The period between Christmas and New Year’s Day has long been the time people give to charities the most, making the charities themselves attractive targets for cyber criminals. Because the events of 2020 will likely boost existing trends, nonprofit cybersecurity challenges may be greater than ever this year — even as groups find themselves with fewer resources to devote to cutting down on this risk.
Nonprofit cybersecurity leaders will need to emphasize cost-effective defenses, including careful scrutiny of vendors, if they are to avoid the increased threats to nonprofits that this holiday season will bring.
Financial Woes Add to Nonprofit Cybersecurity Risks
In a typical year, charities collect more than one-third of their annual donation revenues during Q4, with as much as 21% of giving occurring during December alone. However, 2020 has impacted the overall charity landscape.
The economic downturn’s effect on giving has been uneven, with some sectors seeing growth and others seeing major losses, with the most dramatic shrinkage occurring midway through the year. A report published by Fidelity Charitable in June 2020 showed that charitable giving actually increased by 16% over the first four months of 2020, with the human services sector — particularly food banks — seeing very large gains. In a pattern similar to what’s seen after natural disasters, however, that initial surge in donations was followed by a major drop-off.
“What we are anticipating is for the remainder of this year, our donations will be significantly down. The very people who have been most economically harmed by COVID-19 are United Way’s donors,” says Steve Taylor, a senior vice president and counsel for public policy at the United Way.
In the face of disruption and ongoing financial flux, nonprofits and charities are now looking to holiday season donations to make up shortfalls from much of the rest of the year. The goodwill this season often brings will be of the utmost importance to the nonprofit cybersecurity world this year.
Today’s Nonprofit Cybersecurity Landscape
The ways charities cultivate donor partnerships have undergone a major shift. With in-person fundraising events canceled for the near future, donor retention and stewardship, even more so through online and technology-enabled means, have become the most popular and effective avenues for fundraising.
At the very moment when maintaining the confidence of longtime supporters has become more important, charities are being challenged to conduct these partnerships only online. In this climate, the potential fallout of a breach, including loss of donors’ trust, is huge.
Threat actors have long tried to capitalize on the annual holiday giving surge by creating fake charities that attempt to fundraise on false pretenses. It’s only logical that they’d extend their schemes to include real charities as well, especially since they’re known to hold donors’ personally identifiable information (PII) and payment card data and often lack robust controls and defenses.
Nonprofit cybersecurity challenges are made worse by slender budgets and the fact that inadequate attention is paid to risk reduction by many boards and donors, who tend to be critical of spending that doesn’t appear to contribute directly to the front-line mission.
Data Protection for Charities
While it’s always been important for nonprofits to protect the privacy and security of donor information, this year’s budgetary constraints make it even more important that they focus on the technologies, policies and process improvements likely to do the most good at the lowest cost.
These include:
- Awareness training for nonprofit cybersecurity. These programs range widely. Some can be informal training sessions developed in-house using open-source tools and materials freely available to the public. Others are formal programs that are custom built by a third-party vendor. Even the most elaborate paid offerings are relatively inexpensive, yet their use can have a major impact on organizational culture by encouraging employees to become more risk-aware and helping them cultivate better habits.
- Strengthen authentication procedures. Nonprofits and charities are moving larger portions of their IT work to the cloud than ever before. Therefore, maintaining secure remote access procedures for all user accounts and admin resources has grown in importance. Multifactor authentication (MFA) is relatively simple and inexpensive to use. It’s even possible to build your own solution at no cost by combining open-source tools and an API backend. Teach strong password hygiene to employees, and recommend the use of a password manager tool. Open-source password managers can also be found for free.
- Promptly install all software updates and patches. Especially at larger charities, automation is key for speeding up the deployment of critical software updates. Look for solutions that can improve the efficiency of your content delivery infrastructure. This step can save money and bolster your defenses at the same time.
Find a Sample Data Protection Policy for Charities
Nonprofits and charities frequently outsource a lot of their day-to-day IT work or make use of cloud-hosted solutions, such as software-as-a-service (SaaS) options. However, there’s a growing trend among threat actors to exploit third-party providers in order to gain access to their customers’ data assets. As the past year’s high-profile breach of Blackbaud should remind us, nonprofits may be at extra risk from these types of attacks.
It’s vital to examine the data privacy and security policies that your provider has in place, as well as to check that all relevant compliance audits are up to date. Cloud use has grown across industries over the course of 2020. This, in turn, puts increased pressure on managed service providers, who are challenged to find the talent they need to manage their data in the cloud. (Cloud environments require more specialized skills because they’re so complex.)
Finally, it may be worthwhile to purchase cybersecurity insurance if you don’t already carry it. A well-chosen policy can absorb many of the financial risks that come with collecting donations online. Keeping ahead of nonprofit cybersecurity risks provides valuable protection for your organization’s reputation, and helps ensure that the organization will be healthy, robust and able to work toward achieving its mission for many holiday seasons to come.