Nonprofits often an unprotected target for hackers and data breaches

By Laura Haight

Community service is highly valued in the Upstate and we are home to thousands of local nonprofits, churches, educational institutions and local chapters of national organizations.

But community members aren’t the only ones who highly value nonprofits.

Hackers do too.

Nonprofits are often understaffed, utilize volunteers rather than paid professional staff, and don't have the expertise or the infrastructure to implement and maintain best practices for security. Most also labor under the comforting delusion that they fly below the radar of hackers.

But hackers are opportunistic. They hack what they can in pursuit of a stepping stone to something bigger. Hackers embed malware into unprotected and unmonitored websites (as most nonprofits are), gaining a foothold to push a message or to spread malicious code to donors and constituents. Phishing schemes and ransomware often find fertile ground at nonprofits with limited IT support.

Many nonprofits are linked to the healthcare industry. Coincidentally, the 2018 Verizon Data Breach report finds healthcare is the only sector that suffers with a greater risk from inside than out. Nearly 60 percent of all healthcare breaches are the result of staff human error (35 percent) or abuse of access or system authority (24 percent).

The human factor has always been the greatest exposure. All businesses want to believe they can trust their employees. For nonprofits reliance on volunteers and the passion and commitment of staff is both the core strength and the greatest vulnerability. Although NPs often resist trying to rein in volunteers it is important to have written policies and procedures about security and data protection that both staff and volunteers to follow.

Significant technical issues surround protecting data. But what may be less obvious is the many ways in which otherwise careful, well-funded, and technically astute organizations expose sensitive data.

First, ensure that everyone in your organization knows what Personally Identifiable Information (PII) is. It does not have to include passwords and credit card numbers, and can be as mundane as name, address, email and/or phone numbers. A donor database – even with credit card numbers obscured – is still a treasure trove of PII.

Now ask yourself if you always know where your data is? Does a willing volunteer take home a list of donors to handwrite thank you notes? Does a fundraising volunteer make calls from a list of previous donors that’s printed out and then either taken home or left unsecured in the office. Possibly even paid staff members take shadow databases home on a laptop. In 2015, Verizon reported that nearly half of all healthcare breaches were the result of compromised devices. Twenty-two percent of those were laptops stolen from employee vehicles.

In many cases, those thefts were probably not targeting PII. Most likely thieves saw a laptop in a car and grabbed it with no regard or interest about what was on the hard drive. But that doesn’t matter.

While that might not qualify as an attack, it is a data breach. And legally in all but three states, organizations are required to report the breach to both law enforcement and to the individuals whose data was exposed.

What’s the hit? According to a survey conducted by IBM and the Ponemon Institute, the cost of a data breach last year was $148 per compromised record. A lost laptop with a 1,000-record database would carry a potential cost of $148,000.

That is a big ticket for any business, but particularly crushing for a small nonprofit. And the reputational damage can be even worse. Donors have many places they can give and, while anyone can be hacked or victimized, the perception that a hacked or defrauded nonprofit wasn't diligent enough can turn their heads.

For that very reason the depth of nonprofit hacks and frauds may never be fully known. They are often kept as quiet as possible so as not to engender bad press, or raise doubts among its donors and major supporters.

What we do know is that hackers are egalitarian: Nonprofits are no safer than any other business. And, in many ways, far more exposed.