Protecting Your Nonprofit from Data Breaches

December 13, 2022 HoganTaylor

By now, all organizations — for-profit and nonprofit — know about the risk of cyber attacks. Why then, would any nonprofit fail to secure its network and digital assets? One reason is cost. Cybersecurity can be expensive. Yet according to IBM’s “2022 Cost of a Data Breach Report,” a data breach in the United States leads to an average $9.44 million loss. Obviously, the average is skewed by cyberattacks on large companies. But it’s possible for nonprofits to lose more than they can afford.

Phishing evolves

Most attacks are made via phishing schemes, where cyber criminals use email to dupe victims into providing personal information, including login credentials. Phishing emails generally include links or attachments that, when clicked, infect computers with malware that enables fraudsters to access your systems.

Increasingly, cyber criminals are using phishing emails to perpetrate ransomware attacks. They gain control of an organization’s network and data and lock legitimate users out. They then hold the data hostage until the victim organization pays a ransom. The criminals might leak some confidential information to the public or on the “dark web” to show they’re serious and to encourage quick payment. Ransomware perpetrators usually release the data after they receive a ransom — but not always.

Acting proactively

Criminals have hacked everything from government agencies to hospitals to large charities, so it’s critical that all nonprofits act defensively and provide training to staffers. Training should cover various phishing schemes and include testing so employees can see how easy it is to fall for scams. Other ways to contain potential cyber threats are:

Look for emails flying red flags. Everyone in your organization should look out for suspicious emails, including messages with a sense of urgency, such as a subject line that says, “Respond ASAP.” Phishing subject lines might also include references to upcoming meeting agendas, payroll questions and password verification. They may appear to come from HR, tech support or your executive director.

Phishing messages frequently are peppered with bad grammar and misspelled words. They may use numbers and special characters that look like letters to dodge anti-phishing software and include URLs that are close, but not identical, to the addresses of legitimate sites.

Use password managers. Your organization should consider using password managers. A surprising number of employees still use easily hacked passwords such as 1234 and PASSWORD. Password managers generate complex passwords and store them for users. At the very least, require employees to come up with difficult passwords and change them frequently. For greater security, implement two-factor authentication. This requires users to log in normally and then confirm their identity via text or phone.

Stay current. Implement hardware and software updates on a timely basis and stop using programs that are no longer updated and supported by their makers.

No excuse

There are plenty of affordable (if not free) cybersecurity tools available to nonprofits. So there’s no excuse for you to simply hope your organization won’t be hacked. Contact us for more information about protecting your assets.

How HoganTaylor Can Help

The HoganTaylor Nonprofit team of business advisors and CPAs is comprised of former CFOs, controllers, and industry experts with extensive experience providing the guidance organizations need to lean forward again in their leadership. If you have any questions about this content, or if you would like more information about HoganTaylor’s Nonprofit practice, please contact Jack Murray, CPA, Nonprofit Practice Lead.

Talk To An Expert

INFORMATIONAL PURPOSE ONLY. This content is for informational purposes only. This content does not constitute professional advice and should not be relied upon by you or any third party, including to operate or promote your business, secure financing or capital in any form, obtain any regulatory or governmental approvals, or otherwise be used in connection with procuring services or other benefits from any entity. Before making any decision or taking any action, you should consult with professional advisors.

Share This: