I am not a robot. Security measures are crucial when it comes to small business and nonprofit cybersecurity. We’ve all been on a website where we have to check the appropriate boxes to prove we aren’t a robot. The “check all the boxes that include a crosswalk or street sign” type of test reveals our humanity, because nothing reveals my humanity more than my impatience with this additional step between me and those Taylor Swift tickets.
However, there is a reason highly trafficked websites—especially ones that handle financial information—have multiple layers of security: cyberattacks are costly. (Even more costly than my highly sought-after Taylor Swift tickets.)
There is a cyber hacking attempt every 39 seconds, equating to about 800,000 or more people being hacked yearly. Targets range from large businesses to individuals and nonprofits, and churches are not exempt. They’re even receiving special attention from hacking groups.
There was a total of $485 billion in charitable giving in 2021, meaning nonprofits are becoming prime targets for cyberattacks. While most would only consider the amount of money stolen during a breach, there are several other mounting costs when attempting to bounce back after a breach, like legal fees, remunerations, and any added cybersecurity deemed necessary.
However, there is more to consider regarding nonprofit cybersecurity than merely a loss of money. If you’re a victim of a nonprofit cyberattack, you’ll likely lose the trust of any client, donor, or church member who may have had their information compromised in the process.
You’ll spend hours upon hours reassuring people and crafting a statement and FAQ on how this happened and why it won’t happen again. Sadly, many institutions will have to permanently close their doors after a cyberattack because of how costly the entire process is. Unlike Ms. Swift, you won’t be able to just shake it off.
At this point, you might be asking why I keep referencing Taylor Swift, and I honestly don’t know. I do know that there are a few practical things you can do within your church or nonprofit to ensure that you shore up your defenses and have great cybersecurity.
(Also, it’s been 39 seconds, and there was another cyberattack.)
Cybersecurity aims to protect what is called the CIA triad: confidentiality, integrity, and availability. Confidentiality is precisely what it sounds like: keeping sensitive information (financial information, medical records, etc.) confidential. Integrity is about ensuring your data hasn’t been altered without your knowledge. Availability means all your systems (networks, access points, servers, etc.) remain available and haven’t been damaged or compromised.
One of the first lines of defense in cybersecurity is virus protection, scanning, and removal. This can be as simple as Norton Antivirus, which can be loaded on individual computers to help protect against viruses or malware, and can also be used as a firewall to protect your device from hackers, phishing, and other cyberattacks.
Forty years ago, the motivation for hacking was street cred, like how hacking is often portrayed in movies or TV shows, but now, it’s almost exclusively financially motivated (98%). This can be done by stealing financial data but also by cybercriminals demanding a ransom. (39 seconds) When there is a breach, information is essentially held like a hostage and destroyed unless a ransom is paid.
Often, something like this won’t happen to a church or nonprofit, but it’s essential to realize that the motivation for cyberattacks is almost always financial gain. This makes charitable institutions ripe for attack, especially considering that about 70% lack appropriate nonprofit cybersecurity measures.
Passwords should be at least 12 characters long and include complexity, such as numbers and special characters. An 8-character password with no symbols or numbers can be hacked easily in minutes, so something longer and more complex gives you an extra layer of protection. Additionally, two-factor authentication (TFA) adds another layer of security, especially when accessing shared data or websites like Google Drive or Dropbox.
(Yet again, it’s been 39 seconds.)
If you use Google Drive, Dropbox, or other cloud-based services like these, it’s essential to have a couple of good practices around using them, especially in the context of nonprofit cybersecurity. Use caution when downloading information from one of those services to your computer: if the file contains sensitive data, like donor information, it can now be accessed by hacking your computer, which is less secure than something like Google Docs.
As part of access control, it’s crucial to audit your organization to ensure that no one has access to something they don’t need or shouldn’t see. You wouldn’t want an intern to be able to access giving statements on their personal computer, so it’s important to know who has access to what.
It’s good practice to have one password-protected Wi-Fi network reserved for staff and a separate guest network. The reason for a strong, protected staff network is that it’s where all your sensitive information lives, and increased risk comes with increased access. Imagine giving anyone who has ever visited your house their very own key. This is the same idea.
Over 75% of targeted cyberattacks start with an email, so it’s important to discuss this with staff and volunteers within your organization. Many volunteers at churches and nonprofits are less experienced with email and with what a suspicious email might look like. (39 seconds.) This is an excellent opportunity to help educate key leaders in your church or nonprofit about how a suspicious email might look.
It’s equally important to remove the stigma and shame connected to not understanding phishing or cybersecurity. It’s healthy to have open lines of communication, and simply asking a coworker to take a look is a good habit whenever you want a second opinion on something.
Many people who work in cybersecurity would be willing to help; they’re just waiting for you to ask. Like most of us, we appreciate when someone asks for our help and are far more likely to chime in when asked rather than speak up on our own. Are you involved in cybersecurity and looking for people that can help out locally?
While nonprofit cybersecurity isn’t the most exciting topic, it’s become increasingly important in the last couple of years. We want to ensure you can continue your important work for years to come, and shoring up your cyber defenses and having a fresh online presence is a practical way to develop longevity in your organization.
You might not think you have the same risk of being the victim of a cyberattack as someone like Taylor Swift, but because of the nature of your work, finding donors, and dealing with sensitive information, being well-versed in nonprofit cybersecurity will have long-term payoffs. Let’s ensure you’re well protected when you might become one of the organizations that get hacked every 39 seconds.
P.S. Seven cyberattacks were attempted during the time it took to read this post; we hope none of them were harmful. Here are a few additional links for further education on cybersecurity.