Cyber Security and Non Profits
Running a non-profit is much like running a small business, but it also has unique challenges. In a small business, it is easy to justify overhead spending on IT equipment as a necessity of running the business, even in times of fiscal struggle. In a non-profit, when you have to weigh spending money on IT infrastructure against helping a young mother care for her child, the decision looks very different. Cyber security is much more than IT, and it should be at the forefront of board conversations.
Not all decisions are made this way, nor should they be, but often a non-profit is raising funds for a specific purpose and not to support its IT infrastructure. If the organization runs on large grants and has a steady cash flow, decisions like this are easier, but many non-profits I have worked with are limiting their administrative spending and are not actively raising funds for their administration at all.
The first question I am often asked is: why should I care about cyber security as a non-profit?
There is no single straightforward answer. The short answer is that your constituents, your donors and those you serve expect their privacy and the security of their information to be protected. The longer answer is multi-faceted and situational. I hope to at least start the discussion of why this is important and, more importantly, how we can address it.
Example: Lost Phone
Let’s take a scenario where an organization is not well-off by any means, but they have a steady flow of funds where they are operating comfortably. This would only be possible with a good core base of donors. This could be a few large and a number of moderate donors, or it could be a number of smaller grassroots type donors. Either way, there is a group of people regularly supporting the non-profit.
Now let's say that the Executive Director is a fairly busy person (those of you in the NPO world can hear my sarcasm here) and doesn't have time to remember a complex password for email or to change it every 90 days. Then let's say the ED loses her phone, and because the non-profit has no mobile device management solution, nothing forces a screen lock, device encryption or a remote wipe. Someone finds the phone and is able to get into the email. It wouldn't take me long to work out the role of the person and contact some regular donors with an emergency need for funds. This could be a "special circumstance" that requires money to be sent to a different bank account. I could ask donors to send money to my bank account, and they would send it because they would think it was the ED contacting them for funds. You get the picture.
What items here would an enterprise be talking about that aren't even a topic of discussion for the NPO? Mobile device management, user account management (passwords and multi-factor authentication), device encryption, multi-step procedures for approving unusual payments, and so on. These all require people and technology, which require investment and resources, to design, implement and manage processes and systems.
Example: HIPAA Breach
I have worked with a number of non-profits who deal with medical information on a regular basis. Just dealing with medical information does not make an organization a covered entity under HIPAA regulations. This is a topic for another day, but ultimately it is a risky proposition to decide not to protect health information according to some standard.
In this example, the non-profit is using easily accessible tools, as most are, and stores its electronic information in something like Google Docs. One of the administrators accidentally loads a large number of medical records into a folder that is actually used to distribute documents to a large number of donor constituents. If this were a covered entity, this would likely constitute a breach. That carries not only reputational damage but potentially fiscal penalties as well.
What's different about this example and the first? This one isn't dependent on any particular role or technology. It is a process problem: a sensitive document landed in a folder whose sharing settings were meant for a very different audience. Most cyber security issues can be mitigated with proper training and processes.
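The folder-sharing scenario above is the kind of process failure a small technical check can catch early. Below is an added example (it is not from the original post, and does not use any Google API) that audits a file listing, with each file's sharing recipients, for documents that look like health records sitting in folders shared with outside parties. The listing, the organisation's domain (example-npo.org) and the indicator patterns are all assumptions made for the example; a real run would feed it the same fields from a Drive or SharePoint export.

```python
"""Flag sensitive-looking files that are shared outside the organisation.

Added example, not code from the original post. The file listing below is
constructed for illustration; in practice the same fields (path, extracted
text, sharing recipients) would come from a Drive/SharePoint export.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed organisation domain; anything shared beyond it counts as external.
INTERNAL_DOMAIN = "example-npo.org"

# Narrow indicators of protected health information (PHI) or other sensitive
# content. These are starting points, not a complete classifier.
SENSITIVE_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{5,}\b", re.IGNORECASE),
    "diagnosis": re.compile(r"\b(diagnosis|ICD-10|prescription)\b", re.IGNORECASE),
}


@dataclass
class SharedFile:
    path: str
    content: str                       # extracted text of the document
    shared_with: List[str] = field(default_factory=list)  # emails or "anyone_with_link"


def external_recipients(f: SharedFile) -> List[str]:
    """Recipients that are not accounts in the organisation's own domain."""
    return [
        r for r in f.shared_with
        if r == "anyone_with_link" or not r.lower().endswith("@" + INTERNAL_DOMAIN)
    ]


def sensitive_hits(f: SharedFile) -> List[str]:
    """Names of the indicator patterns that match the document text."""
    return [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(f.content)]


def audit(files: List[SharedFile]) -> List[Dict[str, object]]:
    """Return one finding per file that is both sensitive and externally shared.

    A sensitive file shared only internally, or a harmless file shared widely,
    is not a finding; the problem is the combination.
    """
    findings = []
    for f in files:
        ext = external_recipients(f)
        hits = sensitive_hits(f)
        if ext and hits:
            findings.append({"path": f.path, "indicators": hits, "external": ext})
    return findings


# Constructed sample listing: a donor newsletter (public but harmless), an
# intake spreadsheet dropped into the donor folder (the scenario in the post),
# and a case file shared only with a staff account.
SAMPLE_FILES = [
    SharedFile("Donor Updates/Spring newsletter.docx",
               "Thank you for supporting our programs this spring.",
               ["anyone_with_link"]),
    SharedFile("Donor Updates/intake_records_2019.csv",
               "name,MRN,diagnosis\nJ. Doe,MRN 0048213,ICD-10 F41.1",
               ["anyone_with_link", "donors@lists.example.com"]),
    SharedFile("Case Management/client_123.txt",
               "Client SSN 123-45-6789, see intake notes.",
               ["caseworker@example-npo.org"]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(f"{finding['path']}: {', '.join(finding['indicators'])} "
              f"exposed to {', '.join(finding['external'])}")
```

The check reports only the intake spreadsheet: it is the one file that both contains PHI indicators and is reachable by people outside the organisation. Running something like this on a schedule is cheap, but it complements training rather than replacing it; the pattern list will miss records that don't match, so the folder structure and sharing defaults still need to be designed so that a mis-filed document is unlikely in the first place.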
I can give example after example of why cyber security should be a major focus for non-profits. I want to use this blog not only to make that case, but also to focus on practical solutions. There is a shortage of cyber security talent even in the well-paying job market, let alone in the cash-strapped non-profit world. There is a big gap between the knowledge and skills needed to properly secure and manage an NPO and the ability to retain that talent. I hope to bring together my passion for serving those who need a voice, for cyber security, and for developing practical solutions for small businesses and non-profits.
Please feel free to reach out to me if you or your non-profit are looking for someone to bounce ideas off of, or if you're in need of more formal advisory services around operations, finances, or cyber security. If I can't help, I may have a network of resources that can.