit directly. However, you could be subject to the GDPR if you receive online donations from Europeans or donations in foreign currencies. Proactively adopting the policies will help reassure donors that you take the security of their personal data seriously — and it could help head off legal trouble.
To make sure your constituents understand your policies, state on your website what data is collected, how it’s processed and how it’s stored. Provide a mechanism for donors to opt out of data collection.
Also remind them that it’s usually not safe to transmit sensitive information while using public Wi-Fi. Finally, provide a telephone number and mailing address should donors decide they’d prefer to give the old-fashioned way.
Conduct a risk assessment now
To gauge your organization’s vulnerability to data loss, visit the Nonprofit Technology Network’s site at https://www.nten.org/article/assessing-risk-protect-valuable-data. Also consider engaging an outside expert to review your nonprofit’s security safeguards and recommend improvements.
When worse comes to worst
You may not want to think about it, but your nonprofit should be prepared in the event cybercriminals breach your network or payment processing system. A good disaster plan outlines procedures for limiting damage, fixing vulnerabilities and communicating with those who might be affected. Specifically name the individuals who will be responsible for carrying out each task.
Time is of the essence if your system is hacked. Most states require you to immediately inform anyone whose personally identifiable information is disclosed in a security breach. Even if you aren’t subject to a mandate, don’t wait. The resulting bad publicity could do more damage to your organization than the original cyberattack. That’s why it’s important to include PR and communications specialists when responding to any incident of this kind.
We are here to help
Maxwell Locke & Ritter has a local team of Certified Public Accountants and Information Security Auditors with extensive experience in IT audit and compliance. Our team of advisors is available to help your organization navigate today’s complex regulatory environment. Please feel free to contact us and see how we can help you.