By Ron E. Brooks, III, MBA, Business Assurance & Advisory Services Senior Associate | Not-for-Profit Industry Team
When cyber security and data breaches occur, individuals immediately assume government, financial or large business entities were affected. However, breaches in not-for-profit entities are becoming increasingly common. Recently, during February 2015, the Washington D.C. think tank, Urban Institute, was attacked and hundreds of thousands of email addresses, passwords, IP addresses and other data for not-for-profit organizations was accessed. Why are not-for-profits targeted? The answer has two components. Not-for-profits handle considerable amounts of susceptible information including donor demographic data, credit card numbers, program details, employee and payroll records, and health insurance information. All of this information is attractive to any type of cyber attack. In addition, there is the general belief that not-for-profit organizations do not spend on technology and its security so they are more susceptible.
In a 2012 study on cyber security mistakes, KPMG found that “the human factor” remains “the weakest link in relation to [cyber] security.” Hackers readily overcome firewalls and other safeguards largely by focusing their efforts on employees who are not educated on the risks. While some organizations might meet this criterion, others simply do not have the resources to invest in information security which can lead to losses not considered before.
Within the not-for-profit environment, attacks can not only be costly monetarily, but can also damage the reputation of the organization – the most valuable asset. However, there are a few ways organizations can help protect themselves in a cost effective manner:
- Technical Consultant: While most entities do not have the resources to hire full time information technology expertise, there are many third parties than can provide set services based on a customized agreement. These agreements are typically much lower in cost than hiring full or part time personnel.
- Risk Assessment: A key factor in preventing a cyber attack is understanding the type of susceptible information retained and how it is secured. Having this knowledge can help a not-for-profit entity concentrate on the risky areas of operation. Risk assessments should be performed and updated annually.
- Cyber Security Plan: Take action and create a cyber security plan. This can be as simple as a monthly checklist of when information should be updated, when to change passwords, etc. It should also address what to do if a data breach occurs.
- Run Updates: Regularly update your computer’s firewall and virus protection. A good practice is to set calendar reminders to run these updates.
- Secure Networks: While it doesn’t seem as intense, a simple encryption on a wireless network can prevent many data breaches. The more secure the password (inclusion of letters, numbers and special characters), the more secure the information.
These recommendations are only a few factors in mitigating risk with limited costs incurred. Larger entities could also consider cyber insurance as another option however the benefits versus the cost must be considered. Overall, the implementation of the above recommendations including the possibility of purchasing insurance is still going to be significantly less expensive than putting out fires after a lax security program results in a breach.
Questions on keeping your Not-for-Profit organization's data secure? Contact your Keiter representative or email@example.com | 804.747.0000
Ron is a Senior Associate in Keiter's Business Assurance & Advisory Services group. He works closely with his not-for-profit clients to assist them in meeting their compliance requirements. In addition, Ron's clients rely on him to keep them up to date on new regulations or changes that may effect their organization. Ron is a member of the Firm's Not-for-Profit team.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.