Financial transactions increasingly are being conducted online — and that includes charitable donations. The Blackbaud Institute for Philanthropic Impact reports that online giving grew more than 17% between 2016 and 2018. For nonprofits without the appropriate IT infrastructure and security policies, such increased online donations can also mean greater cybercrime risk.
Many nonprofits blame budgetary constraints and insufficient in-house tech support, rather than negligence, for their systems’ vulnerabilities. But such excuses won’t fly if hackers break in and steal your donors’ identities — particularly when you consider that many security tools are cheap and easy to use.
Don’t stick your head in the sand
All organizations — all computers — are vulnerable to cyberattacks and cybercrime. But nonprofits and their networks may be more vulnerable than most. Hackers target charities because they’re widely thought to have less-robust payment security and data storage protections in place. Also, nonprofits tend to collect extensive personal information on their donors, and these detailed files can fetch a high price on the Dark Web.
If your systems are weak, chances are that criminals will find a way to exploit those weaknesses. Phishing, spoofing and other email-based scams that trick users into revealing their passwords are perennially popular. Ransomware is also on the rise. There, hackers access stored data, encrypt it and then demand a ransom for its release. Even if the ransom demand is relatively low and you agree to pay it, there’s no guarantee that additional demands won’t follow. Nor can you be assured that the data returned to you won’t be damaged or distributed to identity thieves.
Another scheme to look out for: Cybercriminals are increasingly taking advantage of nonprofits’ reliance on automated clearing house (ACH) transactions. These transactions require donors to submit their bank routing numbers. Donors like ACH payments because they’re useful for making automatic, recurring gifts — and hackers like them because they are prime targets for cybercrime by providing unfettered access to individual bank accounts.
Build a fortress
Even if your nonprofit’s tech budget is limited, you can slash the risk of cybercrime with almost no additional financial outlay. For example:
- Restrict network administration access to only those staff members who need it,
- Ensure that your payment processing system follows industry standards such as TLS (transport layer security) protocols that encrypt data and authenticate transaction parties,
- Update antivirus, antimalware and antispam software as soon as patches become available,
- Require all users to come up with complex passwords and change them frequently, and
- Educate staffers and volunteers about ways criminals might try to gain password access.
As an extra precaution, consider implementing two-factor authentication. This process shields networks with both a regular password and another challenge, such as a temporary password texted to a mobile phone.
Limit data collection
Lax cybersecurity isn’t the only threat to your nonprofit’s donors. The type and amount of data you collect and store could also put them at greater risk of identity theft. In general, collect only what you absolutely need and store what you’re certain you can keep safe and confidential.
The European Union’s recently implemented General Data Protection Regulation (GDPR) provides an excellent set of best practices. These rules are intended to protect the personal data of EU citizens and may not seem to affect your nonprofit directly. However, you could be subject to the GDPR if you receive online donations from Europeans or donations in foreign currencies. Proactively adopting the policies will help reassure donors that you take the security of their personal data seriously — and it could help head off legal trouble.
To make sure your constituents understand your policies, state on your website what data is collected, how it’s processed and how it’s stored. Provide a mechanism for donors to opt out of data collection.
Also remind them that it’s usually not safe to transmit sensitive information while using public Wi-Fi. Finally, provide a telephone number and mailing address should donors decide they’d prefer to give the old-fashioned way.
Conduct a risk assessment now
To gauge your organization’s vulnerability to data loss, visit the Nonprofit Technology Network’s site at https://www.nten.org/article/assessing-risk-protect-valuable-data. Also consider engaging an outside expert to review your nonprofit’s security safeguards and recommend improvements to guard your nonprofit from different types of cybercrime.
When worse comes to worst
You may not want to think about it, but your nonprofit should be prepared in the event cybercriminals breach your network or payment processing system. A good disaster plan outlines procedures for limiting damage, fixing vulnerabilities and communicating with those who might be affected. Specifically name the individuals who will be responsible for carrying out each task.
Time is of the essence if your system is hacked. Most states require you to immediately inform anyone whose personally identifiable information is disclosed in a security breach. Even if you aren’t subject to a mandate, don’t wait. The resulting bad publicity could do more damage to your organization than the original cyberattack. That’s why it’s important to include PR and communications specialists when responding to any incident of this kind.
Information provided on this web site “Site” by Thompson Greenspon is intended for reference only. The information contained herein is designed solely to provide guidance to the user, and is not intended to be a substitute for the user seeking personalized professional advice based on specific factual situations. This Site may contain references to certain laws and regulations which may change over time and should be interpreted only in light of particular circumstances. As such, information on this Site does NOT constitute professional accounting, tax or legal advice and should not be interpreted as such.
Although Thompson Greenspon has made every reasonable effort to ensure that the information provided is accurate, Thompson Greenspon, and its shareholders, managers and staff, make no warranties, expressed or implied, on the information provided on this Site, or about any other website which you may access through this Site. The user accepts the information as is and assumes all responsibility for the use of such information. Thompson Greenspon also does not warrant that this Site, various services provided through this Site, and any information, software or other material downloaded from this Site, will be uninterrupted, error-free, omission-free or free of viruses or other harmful components.
Information contained on this Site is protected by copyright and may not be reproduced in any form without the expressed, written consent of Thompson Greenspon. All rights are reserved.
Ready to talk to one of our specialists?
Our specialists are all seasoned professionals who have years of experience working within your industry. Reach out to us today to schedule a consultation.