Special to the Philanthropy Journal
By Ted Devine
The bulk of nonprofit executive directors aren’t sleeping very well, at least according to “Trend Spotters: What Keeps You Up at Night.” What has them tossing and turning? Unsurprisingly, 85 percent of respondents identify worries about adequate funding as the cause for sleepless nights. What is surprising, however, is that only 51 percent articulated concerns about online fundraising.
Online fundraising is convenient, but it also opens the door for data breaches, which can damage an organization’s reputation and impact future funding. However, with the proper cyber security measures, executive directors may not lose more sleep over their digital fundraising efforts.
How a Data Breach Can Hurt an NPO
When it comes to fundraising, more nonprofits are exploring online and mobile giving solutions. The Blackbaud Index shows online giving was up 7.5 percent in September this year, and a quick review of prior months indicates this trend will continue. Offering online options is a sensible move considering the data from the Internet Trends 2015 – Code Conference report Sean Milliken cites in “Impact of Mobile on Charitable Giving.” According to the study, digital media usage has leapt from 2.7 hours to 5.6 hours per day in just seven years.
Going where the people are is smart, but it isn’t without risk. Online transactions draw the kind of troublemakers that can hurt your fundraising efforts. Hackers with malware can make your donors’ private information public, but so can employees who open phishing emails, lose their laptops, or send emails without double-checking the recipient list.
Breaches hurt board members, too. Their names are tied to the organization’s work, and the bad press that follows a breach can overshadow an otherwise exemplary work record. Worse, breach victims may name board members in a negligence lawsuit, costing them time and money to fend off even if they played no role in the breach. The damage to the board usually exacerbates the nonprofit’s plight because it may mean losing talent that is integral to the organization’s success.
Best Cyber Security Practices to Protect NPO Data
The good news is that most data breaches are avoidable. According to Online Trust Alliance’s 2015 Data Protection & Breach Readiness Guide, 90 percent of data breaches in the first half of 2014 could have been prevented through simple controls and security practices.
Some aspects of cyber security can be expensive and time-consuming, making them unsound for any nonprofit watching its budget. However, some security measures are relatively easy and inexpensive, such as…
- Installing and updating antivirus software.
- Educating personnel on phishing scams and malware.
- Requiring proper disposal of paperwork and old equipment.
- Requiring strong passwords with an eight-character minimum.
- Using mobile devices with automatic lockouts and wiping capabilities.
- Specifying a standard of care in service provider contracts.
- Requiring authentication on all inbound and outbound email.
- Creating guidelines for employees who use their personal mobile devices.
- Limiting access to personally identifiable information.
Unfortunately, even with these best practices, data breaches can still happen. Cyber security experts like to say, “It’s not a matter of if, but when,” so nonprofits should have a data breach response plan in place, too (see this example from Experian for ideas). Additionally, nonprofits can invest in cyber liability insurance to help them handle breach expenses, such as donor notification costs, credit-monitoring services, PR costs, and legal fees if someone sues.
One caveat: cyber liability insurance is a new product for the insurance industry, which means carriers are still struggling to standardize its use. A nonprofit’s board member named in a cyber lawsuit may not be covered by a particular policy. However, cyber security can be interpreted as part of the board’s fiduciary duty, so a breach lawsuit may trigger a nonprofit’s directors and officers insurance. It’s a somewhat tricky area that is best discussed with an insurance professional who has experience with both coverages.
Cyber security best practices may not solve every problem, but they may mean a better night’s sleep for some directors.
Ted Devine is the CEO of Insureon, the leading online provider of small business insurance. Prior to joining Insureon, Devine held senior leadership positions at Aon Corporation and McKinsey & Company. He lives with his family in Chicago.