Not-for-profits are taking a proactive approach to address cybersecurity

2 years ago · 2 min read

These days, it seems as though news outlets are reporting daily about new cyberattacks on individuals, businesses, the government and others, and unfortunately there does not appear to be an end in sight. A report from Ponemon Institute forecasts an 82% net increase in cybercrime over the next six years.

All businesses, including not-for-profits (NFPs), need to proactively address the threat of cyberattack. The issue spans all sectors of our economy and touches every industry.

The stakes are especially high in NFPs. Aside from the financial impact, the risk a security breach poses to an organization’s name and reputation can be devastating. If donors and constituents lose confidence and trust in the organization, the NFP’s ability to raise funds and fulfill its mission may be in jeopardy.

Recently, the higher education community sounded the alarm bells after one nationally ranked educational institution announced it experienced not one, but two data breaches resulting from advanced malware. Nearly 18,000 usernames and passwords, as far back as September 2012, were compromised. According to the Identity Theft Resource Center (ITRC), data breaches in educational institutions make up 7.3 percent of all data breaches. These organizations are prime targets, as they not only store thousands of financial and personal records on their students, faculty and employees, but also may maintain valuable scientific and medical research and studies. In the past, many colleges and universities might not have been strongly focused on their data security, but now the risk is too severe to be ignored.

With the proliferation of cybercrimes in recent years, smart organizations are taking a proactive approach in response to these risks. One of the biggest issues is mobility. Smartphones and other mobile devices are easy targets for hackers.

All NFPs should consider updating their policies and processes for managing information security. When doing so, they need to consider the entire IT environment, including data that does not reside within the organization (as is the case in mobile and cloud-based systems), by taking a full infrastructure inventory and reviewing regulatory requirements (for example, Payment Card Industry [PCI], HIPAA, and so on). NFPs should also assess the adequacy of their insurance policies to cover theft, electronic data loss and interruption of operations.

The financial and reputational costs of dealing with loss of data can be quite high. Should an incident occur, NFPs caught without these policies and procedures may waste valuable time trying to determine what happened and the appropriate response needed. Before this happens, NFPs should perform a risk assessment of their organization and implement the necessary steps to address those risks.

Additional Resources

IT controls for not-for-profit entities
This is a list of common controls that are typically considered as part of an NFP's overall IT risk management strategy.

Sample IT security policy
This downloadable tool contains sample elements that can be used by small and mid-sized NFPs in the creation of an IT Security Policy.

Discounted pricing for managed technology services
Learn about how members of the AICPA's Not-for-Profit Section can get an exclusive discount on managed technology services, including IT strategy and business technology support services.
