Cyber Risks for Non-Profit Organisations

Sarah Morrison
August 25, 2023

Whenever I present at a conference or event, it is always essential that I am not repeating myself and that my audience learns something new from the experience. With a topic like cybersecurity, there is always plenty to talk about: new scams, new defences, and new learnings. However, there is one line I repeat across all my presentations: “Cybersecurity is no longer a luxury, but a necessity for all organisations, no matter what their size or industry”. Not-for-profit (NFP) organisations are no exception and face their own unique challenges that necessitate a thorough understanding of cybersecurity. With Non-profit Day being in August (17 August, to be exact), I thought what better time to explore the importance of cybersecurity in NFPs?

Surely, not-for-profits are safe from cyber threats?

NFPs may not be the first entities that come to mind when thinking about targets for cyberattacks, until you start to think about the data that NFPs hold and process. As the latest news headlines indicate, NFPs are by no means safe from cyber threats. A recent cyber-attack on telemarketer Pareto Phone saw the data of thousands of donors leaked online after the firm suffered a data breach earlier this year. It is estimated that 70 Australian charities use this firm, with three confirmed charities having had donor data leaked online.

For any NFP to survive, it is imperative that donor data is protected. Who wants to donate to an organisation that cannot guarantee the safety of your personal and financial information? NFPs also create valuable research, data sets, and content that must be protected. And this is just in general terms. Exactly what data you are protecting will also depend on the NFP.

Challenges faced by NFPs

While the need for cybersecurity in NFPs seems clear, NFPs often face specific challenges. Limited budgets, lack of expertise, dependence on volunteers, and an unrealistic perception of risk and vendor security can all hinder the implementation of robust cybersecurity measures. As this is only a blog and not a full-blown research paper, I am only going to focus on a few of these areas. We all know the difficulties many organisations face with funding and vendor management. What is unique to NFPs, however, is their reliance on volunteers and this unrealistic perception that they are not at risk of cyber threats.

Dependence on Volunteers

Dependence on volunteers is essential to many NFPs. In my spare time, I have offered advice and support to NFPs, and I will be the first to admit that the work I have agreed to undertake in my own time has on occasion slipped down my list of priorities. When you are working for an organisation that you give your all to, coupled with a demand to meet work-related deadlines, this can often outweigh the hit of dopamine you receive from helping an organisation whose mission is to help others. Good intentions can often drag on longer than expected.

The other issue with volunteers is that they often become your weakest link regarding cybersecurity. Consider this. You are working for an organisation that takes security seriously. You have regular team updates on phishing emails, phishing simulations and frequent security awareness training. You are doing pretty well with this cybersecurity thing. But then your organisation starts to introduce, and give access to data to, all these new people who have just come in to help out for the day, and who have not taken part in any of your cybersecurity awareness and training. Suddenly, you have this massive uncertainty. How much does the volunteer know about social engineering, what information will they have access to, and do they know not to use your computers to Google personal interests during downtime or click on a link in an email that has arrived in their inbox?

A quick Google search informs me that most volunteers are between 25 and 39. What is that I hear you say? They are young, so they know better than to fall victim to cybercrime… Another quick Google search informed me that between July 2019 and June 2022, 25-34-year-olds were the most likely victims of cybercrime in NSW. What does all this mean? It is a marriage made in cyber. The average age of a volunteer fits within the average age of a cybercrime victim (I know there are variables and different types of cybercrime, but you get the gist). We need to extend the same cybersecurity awareness training to our volunteers as we do to our full-time employees. I know: more overheads you will need to squeeze out of your already tight budget.

Unrealistic perception of risk

Upon reading this heading, you may think that I am referring to NFPs having an unrealistic perception of risk, and I can tell you from the organisations I have dealt with, the people on the front line have a great understanding of the risk and what it would mean to their organisation if they did suffer a breach. However, this understanding does not necessarily extend to every corner of the organisation (including board rooms), nor does it always spill out into the world. This is not a stab at board members but rather a reminder that your security team should be talking to your board regularly on the issue of cybersecurity, and if you do not have anyone experienced or confident enough to do this, then email me. I will gladly have a conversation on cybersecurity with anyone ;)!

This unrealistic perception of risk, as mentioned, also spills out into the world. We hear stories in the news of hacker ethics, with the ransomware group LockBit formally apologising to a Canadian children’s hospital after one of their affiliates went rogue. I know, ransomware groups with morals, who would have thought? But this is not the norm. LockBit has drawn a line in the sand and said no to breaching certain organisations, but there are many other cybercrime groups out there who would not give two hoots that they have stolen data from an NFP, whether that includes donor information, information on domestic violence victims, or information on children with cancer.

Moving on from that sad reality, the truth is that without understanding the specific risks they face, NFPs may not consider implementing appropriate safeguards. In the recent case I spoke about above, concerning the breach of NFP donor data and Pareto Phone, the relationship between the telemarketer and some of the charities seems to be long-standing, a partnership that began long before all of this hoo-ha on vendor management (very important hoo-ha, I might add). But going forward, how can anyone understand their risks if they are not actively looking for them? I know budgets are tight, but if you are reading this and you work for an NFP or are on the board of an NFP, please make sure that you are undertaking yearly information security risk assessments. And if you are reading this and work in the cybersecurity space, that little hit of dopamine you get from volunteering is worth it!

Conclusion

The unique challenges faced by NFPs in cybersecurity require tailored solutions and a deep understanding of the risks they face. Recognising these challenges is necessary to defeat the cyber menace. Like any organisation, the first step in your cyber journey is to identify the risks your organisation faces, you guessed it, through an information security risk assessment. An information security risk assessment will not only identify the most valuable assets to your organisation and their associated risks, but it will also help identify the human risk faced by your organisation: for example, lack of policy and procedure awareness, how people use your data, risky shortcuts they take, and the many places unencrypted sensitive data may reside.

Reading over this article, I will be the first to admit there are no real waves of illumination for security professionals working with or for NFPs. Each organisation has its own journey it must take. For NFPs, this journey is often harder than most, as the more you spend on cybersecurity, the less you can fulfil your mission, which is why you exist in the first place.

What I can offer you is a security awareness tool in the form of a handout/poster that you can give your volunteers, which you can download now from our Resources page. Oh, and the offer stands: if you need someone to speak to your board to help justify the expense or the urgency of investing in cybersecurity, then please reach out, and if we can help you, we will.

Sarah Morrison

Sarah is the Co-CEO of Morrisec. With over 20 years in cybersecurity and a PhD in Russian information operations, Sarah has a deep understanding of threat actors and their tactics and motivations, making her highly equipped to assist organisations in their defence against them.
