Why cyberdefenses are worth the cost: These tips can help not-for-profits and other organizations minimize the risk of potentially devastating data breaches.

Author:Shelhart, Mark

Yes, all organizations are vulnerable, and yes, you've heard the warnings that it's likely only a matter of time before a data breach happens at your organization. But how do data breaches apply to not-for-profit (NFP) organizations? Why would anyone want to target an NFP?

The primary motivation for today's attacks is to acquire information and money. Every new person a hacker can identify can be a new victim or opportunity, and NFPs possess information about donors that may be very useful to hackers. Some in the health care sector, such as hospitals, have electronic health records (EHR) that may be worth more than $1,000 each (i.e., the EHR for one person) on the black market, according to a 2017 Forbes article.

NFPs host an array of potentially valuable information, from donor lists and profiles to employee and client files containing Social Security numbers and other sensitive data. Even if your organization is 90% volunteers and consists of little more than a tent-based medical camp, attackers realize that you likely have data and funds they can target. On the other hand, your organization might be a large, well-established NFP. Perhaps you have an IT staff that supports computers for hundreds of other staffers across multiple sites. Regardless of the size or sophistication of the organization, an NFP that falls victim to a ransomware attack might prefer to pay an attacker instead of having operations paralyzed for any amount of time and perhaps damaging its reputation (see the sidebar "Ransomware").

A lack of IT resources devoted to cybersecurity can make NFPs appealing to hackers. But regardless of the type or size of your organization, you can choose from multiple options to enhance your security against attacks. These tips can help any organization guard valuable systems and data.


Educate your employees regularly about new attacks and risks. You can provide this education in many ways, including online training (perhaps through a company intranet) or written documentation provided in a simple, user-friendly format.

Consider monitoring the news for security incidents and passing along those articles to your staff. Staying informed about recent attacks can be a great form of defense.

It doesn't cost much to warn users against opening malicious files and clicking on links. To prevent wire or Automated Clearing House (ACH) fraud, educate employees on when to be suspicious of certain messages or email addresses (see the sidebar "Wire Transfer and ACH Fraud").

Management support goes hand-in-hand with security awareness training. Employees should be able to contact their superior and ask, "Are we sure about this?" or "Is this real?" without any fear of reprimand. Management must emphasize that missing a deadline to get confirmation from a superior is better than taking the risk of sending money to the wrong...

To continue reading