By Rachel Sams
When a cybersecurity breach hits your organization, it’s too late to build optimal defenses. Your best opportunity to protect your nonprofit’s data exists now.
It’s tough for any nonprofit to prepare for a crisis that hasn’t happened yet. Staffs and budgets are stretched thin everywhere. But with a reasonable amount of time and effort, you can strengthen your nonprofit’s ability to deal with a breach if it happens.
That’s time well spent: Microsoft’s 2021 Digital Defense Report found that non-government organizations and think tanks were the second-most-targeted sectors by cybercriminals. And the average organizational data breach in 2021 cost $4.24 million, according to IBM.
Matthew Eshleman, Chief Technology Officer at Community IT, which provides tech support to nonprofits, urges organizations to create policies that define requirements around passwords, mobile devices, multifactor authentication and more. Nonprofits should also ask their IT providers how they manage user access to systems; providers should have a set of security practices they can share with clients. And nonprofits should make a written outline of who would respond in a breach and how.
“Be able to articulate that beforehand so organizations aren’t trying to build all of that on the fly whenever something happens,” Eshleman said. “It’s always a good idea to document that and make sure that your incident response plan is available in an offline place in case your systems are impacted.”
October is National Cybersecurity Awareness Month. Below are some tips to build resilience in advance of a cybersecurity incident. If your organization begins work on these items in October, you could have at least a rough plan to handle a breach by year’s end—and wouldn’t that help you sleep better at night?
Build a contact list now of everyone you would call in a breach, and keep a copy where you can reach it if your systems are down. Cyber insurance providers often have “breach coaches” who can lead the insurance response for nonprofits, Eshleman said. Put your legal counsel on the list, along with any cybersecurity law or digital forensics experts your counsel recommends. Your list might also include your information technology and security vendors, operations, human resources, communications, and management.
Identify what sensitive data your nonprofit collects and where it is stored. Train multiple people on your staff on how to take affected equipment offline right away in a breach. “Offline” means disconnecting the machine from the network (unplugging the network cable or disabling Wi-Fi), not powering it down: create written protocols that tell staff not to turn off machines until forensic experts arrive, because shutting down destroys evidence held in memory, and not to delete or destroy anything that could serve as evidence of the breach. You’ll also need to change the credentials and passwords of authorized system users, and document each step you take to preserve evidence for the forensic investigation.
If personal information gets posted on your website in a breach, remove it immediately. Then contact the major search engines to ask them to remove any cached copies of the exposed pages so the personal information is not preserved in search results. Some commercial services can automate part of this discovery and removal. You’ll also need to search for your organization’s exposed data to confirm that other websites haven’t saved or republished it; if they have, ask the site operator to remove it. If the disclosed information includes usernames and passwords for your systems, reset the passwords of the affected accounts on those systems and sign out any active sessions for them.
Determine your legal notification requirements. Every state has laws that require notification of security breaches that involve personal information. Other laws may apply as well. Outline a communications plan to inform those who will need to know about a breach: law enforcement, regulators, employees, service recipients, donors, vendors, and other close contacts of your nonprofit. Make sure your team knows not to say anything misleading about the breach or publicly share details that could put people’s personal information at further risk.
Let your team know that you’ll need to wait for forensic experts to give you the OK before you bring affected systems back online. Take any additional steps the experts advise to ensure systems are secure against future attacks.
Of course, we hope your organization doesn’t need to deploy any of these measures. But with the prevalence of cyberbreaches, at some point it probably will. Prepare now, and that day will be less unpleasant. In the meantime, you’ll know that your organization has prepared for a cyberbreach as best it could. Make sure you let your staff know what steps you’ve taken, too. It will help build their confidence in your organization.
This article is the second in a series. Check out our previous Risk eNews on basic cyberhygiene for nonprofits.
Rachel Sams is a Consultant and Staff Writer at the Nonprofit Risk Management Center. She’d love to know how your organization prepares for cyberbreaches. Reach her at 703.777.3504 or rachel@nonprofitrisk.org.