An information security overview.
Written for nonprofit executives and their Boards.
-
A cybersecurity disruption can significantly impact a nonprofit financially. The costs of recovery, lost productivity, and reputation damage can threaten the organization's viability.
The disruption can also impair the nonprofit's ability to serve its constituents. With systems down and operations disrupted, the organization may struggle to meet client needs, eroding trust.
Constituent confidence may be damaged as they lose faith in the organization. When the nonprofit cannot serve its constituents, the impact on its mission can be severe.
Staff may feel that their trust in the organization has been compromised.
The incident can undermine relationships with key stakeholders. Donors may question leadership, vendors may worry about stability, and funders may reconsider support. These strained relationships can impact the organization's foundations.
-
According to the FBI and other studies, the frequency and cost of cybercrime are growing rapidly.
Smaller businesses and nonprofits are the victims in 60 - 70% of cybercrime.
The consequences of cybercrime can be devastating for smaller organizations.
Smaller businesses lose 20% of their revenue in the six months following a breach because of reputational damage.
60% of companies suffering a second breach go out of business.
A cybercrime can be fatal to a smaller nonprofit. Even when not fatal, cybercrime can significantly disrupt your ability to meet your mission and serve your community.
This is not an attempt to frighten you but an attempt to alert you to the reality of our times.
-
Immediate Losses.
Direct loss of revenue.
Inability to serve constituents
Harm to others
Longer-term Implications.
Inability to achieve mission goals.
Falloff in donations
Grants become less likely
Staff depression.
Fines and penalties.
Higher insurance costs.
-
Ransomware
Cybercriminals break into your computers and information systems and encrypt your files.
You lose access to your information and cannot work.
Cybercriminals demand that you pay them for the key to regain access to your information.
If you have good backups, you may be able to get your information back. But the cybercriminals are experts at finding backups that are connected to your network and rendering them unusable. Backups that are kept offline, or that cannot be altered once written, are far more likely to survive.
Even when you pay them, you often do not get your information back.
Ransomware & Extortion
Like ransomware, but the cybercriminals also copy your information before encrypting it.
They then threaten to release the information publicly unless you pay them.
When this happened to a therapist, the cybercriminals also went after the therapist's patients.
Business email compromise
Accounts Payable receives a fraudulent invoice from a vendor after the vendor's email has been hacked.
Your Administrative Assistant receives a fraudulent email from you requesting that he wire $50,000.
Espionage, Theft of Intellectual Property.
-
Here are six common "attack vectors":
Phishing attacks. (email, text, other)
Social engineering attacks. (Employees are misled by cybercriminals. This problem is worsened by Deepfakes and other AI applications.)
Network attacks. (Cybercriminals exploit vulnerabilities in your IT network. These are often misconfigurations, missing security updates, or other inadequate IT maintenance.)
Supply chain attacks. (Cybercriminals attack your IT service provider, or the software and online services you depend on, to reach you.)
Insider threats. (These can be purposeful attacks from rogue employees. They can also be the result of a cybercriminal taking control of a staff member's computer or account.)
Drive-by compromise. (A computer gets infected by clicking on an ad that the cybercriminals have booby-trapped, or by visiting a rogue or compromised website.)
-
You may have security and privacy responsibilities. Talk to a cyber-attorney to understand these.
If you need a referral, please reach out to us.
Examples
If you collect Personally Identifiable Information, there are numerous privacy laws to which you may be subject. These include HIPAA (if you handle protected health information) and state Breach Disclosure Laws (which require you to notify affected individuals, and often regulators, when their personal information is exposed).
If you offer services to children you may be subject to the Children's Online Privacy Protection Act (COPPA).
Once you know the laws and regulations to which you are subject, you can integrate these into your Information Security Management Program. (see below).
-
A cyber crime or other incident is no longer a matter of "if" but of "when."
The more prepared you are the less disruption there is, the quicker you get back to "business as usual" and the less costly it will be.
To prepare for a disruption, you need to be able to detect possible incursions and analyze them to see whether they are security incidents that put you at risk.
This requires planning and preparation. You don't want to be caught flat-footed in the middle of a breach.
Know who's in charge and who's on your team.
Document how your network is set up, where your information is stored, who your vendors are, and how you can reach them in an emergency. Know the people you need to contact if there's a breach, and keep that contact list somewhere you can reach it even if your systems are down.
If you have an IT service provider, make sure your plans fit together so that things don't slip through the cracks.
Part of preparation includes protecting your information from attack. This includes making sure IT is doing its job to secure the network and training your people to do their job.
The more thorough your planning and preparation, the less often your nonprofit will be disrupted by a cyber-event and the more quickly you will recover from a disruption.
Part of planning and preparing for the next disruption is asking yourself, after each incident, "How do we do better next time?"
-
Your IT service provider may be managing much of your IT security needs.
We rarely if ever see an IT service provider managing an entire program, including, e.g., staff awareness training.
Given the importance of your information and your IT network to your organization, it's prudent for you to verify that your IT service provider is doing the right things, rather than assume it.
Regardless of how much of your program they are managing, you still have legal responsibility for your Program. Outsourcing the work does not outsource the accountability.
-
Central to your Information Security Management Program is the question of "what's reasonable?"
It's clearly not reasonable to spend $10,000 to protect something worth only $1,000.
Nor is it reasonable to spend $10,000 to protect something worth $100,000 if the likelihood of loss is 5%: the expected loss is only $5,000.
But it's absolutely reasonable to spend $10,000 to protect something worth $100,000 if the likelihood of loss is 50%: the expected loss is $50,000.
There is an evolving body of law defining what security controls are reasonable when protecting the information of third parties.
Some of this evolving law is prescriptive: if you don't do this, then you are not reasonable.
Some of it is incentivizing: if you do this, then you are presumed (prima facie) reasonable.
At the 2024 RSA Conference, the Center for Internet Security released “A Guide to Defining Reasonable Cybersecurity.”
The Guide includes a review of current state "safe harbor" laws that give businesses following the CIS, NIST, and other recognized frameworks an affirmative defense should they be sued following a security incident. These are, in effect, "get out of jail free cards" for organizations that can show they were following a recognized framework.
SecureTheVillage understands this and makes it a key element of our program.
Since 2019, we have had an annual seminar on reasonableness every October.
-
Join LA Cybersecure ™, SecureTheVillage's unique learn-by-doing, team-based information security program that meets the special circumstances of smaller nonprofits.
-
Congratulations ... And thank you for helping keep cybercrime at bay.
Please consider joining our Cyber Resilience Program.
The Program is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0.
Included are regular educational sessions on cyber-law and cyber-insurance.
Keep your program up-to-date.