With so much on their plates, it’s not surprising that cybersecurity isn’t at the top of some nonprofits’ to-do lists.

But cyber risks are real and can prove costly in terms of both finances and reputation. Fortunately, you can take some proactive steps to reduce your risks without breaking the bank.

Why your nonprofit is vulnerable

Cybersecurity isn’t just for the Targets, Home Depots or Citibanks of the world. Nonprofits are increasingly threatened by data breaches, partly because they generally have less sophisticated protections and fewer resources to fight the danger than larger or for-profit organizations. Client records, donor information and credit card data all could be targeted for theft.

Cybercriminals might access information by attacking your organization’s servers, of course, but that’s not the only risk. Many not-for-profits outsource services such as bookkeeping, payroll and donation processing to third parties. Your information could be vulnerable if these providers have inadequate data security. And it’s not only cyber attacks that you should worry about. Data also can be exposed if, for example, an employee loses a laptop, smartphone or flash drive containing sensitive information.

The potential costs are high, according to NetDiligence, a cyber risk assessment and data breach services company. Its 2016 Cyber Claims Study, which examined 176 cyber liability insurance claims, found that “Non-Profit” was the fourth most affected sector with 19 claims, more than both “Financial Services” (18 claims) and “Retail” (17). The mean cost of a nonprofit claim was $208,015.

What you can do about it

To keep a lid on cyber risks, you should consider:

• Prioritizing cybersecurity. When data breaches or hacks hit the headlines, they usually involve familiar for-profit companies, so your employees might not worry too much about your not-for-profit’s security. To counter this mindset, management must prioritize cybersecurity and clearly communicate its importance, both internally and externally. A not-for-profit that takes its security seriously is less likely to be targeted.
• Conducting appropriate training. Demonstrate the importance of cybersecurity by training your employees extensively on their roles in preventing it. Your employees — as well as volunteers and board members who use your computers — need to know about the risks they may encounter: for example, phishing emails with malicious links. They also should be aware of the policies and procedures you’ve created to address those risks.
• Familiarizing yourself with the law. Federal and state rules and regulations may impose certain cybersecurity obligations on your organization. Hospitals, for example, must comply with the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules and the HITECH Act. Almost every state has a law requiring organizations to notify affected individuals of data breaches involving personally identifiable information. And the Federal Trade Commission’s disposal rule requires proper disposal of information in consumer reports and records to prevent unauthorized access to the information.
• Performing a risk assessment. A team composed of representatives from across the organization should assess its cyber risks so you can implement appropriate internal controls. A risk assessment typically begins by taking an inventory of systems and data and ranking them by importance and sensitivity. The team can then devise measures to mitigate the various risks, deploying the available resources according to the level of risk. The team also could develop incident response plans so the organization can move quickly in the event of a breach.
• Upgrading your computers. It’s not unusual for nonprofits to have older computers or software, which are much more vulnerable. The risk is even greater when the manufacturer no longer provides technical support or security updates, as with Microsoft’s Windows XP. The costs of a breach down the road could far outweigh the upfront costs of new hardware and software.

Stay on top of things

Technological advances are coming at us fast and furious, and cyber risks are evolving at a similar pace. You can’t afford to ignore technology that might help you accomplish your mission. But you also should take steps to address the associated risks and protect your organization and its stakeholders.

For more information, please contact MCM Principal Theresa Batliner, CPA via e-mail or phone (502.882.4457).