6 Barriers to Improving Cyber Security for Nonprofits and Charities
Charities and nonprofit organizations aren’t immune to cyber attacks.
In the NetDiligence 2016 Cyber Claims Study (PDF) – a study that provides comprehensive analysis of insurers’ claims on losses sustained from data breaches and other kinds of cyber events – showed that out of the 176 cyber claims submitted for the study, 11% of the claims were from the nonprofit sector.
“Breaches are not just for the Fortune 500 companies anymore," NetDiligence said. "The majority (87%) of claims submitted for this study are for organizations with revenues less than $2B."
The recent "Cyber security among charities" study commissioned by the UK Department for Digital, Culture, Media and Sport and carried out by Ipsos MORI revealed that charitable organizations aren’t considered as off-limits by cyber criminals. Charities interviewed in the study shared that they experienced a wide range of cyber breaches or attacks.
In one case, a charitable organization reported substantial financial loss after the CEO's email was hacked and the malicious hacker sent out a fraudulent message to the charity’s financial manager with the instruction of releasing funds to pay for new equipment.
Another case involved the taking down of the website of a mid-sized organization on numerous occasions. The first attempt to bring the site back took the hosting company 10 days.
In another case, one charity found that its website was injected with a malicious code. Although the organization eliminated the malicious code two years ago, the organization felt the incident had a negative impact on its online reputation as a warning about its website saying it could have been hacked shows up in the Google search results.
The Ipsos MORI study revealed that cyber breach isn’t enough to motivate some charities to enhance cyber security. When breaches such as websites being taken down or staff emails being hacked made no impact on their operations, charities continue “without any changes – highlighting that charities were not necessarily learning from these attacks,” according to the Ipsos MORI study.
Here are the 6 barriers to improving cyber security for nonprofits and charities:
1. Cyber Security Viewed as an Unaffordable Luxury
The study found that some charities consider cyber security as an unaffordable luxury. Some stated that if their budgets increased, they would rather spend the money on other areas such as core service provision and fundraising.
“We need to make sure we are taking the right precautions to safeguard our information … but we have other priorities – difficulties with cash coming in, and a restructure last month,” a £500,000+ annual income, international aid charity said.
2. Cost-Cutting Culture
Many of today’s charities, according to the study, have a strong cultural emphasis on cost-cutting, which makes it difficult or challenging to justify cyber security cost. This emphasis on cost-cutting led some charities to value cost than quality, for instance choosing the cheapest cyber security provider at the expense of sacrificing quality service.
This cost-cutting culture is also evident in charities’ reluctance to upgrade to the latest software or hardware. When the WannaCry ransomware was released to the wild by cyber criminals last May, many nonprofit and charitable organizations fell victims to this malicious software.
A number of UK’s National Health Service (NHS) Trusts – nonprofit organizations that are part of the NHS but have more freedom in how they run their hospital – were affected by WannaCry ransomware for using outdated or unsupported desktop operating systems.
3. Deprioritizing of Some Cyber Risks
The study showed that charities consider loss of funds and loss of personal data (for example donors’ list) to be a major risk as they’re viewed as an existential threat. On the other hand, loss of non-personal data files (for instance data lost to ransom attack especially when the data is backed up) and loss of business (for example a website take down) aren't considered as major cyber risks as they aren’t viewed as an existential threat.
4. Cyber Security Viewed as a Common Sense Issue
The study found that some charities view cyber security as a common sense issue and, therefore, shouldn’t need much thought or investment. Instead of taking pre-emptive action, these charities would simply ask their staff to be sensible and to take a common sense approach.
5. Lack of a Central Office
Some small and mid-sized charities have no central office. This is an offshoot of the cost-cutting culture of nonprofit and charitable organizations. Organizations with no central office allow their staff to use personal devices – opening up susceptibility to breaches via personal devices. These organizations also change their board of trustees every year, resulting in regular change of the base of the organization.
6. Lack of IT Awareness and Skills
The study found that most charities don’t have an internal specialist who has the technical skills to cover cyber security. Hiring an internal IT specialist is seen as unaffordable and unnecessary as the organization views itself not as a target of cyber attacks. Most of these organizations leave the cyber security responsibility to individuals who have existing duties and responsibilities in the organizations, such as fundraising, finances, communications or general operations.
Many of the smaller and long-time running charities are also often run by older trustees, who might lack IT awareness and knowledge. This may limit the organization’s engagement with cyber security professionals or to find people inside the organization who could advocate for the organization’s better cyber security.
In Canada, the implementation of the Digital Privacy Act may spur cyber security awareness among nonprofit and charitable organizations. The law requires “organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner.”
An organization that knowingly violates the breach notification requirements may face fines of up to $100,000 per violation. The implementation of the Digital Privacy Act – passed into law on June 18, 2015 – is seen as the country’s first step of bringing its data protection law in line with the rest of the world.
Steve E. Driz