Cybersecurity risks are just as real for small charities as they are for multinational corporations. Without the big budgets to spend on an advanced cybersecurity program, however, nonprofits face more challenges, particularly when it comes to protecting donor information. Fortunately, there are measures even small organizations can take to protect themselves which won’t break the bank. That was the message that Richard Nathan, a cybersecurity specialist, emphasized when speaking at the 39th Annual Nonprofit Conference on Jan. 12, sponsored by the Foundation for Accounting Education.
For instance, requiring employees to use complex passwords doesn’t cost any money, nor does mandating that they be changed every few months, according to Nathan. Educating workers about how to avoid phishing scams, regularly backing up company data, making sure that everyone’s software is up to date, and getting regular updates from the IT department are also measures that cost practically nothing, even for the most penurious organizations. Despite the affordability of such steps, however, Nathan said admitted that most organizations still don’t implement them.
Part of their reluctance stems from a mindset that thinks of cybersecurity solely in technological terms. But even the most sophisticated cybersecurity program in the world is useless, he said, if someone opens a bad email attachment or hands over information to a fraudster disguised as someone’s boss. He pointed out that giant companies with extremely pricy security systems have still gotten breached and their information stolen. More important than technology, he said, is culture, education and—above all else—just plain common sense.
“Common sense is what to use here. It’s not a technology thing. It’s a common sense thing,” Nathan said.
With the low-to-no-cost common sense measures he suggested, though, comes the need for real accountability in implementation. This means that cybersecurity processes and procedures must include not only the IT department, but also human resources and finance, as well. It does an organization no good, he said, to have a 50-page acceptable-use policy that new employees sign and then promptly forget about. People need to take these matters seriously, and to be held accountable if they don’t.
“HR is a major component. When I onboard people into the organization, it’s very important to train them up front [about] the culture of the organization—that we all work together to mitigate these issues and learn about what I can do and can’t do,” he said.
Every organization should have a committee that reviews IT risks—something that very few actually do, Nathan pointed out.
“Most of the time, it doesn’t exist: ‘Oh yeah, we get together every once in a while and we schmooze over coffee and know what’s going on.’ But for really relevant issues, you need actual stakeholders [there],” he said. “In my thought process, cybersecurity is an organizationwide issue. You’ll hear me say this again and again: The number one variable in cybersecurity is people.”
Nathan also said that it’s important to be strategic about where an organization puts its efforts. Protecting financial information or other personal information that could be used for identity theft is worth it. Protecting other information may not be.
“I’m looking at my financial system, my operations system, [my] subledger system. But I may not need to protect my database with the lunch menus in it. I think we have to think about which systems I’m going to protect and what dollars I will put toward it, rather than a blanket solution for everything,” he said.
If an organization can afford it, he also recommended hiring an outside consultant to evaluate its systems, but he added that the organization needs to be smart about whom exactly it hires. Before a company decides to engage a $600-an-hour consultant who proposes buying a security system costing six figures, said Nathan, perhaps it should see whether the basic, low-hanging fruit is already covered.
“The point I am trying to get across is to think and be smart, and not scared, of the word ‘cyber,’” he said.