Data security breaches and ransomware attacks are an increasingly common experience for organizations worldwide. This trend may be a concern identified in the Boardroom, but for many organizations the priority allocated to cyber security is still a ‘should do’ rather than a ‘must do’.
How prepared an organization is to detect, respond and recover from a cyber attack will determine its resilience following the inevitable data or security breach it will suffer some day.
Many Boardrooms, in Australia and abroad, are still stuck in a state of inaction. This could be because they don’t believe an emphasis on cyber security and security awareness is relevant to them.
As it turns out, this belief is one of many myths (“A cyber-attack won’t, can’t, will not happen to us”) that is holding down the brake pedal on what should otherwise be a high priority.
Consider three myths that are causing a similar inertia in organizations and the steps needed to become cyber-ready.
Myth #1 “My nonprofit has nothing of value to a hacker”
It may come as a surprise that nearly all nonprofits, irrespective of their size, turnover, geographic reach or mission, handle valuable information every day. With this in mind, a coherent cyber security strategy is required.
In fact, many nonprofits and charities are at an even higher risk of a security or data breach because they often rely on free software, inexpensive website hosting and, in many cases, lack the expertise to adequately protect themselves.
Data worth protecting may include:
Client, donor or trustee data
Client email addresses
Physical addresses
Passwords
Bank information or financial records
Healthcare information
Confidential email threads
What’s more, you don’t need to be on a hacker’s radar to be attacked: the vast majority of cyber attacks are carried out autonomously and automatically.
Roaming waves of malicious software can find your organization – and thousands just like it – without a person on the other end making a conscious effort to do so. In other words, you could find yourself a victim of a cyber attack without any direct motivation from the hacker. Always consider yourself a likely target and remain on high alert.
For example, in 2015, The Red Barn, a Christian nonprofit in Alabama, reportedly had its website hacked by an individual linked to terror group ISIS. The Red Barn offers equine therapy and recreational activities for disabled children and veterans. It was among a group of over 4000 similar nonprofits who also woke to find their websites full of ISIS propaganda which took advantage of poor security.
If you accept checks or credit cards payments in the mail, information that can be used to identify someone (sometimes even driver license numbers) can be intercepted or mishandled.
If staff or volunteers work from home, it’s likely they are transporting sensitive organizational and donor information home with them on unsecured USBs, laptops or mobile devices.
When one of these devices is lost or stolen it becomes a valuable commodity – it may even result in identity theft. One simple mistake, like misplacing a hard drive, can create a chain reaction of legal and ethical consequences and responsibilities.
In the event of a data or security breach, public confidence in your organization could be shattered. Public notoriety could affect your organization’s image, its ability to raise funds in the future and, in extreme cases, its continued operation.
ACTION ITEM
Nearly all nonprofits, regardless of size, handle valuable information. Ensure you have:
(1) an anti-fraud policy in place to manage internal risk
(2) formal management review of security procedures and
(3) anti-fraud/ cyber security training for staff members and volunteers.
Your organization is required to exercise fiduciary responsibility in cyber governance, regardless of its size or level of technology sophistication.
Understanding the cyber security legislation in Australia and other jurisdictions
What are the Payment Card Industry Data Security Standards (PCI-DSS)?
PCI-DSS are a set of security standards structured to help protect customers’ card data and information. The PCI DSS were developed by major credit card schemes Amex, Visa, MasterCard, Discover and JCB to limit credit card fraud.
It outlines the business requirements for the secure management of card data — including procedures, policies, networks, software design, architecture, and other security protective measures.
The 12 standards of PCI compliance are now mandatory for all organizations that store, process or transmit cardholder information.
What is the mandatory data breach notification bill?
As an example of the global changes in legislative requirements, in Australia the Privacy Amendment (Notifiable Data Breaches) Act 2016 has introduced a mandatory data breach notification regime.
This new law applies to all entities that are currently subject to the Australian Privacy Principles under the Privacy Act 1988.
Under the new law, unless an exception applies, entities must notify eligible data breaches to the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable.
This should occur after the entity becomes aware that “there are reasonable grounds to believe that there has been an eligible data breach of the entity.”
In summary, an ‘eligible data breach’ occurs where there has been:
(a) unauthorized access or disclosure, or loss of information where unauthorized access or disclosure is likely; and
(b) a reasonable person would conclude that the access or disclosure would likely result in serious harm to the individuals to whom the information relates.
These requirements should form the basis of a cyber security policy and procedures, which in turn need to be embedded into your governance framework.
Myth #2 "The cyber challenge is too new, too vast and too difficult for us to do anything about"
After seeing a high-profile data breach, you may be tempted to think ‘if a multi-national company cannot stop a cyber-attack from taking place, there’s no way we can…'
HBO, Equifax, Sony, LinkedIn, Dropbox, Oracle and Yahoo! are just a handful of examples from the long list of companies that have been hacked recently.
In light of these high-profile breaches, it can be tempting to think there is nothing you can do, especially in the case of limited resources or infrastructure. What’s more, in many cases, nonprofits are understaffed and heavily reliant on volunteers rather than paid professional staff.
However, those who choose to do nothing more than ‘wait and watch’ are putting themselves at risk of significant financial, competitive, and reputational damages when a data breach finally occurs.
Reasonable diligence, not perfection, is required by all organizations that are faced with cyber threats.
With a tide of new regulation, Directors face significant repercussions if they are found negligent in their duties. High profile attacks may even spawn lawsuits on the ground of organizational mismanagement, wasting of corporate assets and abuse of control.
Despite having finite resources, your Boardroom has the same fiduciary responsibility to protect the sensitive information of its stakeholders. Approaching cyber security in an intelligent and cost-effective way is achievable.
ACTION ITEM:
The most prepared nonprofits move beyond acknowledgement to commitment. The task then becomes understanding the many risks related to cyber security and implement systems and procedures that make incremental improvements to your digital defense.
When resource capabilities are limited, consider a finding from the Australian Signals Directorate that suggests the following four strategies could have been used to thwart 85 percent of detected intrusions:
1. Prevent malicious software and unapproved programs from running by restricting the programs that can run on your system (“Whitelisting”)
2. Continually patch software applications such as Flash, web browsers, Microsoft Office, Java and PDF viewers
3. Ensure the operating systems are patched with current updates
4. Restrict administrative privileges (the ability to change settings or install software)
Myth #3 "Cyber security is a technical process for the IT department to handle"
In our work with nonprofits, it’s evident that one mental hurdle still needs to be cleared: the caricature of the modern hacker.
You are more likely to suffer a data or security breach following the actions of someone inside your organization, than a lone-wolf hacker on the outside.
A 2015 HM Government Information Security Breaches Survey found that 81 percent of large organizations reported some staff involvement in the breaches they suffered.
If an employee misuses their access to restricted material, either to cause harm or simply through negligent behavior, the results could be extremely damaging. The strongest firewall in the world can’t prevent a data or security breach if it’s facing in the wrong direction.
Cyber security calls for more holistic, business-focused approach and strategic thinking beyond the IT department.
Why is this the case? Cyber security is not just a technical problem, or extreme risk. It’s also a people problem with technology integrations. The largest threat to secure information is in fact people.
ACTION ITEM
Invest in security training: Regular training for all staff members is an important first step. Helping your staff to recognize suspicious emails (phishing emails) as well as educating them on the proper safety controls can go a long way in the protection of sensitive data. Empowering your management team to champion correct data security is a doorway into a culture of greater cyber security awareness.
Have a password policy: On a practical level, if you have a member or employee portal that grants access private information on your network via a password, it’s important to control and monitor this gateway. Do you require two-factor authentication as an added layer of security? Do you have a minimum length for passwords?
Include cyber security in your budget: Open source software and platforms are popular amongst nonprofits because they can be accessed very cheaply. However, open source means the source code is viewable (and in some cases editable) to the public.
This can create vulnerabilities in the software and compromise your security. Many older operating systems, such as Windows XP, are no longer supported with security updates and therefore make data breaches more likely.
Consider a secure online payment processor: If you receive membership dues or run conferences which collect a fee, your payment processor needs to be secure from end to end.
Reasonable Diligence, Not Perfection
Fraud and cyber threats are ubiquitous. While anti-fraud controls can effectively reduce the likelihood and potential impact of fraud, the truth is that no entity is immune to this growing threat. Your role is to protect your organization as best you can. This begins by confronting any assumptions you may have about cyber security, and beginning the process of equipping your team members and organization for the future.
