U.S. nonprofits, like small and large businesses, boast risk factors for cyber crimes such as hacking, phishing, and other types of data breaches. Yet, nonprofit organizations have been slow to adapt to cyber strategies and security protocols. In a survey conducted by U.S. accounting firm CohnReznick, almost half of the nonprofit organizations polled said they had not completed a cyber-risk assessment in the past year and 66% had no plan to increase their spending on data security.
Despite financial and reputational risks, nonprofits are failing to invest the time and resources to protect themselves, and the consequences can be dire.
The Ponemon Institute’s annual Cost of a Data Breach Study reports that the average cost of a lost record is $148 and the total cost of a data breach averages $3.86M. Those are losses that would sting most organizations but that are especially devastating for nonprofits whose budgets are often narrow and restricted.
In our upcoming webinar on Thursday, May 9th, ShareVault will host Graham-Pelton and its partner, The National CyberSecurity Society, as they explore the cybersecurity risks that nonprofits face, the reasons nonprofits are particularly vulnerable, and some best practices for shoring up their defenses.
In advance of the webinar, we sat down with Jennifer Harris, Senior Vice President at Graham-Pelton, to explore some of the topics attendees of the webinar can expect to learn about.
ShareVault: Why are nonprofits especially vulnerable to cybersecurity attacks?
Jennifer Harris: I think there’s a general perception that banks and hospitals are more typically the focus of cyber criminals and that, in general, other types of institutions, such as nonprofits, are less attractive targets.
Also, and importantly, nonprofits still tend to view cybersecurity as an IT issue and not as an organizational issue that’s related to human behavior.
SV: What are some of the costs and consequences for nonprofits suffering a data breach?
JH: The cost of data breaches and the volume of records stolen are steadily rising. Organizations suffering a breach will spend millions in remediation, depending on the size of the breach. Reputational costs can also be devastating for nonprofits. Understandably, donors are not happy when their altruism results in their personal information being stolen by hackers because the nonprofit was careless with that information.
SV: What are some of the steps nonprofits should be taking to secure that data?
JH: Nonprofits should consider doing an assessment and then developing a plan of action. Data security protocols should be created. Most nonprofits simply don’t make cybersecurity a priority. It needs to be a priority. This is not a horizon issue; it’s very real, it’s growing, and it can have a significant and destabilizing impact, both financially and reputationally.
SV: Employee errors are one of the leading causes of data breaches. How important is it for nonprofits to train staff on the risks and consequences of data breaches?
JH: This is one of the most critical issues. Human behavior! Nonprofits must learn how to change their behavioral habits. Obviously, training is a critical part of that.
SV: Do you recommend that nonprofits store constituent data in the cloud? What are the benefits and risks?
JH: It doesn’t matter if it’s cloud-based or hard copy – there’s always risk – whether you’re a nonprofit or a for profit, for that matter. But the priority needs to be ensuring all systems are secure. Security should be addressed at every step of the way and again, people need to understand and change their behaviors.
SV: What is your number one piece of advice for nonprofits regarding cybersecurity?
JH: Budget for it and implement a plan. Train your people. It’s an eventuality.
ABOUT | JENNIFER HARRIS, PhD, Senior Vice President, Graham-Pelton
Jennifer Harris leads Graham-Pelton’s association and social change practice group and is a dynamic fundraising professional who focuses on major gifts and grants to achieve organizational growth. She has a proven record of developing and harnessing strategic plans, community partnerships, board networks, strong teams, and relationships to drive fundraising outcomes.
Ally van den Herik is Director of Marketing at ShareVault. She holds an MBA from UC Berkeley and an undergraduate degree in Biology from Stanford. She has more than twenty years' experience in online media, after having taught herself HTML in 1994 while in business school. Her first job was as the Product Manager for Family Tree Maker Online, now Ancestry.com. Prior to ShareVault, she has worked for Websense, an online filtering company, BidPal, a wireless silent auction fundraising tool, The Cambridge School, and her own Internet Marketing consulting firm.