The unique risk to nonprofits of a targeted cyber attack


For a charitable organization, warding off cyber attacks can mean the difference between being able to continue providing services and shutting its doors.

Although cyber attacks are becoming more of a certainty than a possibility, there are still numerous companies and organizations that are not purchasing cyber insurance. In addition, many are not taking proactive measures to protect data such as updating software programs and installing security updates in a timely manner.

Any person or organization with a computer is subject to a cyber attack. Unfortunately, most attackers don’t seem to have a conscience when it comes to an attack target. An attack can result in devastating financial loss to even the largest of companies; however, to a charitable organization it can mean the difference between being able to continue providing services and shutting its doors.

Nonprofit and charity organizations are particularly vulnerable to attack. They often operate with bare-bones hardware and software, and they have minimal staff to operate on a day-to-day basis. The chances of an attack are just as high for a nonprofit organization as they are for any other company, but nonprofits are generally unprepared to handle cyber threats.

Related: 5 ways to talk to midsize businesses about cyber liability

Sensitive data on clients and donors

Nonprofit organizations handle such sensitive data as emails and records on clients and donors, staff information, phone numbers and addresses, credit card data, and possibly other financial data. In February 2016, the Urban Institute’s National Center for Charitable Statistics was the victim of a malicious attack that compromised 600–700 organizations. Later that year, a survey of 470 nonprofit executives conducted by U.S. accounting firm CohnReznik, revealed that while 57% of respondents counted cyber security among their top 10 concerns, only 29% said that their organizations were planning to increase spending for cyber security, and a mere 11% reported that their organization had either a risk committee or an IT committee.

Even though nonprofits see cyber security as a concern, they don’t put a price on not being able to operate. Their IT budget is often spent on areas such as communications, which are considered a key to fundraising, rather than cyber security.

Few nonprofit organizations purchase cyber insurance. However, the costs of a breach are both human and financial, because without the ability to provide services the nonprofit can’t fulfill its mission to its clients, and the costs to pay a ransom or recover systems, data, and donors following a breach could lead to a cessation of these services. There also are hidden costs of a breach, including such items as forensic investigations, payment of lawyers to handle notifications, and reputational and trust issues. The total costs of a cyber attack go well beyond the amount a hacker requests as a ransom.

Related: Top cyber risks businesses should prepare for in 2018

In addition to the purchase of cyber coverage, here are eight tips you can share with clients for how a small business or nonprofit can respond to cyber security threats:

1. Prioritize Data Security

Make data security a priority for the entire organization. The more costly a breach could be to continuing services, the greater the need to prioritize data security.

2. Upgrade Computers

If computers are using Windows XP or earlier versions, these computers are running outdated software and are more vulnerable to hackers and cyber-attacks.

3. Train Employees on Cyber Threats

Train employees on how to spot malicious or suspicious emails, to not open links in emails, and to use pop-up blockers on websites. The organization should develop strict policies on the use of the internet, installing new programs and downloading documents, and prevent the use of personal computers and cell phones for organization work.

4. Inform Volunteers of Potential Threats

For anyone having access to the organization’s computer systems, they should receive the same training and adhere to the same policies as employees.

Related: If cybersecurity is ‘broken,’ could Coalition be the fix?

5. Password Management

Provide training on creating strong passwords, such as using long phrases and mixing in numbers, letters, and symbols; or use a password manager app.

6. Update Software or Technology

Understand that the organization’s data is only secure to the extent it is protected by the organization itself and its connected third parties. Handle donor information and financial data using reputable, dependable technology systems to secure data. Consider using third-party services that are especially designed for nonprofits, such as Network for Good or Razoo.

7. Secure Cloud Data

When storing data in cloud-based services and storage applications ensure that the data is secure and encrypted, such as restricting the data to authorized users only and encrypting data before entering it into the cloud. In the encryption process, data is turned into ciphertext, which is nearly impossible to figure out without decryption.

8. Keep Informed

With privacy of vital importance in nonprofit organizations, it is imperative that the organization be informed when there are changes in privacy policies and evaluate the way these changes will affect the organization’s data security.

Related: 6 ways cybersecurity changed in 2017

Karen L. Sorrell, CPCU, is an editor with FC&S Online, the recognized authority on insurance coverage interpretation and analysis for the P&C industry. It’s the resource agents, brokers, risk managers, underwriters, and adjusters rely on to research commercial and personal lines coverage issues. She can be reached at ksorrell@alm.com.