Cyberattacks and data breaches are so commonplace in the news now that it would be easy to miss the changing trend in where these attacks are focused. Financial institutions and banks will always be prime targets because of the information they hold, but the marked increase in attacks aimed at nonprofit organizations, and at charitable and educational institutions in particular, is not as well understood.
It is important first to remember what these attackers value: personal information they can exploit for their own financial gain. Nonprofits are more likely to hold a larger cache of personal information, in far more detail, than many for-profit companies, and that depth makes the information all the more valuable. In fact, a full personal information record sells for a great deal more than most other types of data on the dark web. Credit card information sells for about 25 cents; medical records sell for approximately $2.50; a personal data record sells in the $25 to $30 range, depending on how much information it contains.
It’s the very nature of the information collected that makes nonprofit information so valuable to malicious actors, and charitable organizations rate even higher. Think of the information present in a typical charitable organization’s database:
- donor rolls and all of the personal identification information kept on each donor
- names, addresses, and email addresses on mailing lists
- corporate sponsors, their information, and the record of their donations and support
- the names of every board member, employee, and volunteer who does work for the charity, along with their personal information
- all of the financial and banking information of the organization itself
While these organizations are not alone in possessing this type of data, what makes them such a valuable target is that criminals choose the path of least resistance: they want the biggest return for the least work. It is the very nature of these organizations that leaves them so susceptible to attack.
Nonprofit organizations tend not to have large operating budgets, especially for internal matters, which leads to a disproportionate lack of funding for IT infrastructure compared with for-profit organizations. Historically this has meant information systems that are less robust and often not running the advanced data protection systems that can cost for-profit enterprises hundreds of thousands of dollars. Nonprofit IT departments also tend to be understaffed and overtasked. These two factors make it harder to keep an organization at its highest possible security level.
There are actions an organization can take to improve its security footprint. Recent reports show that 91 to 93 percent of spam email contains malware, and 97 percent of that uses some form of phishing attack. Two of the most common forms are spear phishing and whaling, or business email compromise. Spear phishing targets a specific individual or role within an organization, and the email is crafted around that person's role and interests: it might take the form of a request for proposal, an offer of funding, an unpaid invoice, or an invitation to follow up if you're interested. Business email compromise impersonates a high-level board member and requests that information be sent, such as W-2s for all staff or an updated listing of the donor rolls; it will often request that a wire transfer be sent to an account.
The very nature of the people who work for charitable organizations is also what makes them more susceptible to these attacks. Their inherent good nature and desire to help others leave them prone to falling prey. Limited staffing, low investment in infrastructure, and a large number of volunteers leave an opening that attackers look to exploit. The training and education often present in for-profit enterprises with much larger operating budgets is frequently missing.
There are actions your nonprofit organization can take that do not require a large investment. One of the simplest, and least expensive, to implement is a training program for your staff. The vast majority of attacks arrive through fraudulent emails, so a training regimen that teaches all staff, volunteers included, how to identify fraudulent emails is an excellent opportunity to improve the security posture of a nonprofit organization. Learning the most common methods and how to spot them, along with creating a culture of informed caution, greatly reduces the risk of a data breach. Processes should also be established that require double confirmation, through a separate channel, of any request to transfer funds from the organization. This is a good start toward turning your organization into one that isn't an easy target: one that requires far more work than the payout is worth to the attackers.
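The two business email compromise patterns described above (a leader's name on a message that did not come from their mailbox, and a request for funds or personal records that must be confirmed through a separate channel) can be turned into a simple inbound-mail screen. The following is an added example written for this page, not code from the article or any product it mentions; the organization domain, staff directory and sample messages are all constructed, and the keyword lists are drawn only from the request types the article names.

```python
import re
from email.utils import parseaddr

# Constructed organization directory for this example: the senior people an
# attacker would most plausibly impersonate, mapped to their real mailboxes.
ORG_DOMAIN = "example-charity.org"
SENIOR_STAFF = {
    "dana whitfield": "dwhitfield@example-charity.org",
    "marcus lee": "mlee@example-charity.org",
}

# Request types the article lists as typical asks (wire transfers, W-2s, donor
# rolls, unpaid invoices) plus the pressure words that usually accompany them.
SENSITIVE_REQUEST = re.compile(
    r"\b(wire transfer|wire|w-?2s?|donor (?:rolls?|list)|invoice|gift cards?)\b",
    re.IGNORECASE,
)
URGENCY = re.compile(
    r"\b(urgent|urgently|immediately|today|asap|confidential)\b", re.IGNORECASE
)


def _domain(addr: str) -> str:
    return addr.lower().rsplit("@", 1)[-1] if "@" in addr else ""


def screen_message(from_header: str, reply_to: str, subject: str, body: str):
    """Classify one inbound message.

    Returns (verdict, reasons) where verdict is one of:
      'deliver'             nothing of note
      'verify-out-of-band'  a funds/records request; confirm by a second channel
      'hold-for-review'     a leader's name on someone else's mailbox, or replies
                            redirected outside the organization
    """
    reasons = []
    name, addr = parseaddr(from_header)
    addr = addr.lower()

    # 1. Display-name impersonation: a known leader's name, a different address.
    expected = SENIOR_STAFF.get(name.strip().lower())
    if expected and addr != expected:
        reasons.append(f"display name '{name}' but sender address is {addr}")

    # 2. A Reply-To outside the organization silently redirects the conversation.
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if _domain(rt_addr) != ORG_DOMAIN:
            reasons.append(f"reply-to routes to {_domain(rt_addr)}")

    impersonation = bool(reasons)

    # 3. Money or personal-record requests need a second channel whoever sent them.
    text = f"{subject}\n{body}"
    if SENSITIVE_REQUEST.search(text):
        reasons.append("requests funds or personal records")
        if URGENCY.search(text):
            reasons.append("uses pressure language")
        if not impersonation:
            return "verify-out-of-band", reasons

    if impersonation:
        return "hold-for-review", reasons
    return "deliver", reasons


# Constructed sample messages (from_header, reply_to, subject, body); not real mail.
SAMPLES = {
    "exec-impersonation": (
        "Dana Whitfield <dana.whitfield@webmail.example>", "",
        "Urgent wire transfer",
        "I'm in meetings all day. Please send a wire transfer to the account below today.",
    ),
    "legit-but-sensitive": (
        "Marcus Lee <mlee@example-charity.org>", "",
        "Board packet",
        "Can you send me the updated donor rolls for Thursday's meeting?",
    ),
    "reply-to-redirect": (
        "Dana Whitfield <dwhitfield@example-charity.org>",
        "dana.whitfield@webmail.example",
        "Unpaid invoice",
        "Please process the attached invoice this week.",
    ),
    "routine": (
        "Volunteer Coordinator <volunteers@example-charity.org>", "",
        "Saturday food drive",
        "The sign-up sheet is attached. Thanks for helping out!",
    ),
}


def screen_samples():
    """Run every constructed sample through the screen; used by the demo below."""
    return {label: screen_message(*msg) for label, msg in SAMPLES.items()}


if __name__ == "__main__":
    for label, (verdict, reasons) in screen_samples().items():
        print(f"{label:22} {verdict:20} {'; '.join(reasons)}")
```

Note that the second sample is a genuine message from a real leader and is still routed to out-of-band confirmation, because the article's process applies to every funds or records request, not only suspicious ones. A screen like this complements, rather than replaces, SPF, DKIM and DMARC enforcement on the receiving mail system: those checks cover a forged sender address, while the display-name and Reply-To checks here cover the cases where the address is technically legitimate but the conversation is being steered elsewhere.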