Cyber attacks haunt our headlines so often these days that even major hacks around the world don’t always make the evening news.
The toll of the 9 largest hacks last year added up to $1 billion and 480 million leaked records. These numbers are obviously staggering, but as you read them, do you consider these facts to be a removed reality or a direct threat?
With the media spotlighting these international, colossal attacks, it leaves smaller entities such as associations, nonprofits and small businesses with the false sense of security that they are too low-profile to be vulnerable. The harsh reality is no one can fly under the radar in our connected world. Apathy towards cyber security can lead to irreversible consequences, and merciless hackers are counting on you to assume you are immune.
Internet-connected technology is ubiquitous in today’s workplace. This holds true in the nonprofit sector as much as any other industry. Paired with this rapidly changing landscape comes an onslaught of security vulnerabilities to harass your association’s under-resourced IT department.
- In 2014, nonprofits experienced an 8.9% increase in online donations.
- In 2015, 10% of donations occurred via mobile devices, and 16.6% of donors who decided to give in response to an email communication did so from their mobile device.
- 76% of all websites scanned by Symantec in 2014 were identified as vulnerable, and 20% of those vulnerabilities were identified as critical.
- In 2014, more than 317 million new pieces of malware were released, which is nearly 1 million a day.
Further complicating the situation is the increase in personal device usage and the Internet of Things. Staff and customers are bringing multiple internet-connected devices into the workplace, which severely increases the complexity of defending against intrusion. With so many exploitation vectors available to hackers, most associations are likely to be probed in one manner or another sometime this week. Associations that maintain forward-deployed applications and websites (available to the public via the Internet) are likely to be probed in at least some automated fashion sometime today. With all of the chaotic activity involved in maintaining an association’s IT infrastructure, it can become easy to fall into some insecure patterns of thinking.
Misconception #1: “My association is too small or unknown to be a target.”
An association is as likely a victim of hacking as any other business in any other industry. A few high-profile examples from 2015:
- In February of 2015, the National Center for Charitable Statistics’ Form 990 / 990-EZ / 990-N filing system was breached. Hackers absconded with up to 740,000 records that included usernames, passwords, IP addresses and other account information.
- In July of 2015, the Utah Food Bank was breached, with donor information for 10,385 individuals exposed.
- In October of 2015, the American Bankers Association was breached, with 6,400 usernames and passwords for their online store application being released publicly.
Reviewing just this list, it’s easy to assume this issue is more of a problem for large organizations with huge data sets and lots of public exposure. Unfortunately, smaller and less visible associations are as likely, if not more likely, to be targeted as any other organization. A large percentage of associations and nonprofits:
- Have smaller IT budgets, allowing for fewer resources to be spent on security audits, expertise, hardware and software.
- Use fewer formalized security procedures and protocols.
- Often have “all hands on deck” operational events, pulling resources from across the organization. This results in loss of focus on security procedures and a tendency to “just get it done” as quickly as possible.
Without the proper protocols, associations wind up deploying untested applications, failing to keep assets properly patched and updated, and responding more slowly to breaches and vulnerabilities. Associations are used to being stretched thin and making the most of their resources, but the consequences of spotty cyber security (or a complete lack of it) can spell disaster for your operations, reputation, and member safety. No association, organization or nonprofit is too small to fall prey.
Misconception #2: “Hackers would not be interested in our data.”
This is a common misconception that is absolutely not true. Hackers frequently breach victims without a specific data set in mind. That is to say, they break in because they can, not because they have to. During the identification phase of an attack, a great deal of the probing against the victim’s network (or email/social network) is automated. The attacker then reviews the results afterwards to identify easy exploits en masse. The very presence of a vulnerability in your infrastructure is quite often enough temptation to inspire an attack.
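The automated probing described above leaves a recognizable footprint in ordinary web server access logs: one source requesting many different paths in a short burst, most of them answered with 404 or 403. The following is an added example, not code from the original article, showing how a small association’s IT staff could flag that pattern in combined-format access logs. Everything in it is constructed for illustration: the log lines are made up, the addresses are RFC 5737 documentation ranges rather than real hosts, and the thresholds (WINDOW_SECONDS, MIN_REQUESTS, MIN_DISTINCT_PATHS, MIN_ERROR_RATIO) are arbitrary starting points that a team would tune against its own traffic.

```python
"""Flag sources that look like automated probing in web access logs.

Added example, not from the original article. All values are
constructed: the log lines are made up, the IP addresses are RFC 5737
documentation ranges, and the thresholds are illustrative defaults.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access log format, captured with one anchored regex.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW_SECONDS = 60        # length of the sliding window per source
MIN_REQUESTS = 20          # requests inside the window before we judge it
MIN_DISTINCT_PATHS = 15    # many distinct paths in a short time
MIN_ERROR_RATIO = 0.6      # mostly 403/404: guessing paths, not browsing


def parse_line(line):
    """Parse one combined-format line; return None for lines we cannot read."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_probing_sources(lines):
    """Return {ip: summary} for sources whose requests, within some
    WINDOW_SECONDS window, are numerous, spread over many paths, and
    mostly rejected. Unparseable lines are skipped."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    window = timedelta(seconds=WINDOW_SECONDS)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until it spans at most WINDOW_SECONDS.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            if len(chunk) < MIN_REQUESTS:
                continue
            distinct = {r["path"] for r in chunk}
            errors = sum(1 for r in chunk if r["status"] in (403, 404))
            ratio = errors / len(chunk)
            if len(distinct) >= MIN_DISTINCT_PATHS and ratio >= MIN_ERROR_RATIO:
                flagged[ip] = {
                    "requests": len(chunk),
                    "distinct_paths": len(distinct),
                    "error_ratio": round(ratio, 2),
                }
                break  # one qualifying window is enough to report this source
    return flagged


def _make_sample_log():
    """Constructed sample: one ordinary visitor and one noisy source."""
    base = datetime(2016, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i, page in enumerate(["/", "/about", "/donate", "/events", "/contact"]):
        t = (base + timedelta(seconds=40 * i)).strftime(TS_FORMAT)
        lines.append(f'198.51.100.7 - - [{t}] "GET {page} HTTP/1.1" 200 5120')
    for i in range(30):  # 30 distinct made-up paths in 30 seconds, all 404
        t = (base + timedelta(seconds=i)).strftime(TS_FORMAT)
        lines.append(f'203.0.113.9 - - [{t}] "GET /guess-{i} HTTP/1.1" 404 153')
    return lines


SAMPLE_LOG = _make_sample_log()

if __name__ == "__main__":
    for ip, summary in find_probing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The three thresholds work together on purpose: request volume alone would flag a busy legitimate page, and error rate alone would flag a visitor following one dead link, but a burst of many distinct rejected paths from one source is the signature of path guessing. Output from a script like this belongs in a ticket or a firewall block list review, not in an automatic block, until the thresholds have been checked against a few weeks of the association’s own traffic.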
Your members care a great deal about the data they house with you. Regardless of whether or not it’s personally identifiable, it’s their information that they have entrusted to your association. Because of this trust, they are willing to share information with you that they quite possibly are not willing to share with others. Regardless of the ultimate culprit, if you are breached and data is stolen, not only does your customer have to deal with the repercussions of their lost data, but your association has lost the customer’s trust, possibly for good.
During a non-automated, undirected (i.e., a “just because I can” or “look what I can do”) attack, any data set may ultimately be compromised (and any of it may be useful in future attacks!). Here is a standard list of possible targets:
- Usernames and/or passwords
- Email addresses
- Customer information (financial, identifiable, medical/insurance)
- Financial documents pertaining to the organization
There is also an ever-growing list of other targets that have an equal or greater potential for damage:
- Network documentation
- Procedural documentation
- Contractual documentation
- Inter-company communications
- Human resource information
- Vendor communications
- Press information (pre-/post-release)
- Intellectual property (i.e., source code, design documents, diagrams, etc.)
These lists are by no means complete. Any data regarding your customers, staff or operations may ultimately wind up being used against you.
Misconception #3: “My association can’t afford to make the required security investment.”
This is a high-level discussion that must take into account the overall goals of the association. All of your goals and purposes as an organization are built on the foundation of member trust, participation and engagement — three things that go down the drain once the privacy and safety of your assets are compromised.
Is your goal to ultimately provide support to your members? Are you providing a charitable giving venue for the general public? In order to meet these goals in today’s world, information and network security must be part of your association’s modus operandi. The costs of not allocating the appropriate level of security investment far exceed the initial capital saved by pinching budgetary pennies. The loss of public confidence, the damage to the association brand, plus the possible legal implications of a data breach can be a nightmare.
Of course, those of us in association leadership positions are frequently tasked with making more happen with less money, so there are always going to be decisions to be made. As a decision maker, are you prepared to explain to your customers and donors why you did not make the necessary security investment to protect the personal data they in good faith provided you?