Bill Ayens, senior instructor of information systems at the UCCS College of Business, informs nonprofit professionals about needed security measures.
Bill Ayens, senior instructor of information systems at the UCCS College of Business, informs nonprofit professionals about needed security measures.

When it comes to cyber vulnerabilities, no business is exempt.

But for nonprofits, the stakes are different. Charitable organizations maintain client records and donor information that, if compromised, could potentially put an end to their mission. So how do nonprofits invest in complete security measures with limited budgets and staff?

To give nonprofit professionals more perspective, UCCS’ College of Business hosted a two-day seminar Feb. 15 and 22 about basic cybersecurity terminology, organizational impacts from cyber incidents and methods nonprofits can use to tighten systems to include implementing consistent security policies, password protection and employee training.

Risk management

Bill Ayen, senior instructor of information systems for the College of Business, hosted the seminar, where he shared tips on protecting sensitive information.

Continuing to identify security risks within an organization is essential, he said. Nonprofits should develop checklists or scenarios to identify risks early on.

“It’s easy to identify a risk after it happens, but if it’s after the fact, an organization’s options are limited,” Ayen said. “Come up with scenarios and say, ‘What if this happened now? What are some of the current vulnerabilities?’ Sit down with staff to brainstorm what is at risk.”

- Advertisement -

And prioritize risks specific to leadership roles, Ayen said.

“The IT guy doesn’t understand from an enterprise standpoint what the biggest impact is for the organization, because he only knows bits and pieces,” he said. “By evolving at the highest levels, you can determine the impact from an entire organizational standpoint.”

Risk impacts are considered either qualitative or quantitative, according to Ayen. Quantitative risks use hard data within an organization to measure an incident’s financial impact, whereas qualitative risks use soft data and scenarios to gauge impact.

“And once you’ve identified threats and vulnerabilities and have implemented mitigating controls, an organization will reduce risk, with only residual risk remaining,” he said. “It’s impossible to eliminate all risk, but [these are good steps] to becoming more secure.”

Passwords and policies 

Using secure passwords, changing passwords and having a defined bring-your-own-device policy are security essentials for any organization, Ayen said.

A BYOD policy allows employees and contractors to work from their own device, such as a personal laptop. The organizational data that can be accessed, stored and shared depends on the policies of each business.

Some session attendees said their organizations don’t allow workers to access information unless they use PCs owned by the nonprofit.

“The first line of defense is people,” Ayen said. “Who has a key or proximity card? A lot of companies don’t have protocols in place, especially nonprofits, when people transition out of the organization. If someone is no longer employed, within two hours, do they still have access to the facility or database?”

And volunteers should not be ignored when it comes to security, he added.

“The risk could be an insider such as a volunteer, vendor or contractor; someone who is given inside information,” he said. “Pay attention to their access.”

A nonprofit’s reputation is vital as they’re dependent upon the trust of donors. Ayen said if a nonprofit has an incident that erodes trust, the organization could easily go out of business.

“It not only hurts them but their clients,” he said. “If clients’ data is compromised — say credit card or personal information — [the nonprofit] will lose clients, which could lead to [not making] payroll next month. They can’t go to their stockholders and get more [money].”

Dana Lightsey is the minister of High Plains Church Unitarian Universalist in Colorado Springs. She said the organization consists of four paid staff and relies heavily on its volunteers.

“We have about 70 [people] a year who help with everything from working at the soup kitchen [to] helping with finances and building and grounds maintenance,” she said.

Lightsey said the UCCS session shed light on needing a systematic approach to security, for both employees and volunteers.

“It just seems like security is becoming more of a concern all of the time,” she said. “We need to make sure the right people in the organization know how to access different things for backup. Who does have access to QuickBooks? Do past treasurers still have access? We have to keep track of what is going on with everyone connected to our finances.”

Emerging threats

Since the National Cybersecurity Center started operations in November, the nonprofit has supported five organizations following a cyberattack. NCC Chief of Staff Eric Hopfenbeck said a popular attack during tax season includes hackers attempting to obtain sensitive information via email.

“They will try to get an employee to send them their W-2 tax form so that they can sell it on the Darknet,” he said.

Hopfenbeck said nonprofits can take other basic measures to enhance security, such as educating employees on the danger of clicking on unfamiliar emails or attachments; securing Wi-Fi with complex passwords; encouraging employees to change passwords regularly and using anti-virus software.

“This does not mean the organization is fully protected,” he said. “It is simply the first line of defense.”

Awareness and training is key, he said, with 70-80 percent of cyberattacks carried out through email, in the form of phishing — where a hacker sends an email and requests sensitive information from the recipient.

The NCC provides high-level trainings for C-suite employees and board directors and can assist nonprofits, he said.

“Currently we have limited operations to respond to a cyber attack, but we are hoping to build that out over the course of 2017,” Hopfenbeck said, “We will also have an education and training component fully operational later this year.”