By Reggie Novak, CPA, CFE
Ciuni & Panichi, Inc. senior manager and certified fraud examiner
Is Your Not-for-Profit a Sitting Duck?
Not-for-Profits generally have limited administrative personnel and often lack dedicated IT staffers. They also typically have smaller budgets for technology solutions such as firewalls, antivirus programs, and intrusion protection. It’s no surprise, then, that the nonprofit sector is one of the most frequently compromised by hackers.
Your Not-for-Profit’s computer network probably contains a wealth of data to entice hackers — for example, donor information, including names, addresses, credit card numbers and bank account information. Also coveted by cybercriminals are personnel data, such as employee Social Security numbers and direct deposit information, and accounting records related to payroll, payables, banking, investments and other financial functions.
Hospitals and other Not-for-Profit health care organizations that collect and store patient data, including medical records and insurance information, are particularly vulnerable. Colleges and universities also are popular targets because of their multiple networks and many users — that includes students who participate in risky online behavior such as illegal file downloading.
Is your defense strong enough?
Most Not-for-Profits are already familiar with protections such as firewalls and antivirus programs. And as long as you keep your programs current and download updates as soon as they become available, you can count on some measure of cyber security.
But your defensive strategy should extend to include policies and procedures, such as data-handling rules. Overworked staffers may neglect to weed out old files, so it’s important to implement procedures for disposing of sensitive data that’s no longer needed. Key data and systems should be backed up regularly, and the backups stored in a safe offsite location. Because Not-for-Profit employees often share responsibilities, be sure to create accountability for specific jobs.
Training for staffers, volunteers and board members is critical, too. For example, your network’s users should be made aware of such issues as e-mail scams and “social engineering,” where criminals manipulate people into volunteering passwords and other information. Also educate your employees about the proper use of laptops and mobile devices.
Finally, consider taking proactive steps against an attack by hiring a “white hat” hacker. This consultant uses the latest techniques to test your network and devices for holes so that you can plug them.
Are you up for a fight?
Of course, a robust cybercrime-fighting program takes time and at least a small bite out of your Not-for-Profit’s budget. Convincing your board that such expenditures are necessary may be tough.
Increasingly, nonprofits are creating technology committees led by tech executives or other knowledgeable board members. If your board lacks tech expertise, make recruiting someone who understands the need for cyber security — and how to achieve it — a priority. Your tech committee might be tasked with creating policies, determining budgets, evaluating software and products such as cyber liability insurance, and planning how your organization would respond to a cyber attack.
If your tech committee plans to act as first responders to a cyber security incident, be sure to include a public relations expert in the group. The timing and wording of communications can significantly affect how the media and your organization’s stakeholders respond to an event.
Thwarting cyber thieves
Unfortunately, cybercrime will continue to threaten organizations of all types. Join us for a free seminar to learn more about how you can protect your organization on Thursday, April 21 at 7:30 am at the Doubletree Independence, 6200 Quarry Lane, Independence. Click here for more details and to register for the event.
Reggie Novak is a Senior Manager in the Audit and Accounting Services Group. As a Certified Fraud Examiner, Mr. Novak can assist you with prevention services, including recommending internal controls and other measures to be implemented to prevent theft or misappropriation. If fraud is suspected, he can investigate and present his findings and recommendations. Contact Reggie Novak at 216.831.7171 or firstname.lastname@example.org for more information.