How to Right-Size Cybersecurity to Fit the Small Nonprofit
Organizations rely on technology to communicate, manage their work, make accurate and timely decisions, assist customers, and stay informed wherever they go. But along with this comes a mounting risk of data breach. Particularly susceptible are small nonprofit organizations with fewer technical safeguards, outdated security protocols, and modest IT budgets.
Understand your risk.
Cyber threats have become increasingly sophisticated. Compounding this is a recent surge in remote work, Bring Your Own Device (BYOD) flexibility, and online transaction processing, all of which combine to create a broadened threat landscape. Organizations that store electronic patient data, personally identifiable information, and banking and credit card records stand to face even greater upheaval should they fall prey to ransomware, viruses, social engineering attacks, or a third-party or employee data breach. The smaller an organization is, the greater the impact, because it has fewer resources with which to recover.
Let’s consider the risk.
Financial and Reputation Loss. Small nonprofit organizations store sensitive information about donors, clients, and employees, and cybercriminals are intent on stealing that data to conduct phishing scams, launch extortion or ransomware attacks, and open credit accounts. Should confidential data be compromised, it could damage your ability to fundraise. It could also trigger costly litigation.
Insurance Terms. Insurance companies often require that baseline security standards be in place to uphold cybersecurity coverage. Yet many nonprofit organizations lack the in-house expertise needed to properly evaluate policy language and terms. This could result in a coverage lapse should a breach occur. There are cases where an organization believed it was covered, but the claim was denied because the policy required adequate IT controls that the organization had not put in place.
Regulatory Compliance. Some small nonprofit organizations are subject to cybersecurity laws and regulations such as HIPAA and the Payment Card Industry Data Security Standard (PCI DSS). Failure to comply with those could result in costly fines and litigation.
Constituent Trust. When constituent data is compromised or when essential services are lost, this can cause permanent damage to that relationship.
Take preventive measures.
Even the smallest investment in time, training, and vigilance can make a big impact in bolstering your cybersecurity profile.
AAFCPAs advises small nonprofit clients to start by conducting an IT general controls assessment to pinpoint areas of risk along with opportunities for improvement. In doing so, consider the types of data exposures you face, including threats specific to your industry, such as those related to fundraising platforms or volunteer workforces.
We recommend organizations designate one individual within the organization to act as security manager, responsible for planning, software upgrades, backups, patching, and incident response. Then document procedures, plans, and policies to clearly define acceptable use and response protocols. Consider remote work and BYOD exposures when drafting policies. Define authentication and access control, including how and when access will be revoked once it is no longer needed. Should access and privileges be limited to a need-to-know basis? What are the password protocols? How is sensitive data handled? What is mandated from a compliance standpoint? Then revisit, assess, and revise these documents, disseminate them, and train all employees and volunteers to ensure ongoing awareness.
Constituent trust is critical. If resource enhancements are needed, AAFCPAs provides a right-sized approach to security. We help small nonprofit organizations under heightened risk conduct IT security assessments to better understand their strengths and vulnerabilities.
If you have questions, please contact James Jumes, MBA, M.Ed., Partner, Business Process & IT Consulting at 774.512.4062 or firstname.lastname@example.org—or your AAFCPAs Partner.