Want to learn more on this topic? We've partnered with BDO Canada to present a free webinar on October 17.
Leaders of nonprofit organizations read the same headlines as their counterparts in the for-profit sector. The data breaches that once were rare now occur with alarming regularity — damaging bottom lines and reputations. In a data-driven world, it seems every organization is at risk.
The NPO cyber threat
Nonprofits find themselves surprisingly susceptible to a data breach. A 2016 study found that 63 percent of nonprofit organizations (NPOs) had suffered at least one breach in the previous year.
In some ways, the cybersecurity risks faced by NPOs are far greater than those faced by other organizations.
For one, NPOs rarely employ adequate in-house IT talent, mostly because so many NPOs try to keep headcount low overall. This leaves the network more vulnerable.
In addition, the data stored in a nonprofit’s systems is often especially sensitive. At a minimum, the organization will store personal information to issue tax receipts, but it may also capture private details of at-risk individuals, such as the elderly and others receiving health-care services.
Reputational damage from a breach can hit NPOs particularly hard. A for-profit company that falls victim to a cyber attack can often reclaim its reputation in the space of a few news cycles; an NPO may not recover as quickly. Donors want to know that their dollars are handled correctly — if they believe an organization lacks the cybersecurity oversight they demand, they may shift their funds to other organizations that compete for the same pool of funds.
PIPEDA and the new notification rules
Legislators have added an important reason for NPOs to get serious about cybersecurity. Effective November 1, 2018, organizations need to notify affected individuals and the Office of the Privacy Commissioner of Canada if personal information is breached. Included in the legislation is the requirement to keep records of all breaches. Organizations that fail to comply with the new rules could face fines of up to $100,000.
The so-called mandatory breach notification rules form part of a slate of changes to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s signature law on data privacy. Many of the amendments came into force in 2015 — but for the breach notification rules, legislators finalized the details during a three-year process.
Determining which breaches require notification could prove to be complicated. The rules are triggered when a breach creates a “real risk of significant harm” to the individual whose personal information was breached. The definition of harm could include bodily harm, humiliation, damage to reputation or relationships, financial loss, identity theft, negative effects on a credit record and damage to or loss of property. But assessing that harm — and the “real risk” of that harm — in practice will fall on your NPO and your advisors.
The NPO funding dilemma
The cybersecurity threat raises tough questions for NPO leaders. With budgets constantly tight, finding the funds to close security gaps can prove challenging. An NPO is guided by a mission — can its leader be expected to choose administrative costs over core programs and services that fulfill that mission?
The reality is more complex and plays out over the longer term. Protecting an organization’s computer network safeguards its ability to serve the people it depends on: service users and donors. The NPO world runs on goodwill and good intentions, but beyond its borders sit cyber criminals who exploit that trust. To help ensure their future, NPO leaders need to take care of their organization’s business interests.
Getting started with cybersecurity
Many NPOs have yet to take their first step in tackling their cybersecurity needs. To get started, your NPO should consider three key objectives:
Focus on the core — outsource the rest
To secure your network, consider outsourcing your technology needs. Many NPOs use third-party organizations to manage their technology in the cloud and monitor these systems for performance and security.
When selecting a provider, identify your technology requirements and ask if the company can provide a service auditor’s report on the controls for the services that it delivers. These reports provide assurance over the controls in place and the security of those systems. The reports help to add a level of protection and comfort for both the leadership of the organization and its stakeholders.
Test your systems
Penetration testing is a series of procedures carried out against a computer network to find openings that a cyber attacker could use to get in. Many organizations do not even realize that their network is vulnerable to an attack, so testing its defences is often a simple yet important first step to improve security.
Fortunately, the gaps that such testing uncovers are often relatively easy to fix, by implementing passwords and authentication throughout the organization. Passwords need to be changed regularly, and a protocol needs to be in place so that employees create strong passwords that include letters, numbers and special characters.
After testing the system and implementing fixes, management can protect the organization by keeping applications and operating systems current, and keeping its security measures up to date with controls that counter the latest strategies deployed by hackers.
The human factor
While organizations need to embrace technical solutions to prevent data breaches, they can’t ignore the human element. The vast majority of electronic breaches occur when an organization’s people let attackers inside its walls. In the best-known example, an unsolicited email claiming to come from a credible sender, such as the Canada Revenue Agency (CRA) or a financial institution, arrives in a user’s inbox. An employee or volunteer clicks on a link in the email, which installs malicious software on the machine. From there, the compromise can quickly spread throughout the entire network.
To address the human element of cyber risk, your NPO needs to educate its people throughout the organization on the practices that keep it safe. Onboarding is now standard at many NPOs, supported by policies and manuals, but many organizations fail to include cybersecurity best practices during those first days on the job. Those practices are essential, and they shape the responsibilities of the job as much as its technical and social aspects do.
For NPOs, the human challenge carries additional subtleties. In a sector known for its many volunteers and high turnover rate, education from the start is crucial. Cyber attacks target first-day employees just as they target 10-year veterans familiar with the organization’s cybersecurity best practices.
Cybersecurity that scales
No two NPOs share the same cybersecurity needs. Some larger organizations may require a complete cybersecurity control framework that comprises an ecosystem of related solutions. For smaller NPOs, a few initial steps may suffice to provide a foundation of security. The challenge for an NPO leader is to protect the organization from a data breach while weighing the cost of a solution against other organizational needs, and to determine the cybersecurity route that fits the organization.
BDO has extensive knowledge of cybersecurity compliance frameworks and can help your organization assess its current cybersecurity position and then establish and maintain a continuously secure environment. We can assist you with understanding your most critical cybersecurity gaps and provide recommendations and support to help your organization protect its data. Contact us today to kick-start your cybersecurity strategy with a preliminary assessment of your cybersecurity requirements. Contact your local BDO office today.