What can you do to protect yourself against cyber criminals if you're a nonprofit?

Do you think nonprofits are likely targets for cybercrime? Many nonprofits consider themselves unlikely targets, but this couldn't be further from the truth. The reality is that your organization is full of data and often has fewer resources and less cyber expertise to put protections in place. In short, you may be the perfect target for these criminals. Ignoring or underestimating cyber threats could lead to an attack that cripples your ability to pursue your mission. The average cost of a data breach in the U.S. is $7.91 million, according to Forbes and Statista. For many nonprofits, even a fraction of those costs could make it impossible to keep the lights on. Assessing your cyber risk is literally mission critical, and it goes far beyond a compliance audit. So, what can you do, especially with limited resources? Below are some steps you can consider that will help you identify areas of cyber risk within your organization so you can focus your efforts on the higher-risk areas.

Assess your risk

Take a look at the functions of your nonprofit that contain the most valuable assets. Keep in mind that this doesn't just include sensitive donor or organizational data. Consider your operations and where disruption would be damaging. For instance, not all hackers are financially motivated; some may be politically opposed to your mission. Once you've laid out all areas of risk - from financial to operational and reputational - you can begin to tackle them one by one based on your organizational goals.

Perform some testing

Do you know where your network infrastructure and information systems are exposed? To safeguard your cyber systems, you have to find the hacker's way in. If a hacker can locate a single means of entry or bypass security features, your entire system is vulnerable. Simulate attacks against your network to discover unknown weaknesses, both internally and externally.

See where you may be vulnerable

The level of physical security needed for systems, access to buildings and secure areas, and protection for your employees will vary depending on the type of nonprofit organization. Physical vulnerabilities that hackers can leverage may be less obvious at a nonprofit. You need to be strategic about security guard placement, entrance surveillance and physical access to office space and sensitive areas. A comprehensive vulnerability scan is critical: it lets you zoom out to view the full layout of your organization's physical infrastructure and test each potential access point and weakness. Then you can pinpoint the right fix.

Perform an email system cyber-attack assessment

Some of the most notable cyberattacks in recent history were launched via malicious email. Given the dramatic growth of cyberattacks that take place through email, an in-depth, advanced diagnostic assessment of an organization's email system is essential. These separate tests can detect complex, persistent malware that may otherwise go undetected.

Implement security training

Have you ever received a frantic email from your boss or a board member asking you to take action immediately? Now imagine a hacker is actually behind that email, posing as one of these individuals. Spear-phishing attacks are highly targeted attempts to obtain sensitive information, and they have proven effective. It's vital to assess the level of cyber awareness of your organization's employees at all levels to reduce human vulnerabilities. Consider implementing training sessions to make sure your employees understand what to look out for so they can recognize these attacks. Beyond email, these sessions can also shed light on other ways hackers try to get at your sensitive information. These hackers are becoming more and more creative, so be sure to keep your employees aware through regular security training.

Consider your vendors' access to your information

Even if your organization's systems are protected, all of your outside vendors - from maintenance vendors and catering services to corporate partners and software providers - are also access points. Third-party relationships should be viewed as an extension of your organization and held to the same standards you hold internally. Make sure each vendor has the appropriate level of access to your data, and examine their data privacy policies and compliance practices.

Reassess on a regular basis

Cyber risks change and mature as quickly as technology does. To maintain secure systems, it's critical that you continually assess your cybersecurity controls and conduct these tests on an annual basis - and this is not a project strictly for the IT function. Protecting your nonprofit from catastrophe is a shared responsibility. It depends on proper communication of cybersecurity strategies and plans, and on an in-depth understanding by the board, management and any organizational leaders charged with oversight. Thorough cyber systems testing is a substantial undertaking, and many nonprofits don't have the internal resources to go it alone. Hopefully, these steps will help focus the resources you do have on the higher-risk areas to keep the cyber criminals at bay.

Michelle M. Cain, a Certified Public Accountant, is a Partner with Mengel, Metzger, Barr & Co. LLP. She may be reached at Mcain@mmb-co.com.

Published: Fri, Feb 21, 2020