Each year during tax season, a new data breach or phishing scheme reminds us how important cybersecurity is to all of us and to our organizations. It is important to understand the risks associated with these data breaches and the best practices that protect your organization from further damage.
Regardless of the focus of your not-for-profit, technology is now a part of everyday life and business. And if you collect donations as most not-for-profits do, you probably are collecting and storing, in some capacity, sensitive information that hackers may find very valuable in an attack (such as names, addresses, credit card information, etc.).
If your organization accepts credit card payments through a third-party payment processor subject to the Payment Card Industry (PCI) Security Standards, you need to understand that such vendors are expected to meet minimum requirements in payment processing at all times. These PCI Standards apply regardless of business size, whether a sole proprietor or a mega-corporation, when accepting and processing credit card payments. The criteria were developed by industry agreement among many of the major credit card companies in the market and include the following:
- Network – All vendors will be expected to construct a secure network and support system that includes a firewall design for cardholder data protection at all times.
- Passwords – All passwords must be set by the vendor; default or generic passwords supplied with systems must be changed and never left in place.
- Cardholder Data Protection – All cardholder data must be encrypted during transmission across any open or public network, i.e. the Internet.
- Active Protection – The payment processing system must be actively protected against viruses, malware, and similar software threats.
- Restrict Access – All cardholder data must be treated as restricted. Access to specific records should only be allowed on a need-to-know basis for specific processing functions. No general access should be allowed.
- Access Validation – Any authorized access should be validated with identity and authorization before being allowed into the system.
- Physical Protection – Physical storage or copies of cardholder data, such as data stored on servers or on portable drives, must be restricted at all times.
- Regular Testing – Payment processing and data storage networks should be tested regularly for weaknesses and signs of break-in. Network activity should also be monitored, especially for sudden spikes in data transfer and bandwidth.
- Policy – The payment processor should develop and have an updated security policy in place at all times for personnel to reference and follow.
Although the outline above describes requirements that any business of any size must meet in order to accept credit card payments, the goals and requirements are a good starting point for any organization looking to see how its IT systems and cybersecurity stack up.
Even if your Organization has strong IT and cybersecurity, you are still susceptible to data breaches, in particular phishing schemes or spoof emails, as a result of human error. The CEO Fraud scam is a particularly nefarious scheme that has been in the public eye recently. This scheme involves emails to an employee in the human resources department requesting copies of year-end tax forms. The emails appear to come directly from the Organization’s top executive. The recipient unwittingly fulfills the request and provides the criminals with all of the information needed to steal the identities of employees. The IRS has identified the following details from actual CEO Fraud emails:
- Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, and Salary)?
- I want you to send me the list of W-2 copies of employees’ wage and tax statements for 2015, I need them in PDF file type, and you can send it as an attachment. Kindly prepare the lists and email them to me ASAP.
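As an added illustration that is not part of the original article, the following Python scores an incoming message against the three markers the scheme relies on: an executive's display name on an address outside the organization, a Reply-To that diverts the answer elsewhere, and a body that asks for W-2 or employee data using the phrasing from the IRS samples above. The organization domain, executive name and the sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organization's own mail domain and the
# display names of executives an attacker would want to impersonate.
ORG_DOMAIN = "nonprofit.example"
EXECUTIVE_NAMES = {"jane doe"}

# Phrases taken from the IRS samples quoted above.
REQUEST_PATTERNS = [r"\bw-?2\b", r"social security number",
                    r"earnings summary", r"wage and tax statements?"]

# Constructed sample message in the shape of the scheme described on the page;
# every name, address and domain here is made up.
SAMPLE_EMAIL = """From: "Jane Doe" <jane.doe@mail-example.net>
Reply-To: ceo-private@webmail-example.org
To: payroll@nonprofit.example
Subject: quick request

Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all
W-2 of our company staff for a quick review.
"""

def score_message(raw):
    """Return (score, reasons) for one raw RFC 822 message.

    Each header anomaly counts 2 points, each sensitive-data phrase 1 point;
    a score of 3 or more is worth holding for a phone call to the named sender.
    """
    msg = message_from_string(raw)
    reasons, header_flags = [], 0
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # 1. An executive's display name on a message sent from outside the org.
    if name.strip().lower() in EXECUTIVE_NAMES and domain != ORG_DOMAIN:
        header_flags += 1
        reasons.append(f"executive name '{name}' on external sender {addr}")
    # 2. Replies silently routed to a mailbox other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        header_flags += 1
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    # 3. The body asks for tax forms or employee personal data.
    body = msg.get_payload(decode=True).decode(errors="replace").lower()
    hits = [p for p in REQUEST_PATTERNS if re.search(p, body)]
    if hits:
        reasons.append(f"asks for payroll data, matched {hits}")
    return 2 * header_flags + len(hits), reasons
```

Calling `score_message(SAMPLE_EMAIL)` flags all three markers, while the same executive writing from the organization's own domain about a board agenda scores zero.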
Phishing schemes and cyber-attacks can do irreversible damage to an organization’s reputation and its financial stability. Criminals have realized that targeting small organizations can be a more profitable endeavor, as these organizations are less likely to have sophisticated security in place. The financial and reputational loss can cripple a smaller not-for-profit, because the breach is almost guaranteed to get publicized by local media and social networks.
Keep in mind that even if your not-for-profit does survive the reputational loss, the costs of settlements, notifying affected parties, and credit monitoring for those affected are sure to put a financial strain on the organization. These costs are not covered by general insurance but by cybersecurity insurance, which many not-for-profits either don’t carry or carry with inadequate coverage.
Remember this: The worst possible decision is to do nothing. A not-for-profit does not have to spend significant resources on cybersecurity in order to protect the organization, but it should have some funds dedicated to cybersecurity. So what can not-for-profits do to protect themselves?
- Risk Assessment. Understand the nature of the sensitive data you store and how it is stored. This will help you target vulnerabilities and concentrate your limited resources on the areas that pose the most risk. Understand that certain activities, such as accepting credit cards (which means collecting sensitive data) or submitting payroll to a third-party provider, put the organization at risk.
- Have a data security program that encompasses awareness, training, procedures, and an incident response plan. A third-party consultant can help you set up such a program in the most cost-effective and efficient way.
- Secure the network. Wireless networks and bring-your-own-device practices can put an organization at risk. The organization’s network needs to be secured, with plans in place in case of a data breach.
- Review your cybersecurity insurance. This type of insurance is generally very inexpensive right now. Review your insurance policies to determine the extent of your coverage and discuss with your provider whether the coverage is adequate for the nature and size of your organization. Having the right amount of insurance will help ensure that your organization survives the financial impact of a cyber-attack.
- Get technical help. Most not-for-profits don’t have the resources to hire the type of IT expertise necessary to protect the organization. Recognize your IT limitations and consider working with a qualified third party. A consultant can help identify risk as well as set up and manage your network and a data security program.