Think Twice: Nonprofits can be a high-value target for hackers


Laura Height

Community service is highly valued in the Upstate and we are home to thousands of local nonprofits, churches, educational institutions and local chapters of national organizations. But few of us are probably concerned with whether or not our favorite nonprofit might be victimized by a hacker. Two factors, however, should make us think twice.

First, when the National Center for Charitable Statistics was breached in February 2015, hackers got a treasure trove of information about more than 700,000 U.S. nonprofits from the exposed 990 database.

Second, in a 2015 survey of U.S. CFOs by Duke University, more than 80 percent of companies reported that they had been hacked.

But the truth is nonprofits have been a highly ranked target of opportunity for hackers all along. Why?


  • Nonprofits are often understaffed, utilize volunteers rather than paid professional staff and don’t have the expertise or the infrastructure to implement and maintain best practices for security.


  • Most nonprofits use a reputable online payment system to protect credit card information. But sensitive information that is of interest to hackers goes well beyond a credit card number: User names, email addresses, physical addresses and, potentially, passwords can all be put to use.


  • Copies of databases removed from centrally managed systems by well-meaning employees or volunteers are prevalent in nonprofits. Those shadow databases are often targeted through phishing efforts and frequently account for costly breaches and exposed data.


  • Finally, because they can. Sean Parker, co-founder of Napster and founding president of Facebook, says, “This is core to the hacker mentality: We hack systems that can be hacked and leave the rest.” Hackers embed malware into websites, gaining a foothold to push a message or to spread malicious code to your donors and constituents. Phishing schemes and ransomware often find fertile ground at nonprofits with limited IT support.



How can nonprofits protect themselves? 

Lock out / lock down external devices. In the vast majority of cases, staff or volunteers are not trying to damage the organization by exposing sensitive information. But plugging in a USB drive, transferring information to external hard drives or exporting information out of a more secure cloud-based system onto a local hard drive or laptop are all costly behaviors. According to the Verizon 2015 Data Breach Investigations Report, 45 percent of all the health care breaches were the result of stolen or compromised devices; 22 percent of those were laptops stolen from employee vehicles.

In many theft cases, the nonprofit was probably not being targeted. They were just easy. The likely scenario is that thugs saw the laptop as a target of opportunity. Once they had it, they realized they had a valuable commodity to sell. And whether the data was sold or not doesn’t change the way the nonprofit must — both legally and ethically — respond: Notify those whose records were exposed, potentially offer compensation such as fraud monitoring and take the hit. Programmatically restricting the use of external devices closes a big security hole.

Encryption, clouds and codes. Many small nonprofits have little IT support or lack the ability to effectively manage outside IT contractors. You don’t know what you don’t know. Even if you use a cloud-based storage service like Dropbox, Google for Work or Office 365, you still need to encrypt your local computer drives to protect downloaded documents and data.
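As an added example that is not part of the original column, here is a PowerShell script a nonprofit's IT volunteer could run on a Windows PC to check and apply the two controls described above: deny access to removable storage through the standard Group Policy registry setting, and confirm the system drive is BitLocker-encrypted. It assumes Windows 8/10 or newer with the BitLocker feature installed and an elevated (Administrator) session.

```powershell
# Added example (not from the article): audit and apply two controls the
# column recommends on a Windows workstation. Run from an elevated prompt.
# The registry path/value below is the real "All Removable Storage classes:
# Deny all access" Group Policy setting; the BitLocker cmdlets need the
# BitLocker feature (Windows 8 / Server 2012 or later).

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Test-RemovableStorageDenied {
    # Deny_All = 1 blocks read/write/execute on every removable storage class.
    $v = Get-ItemProperty -Path $policyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.Deny_All -eq 1)
}

function Set-RemovableStorageDenied {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'Deny_All' -Value 1 -PropertyType DWord -Force | Out-Null
    gpupdate /force | Out-Null   # apply the policy now rather than at next refresh
}

function Get-OsDriveEncryptionStatus {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        Drive            = $os.MountPoint
        ProtectionStatus = $os.ProtectionStatus      # On / Off
        Percent          = $os.EncryptionPercentage
        Method           = $os.EncryptionMethod
    }
}

# --- audit and remediate ---
if (Test-RemovableStorageDenied) { 'Removable storage: denied by policy' }
else {
    'Removable storage: ALLOWED - applying Deny_All policy'
    Set-RemovableStorageDenied
}

$enc = Get-OsDriveEncryptionStatus
if ($enc.ProtectionStatus -ne 'On') {
    "$($enc.Drive) is not protected by BitLocker - enabling (TPM protector, used space only)"
    # Add a recovery password first and store it somewhere the office controls
    # (e.g. Active Directory / Azure AD), or a lost TPM means lost data.
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -TpmProtector -SkipHardwareTest
} else { "$($enc.Drive) encrypted ($($enc.Method), $($enc.Percent)%)" }
```

For a fleet of machines the same Deny_All setting and BitLocker requirement belong in a domain Group Policy object rather than a per-machine script; the script is useful for checking a single donated or volunteer laptop.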

Understand the human factor. A reliance on volunteers, and often the passion and commitment of staff, is both the core strength and the greatest vulnerability for nonprofits. And employees certainly would not knowingly do anything to damage the organization. So it is important to have written policies and procedures for both staff and volunteers to follow. Included in those should be a policy ensuring no organizational information is maintained outside of primary systems and the office location; a rule limiting remote use of mobile devices and home computers to secure networks; and an email policy that prohibits sending and receiving sensitive documents. Nonprofits need to take these additional steps to protect organizational data, and to guard against the loss of reputation, as well as the expense, if it is exposed.

Taking the Hit

The hit from a cyberattack is twofold: An organization can be shut down for days, a website for weeks. That costs the organization donations that are often made online. Record loss in 2014 carried an average price tag of $145 per compromised record. A lost laptop with a 30,000-record database on it could carry a price tag of $50,750 on average.

That is a big ticket for any business, but particularly crushing for a small nonprofit. And the reputational damage can be even worse. Donors have many places they can give, and while anyone can be hacked or victimized, the perception that a hacked or defrauded nonprofit wasn’t diligent enough can turn their heads.

For that very reason the depth of nonprofit hacks and frauds may never be fully known. They are often kept as quiet as possible so as not to engender bad press or raise doubts among their donors and major supporters. Hackers are egalitarian: Nonprofits are no safer than any other business.
