Cybersecurity is so often in the news that it’s hard to think it’s being ignored by any sector; however, nonprofits are lagging behind. Why? Obviously budgets are tight, but here’s why ignoring cybersecurity can end up costing nonprofits far more.

Given that nonprofits rely on funding sources such as grants and donations, the organization’s reputation must be maintained or it is at great risk of losing funding. Data breaches that could have been prevented, that remain undetected, and that expose sensitive information can damage this reputation – in some cases beyond repair.

Little Red Door, a nonprofit in Indiana, learned this lesson the hard way. Hackers got into the network via malware downloaded by a staff member, encrypted the organization’s data, then began demanding $43,000 in bitcoin as ransom to restore the files. The organization decided against paying the ransom, and didn’t feel it had any data that would be harmful if it was exposed.

The hackers took to social media, sharing private letters, including those to families who had lost loved ones to cancer. The organization’s reputation was damaged, and it also lost some grants due to the loss of the data needed to support the requests for funding.

What questions can you ask yourselves to be more proactive with your cybersecurity?  Here are our top 3:

1) What kind(s) of data do we process and store? Consider the ramifications if this data were made public, even if it is not protected data like credit card numbers, financial records, Social Security numbers, or patient information.

2) How are we protecting our data? You need to have multiple layers of protection in place, as well as detection: firewalls and endpoint security to keep attackers out of the network, cybersecurity training for staff so they don’t inadvertently provide access to a hacker or download malware, and monitoring to detect unusual behavior.

3) What is our plan should an incident occur? Failing to plan ahead dooms you to fail at minimizing the damage from a cyber attack or data breach. A basic plan is needed, even if it is to establish a relationship with a cybersecurity firm that can assist you with reactive response as quickly as possible.