Cybercrime is being hailed as one of the biggest crises humanity will face (2019 Official Annual Cybercrime Report, Herjavec Group). It’s time for nonprofits to pay attention or face some serious consequences.
Cybercrime will impact every person, every organization.
Imagine this: your top donor, who just gave your organization a multi-million-dollar gift, calls your president to say you spread a virus to her computer through your email and the hacker got into her bank account. Think it’s farfetched? This sort of phishing (called Cross-Site Scripting or XSS for short) is the most common type of attack there is: it enables hackers to gain access to identity data of other users.
According to Accenture’s 2019 Cost of Cybercrime global survey, data breaches have increased 67% over the past three years. Yet, as of just two years ago, 70% of all U.S. employees did not understand cybersecurity (2017 State of Privacy and Security Awareness Report). Furthermore, phishing attacks represent over 90% of all data breaches and are also responsible for 92% of all malware (Verizon 2018 Data Breach Investigation Report).
How does all this relate to my nonprofit?
Just the other month, a longtime client sent me malware via their email, which had been hacked. An employee accidentally clicked on a fake link and their entire organization was impacted. All their organizational contacts were sent phishing emails, including me, their top donors, and national partners. It took months to clean up the reputational damage.
Consider this: it is estimated that half of small businesses fail after a cyberattack. What does this mean for nonprofits?
Studies show that two-thirds of all consumers will not engage with a company again after a cyberincident (Gemalto Data Breaches & Customer Loyalty Report 2018). If a nonprofit lost two-thirds of its donors or participants, it would quickly shutter. A data breach would impact not only donor or member retention but also all those your nonprofit serves and supports.
Is your organization ready to spend millions on a cyberbreach?
The Herjavec Group is predicting cybercrime will have a global cost of $6 trillion by 2021. Whether it’s a phishing or ransomware attack, cybercrimes are not something just lurking on the horizon or something that happens only in the for-profit realm.
A recent report (IBM Security and Ponemon Institute 2018 Global Cost of Data Breach Study) estimates an average cost of $148 per lost record, and a staggering $3.86 million average total cost of a full breach. Most nonprofits have more than 1,000 donor records, and most have significantly more than 10,000 records. In the education field, where there are tens of thousands of data records, 70% of all cyberattacks are ransomware (ENISA Threat Landscape Report 2018).
This is a math problem nonprofits cannot afford to ignore.
Cybersecurity is not a tech problem. It’s a people problem.
As a senior vice president of Graham-Pelton, I’ve worked with numerous nonprofits (across all sectors), and two of the things that I hear most from nonprofits about cyberissues are:
1) it’s an IT problem; and
2) they’re not big enough to be a focus for any hacker.
Yet, Norton Security reports that the U.S. is the primary target for all cybersecurity attacks, and 60% of Americans claim they or their family members have been victims of cybercrime attempts (The Harris Poll and the American Institute of CPAs).
We are all responsible for cybersecurity.
Practices such as working in unprotected spreadsheets and using unsecured personal devices (for example, laptops and cell phones) create vulnerabilities. Nonprofits, like small and large businesses, are facing real financial threats – and not just from the breach. Reputation is a hefty commodity in the nonprofit space where trust is the underlying factor in most fundraising programs.
I recently spoke with the CEO of a DC-area nonprofit, and he said, “I don’t think this is a top priority right now.” Understandable given budget constraints. But what if a moderate investment now saves you millions of dollars later? What is it worth to save your reputation and protect those you serve and those who support you?
I’ve received plenty of phishing emails. In fact, twice I’ve accidentally clicked links online that temporarily froze my computer and gave me a number to call to get back control of my computer. Lucky for me, they were screen locker ransom programs, which only froze a single interface in my browser. While I was able to figure out a solution, it could have been a disaster.
PwC’s recent study shows that globally, fewer than 50% of all businesses are prepared for a cyberthreat. And the numbers are more dismal in the nonprofit space. A 2018 study of 250 nonprofits by Microsoft and the Nonprofit Technology Enterprise Network shows that 39% of nonprofits surveyed have no cyberpolicies on managing risks, nearly 60% have not conducted any training for staff, and nearly 70% have no plans in case of a cyberattack.
You can’t afford not to plan.
Georgia Tech had a recent data breach that exposed the personal data of 1.3 million constituents. In the education field, both K-12 and higher education are estimated to be among the top 10 targeted industries this year and next year. This should make all of us in the nonprofit space nervous. Cyberthreats aren’t just hurting big businesses such as Marriott, Facebook, LinkedIn, Target, and Sony.
It’s time for boards to start prioritizing cybersecurity to care for and protect the nonprofits they serve. Even if you’re not sure what all this means, it’s time to learn. In 2018, the average cost of a data breach was $3.86 million. Isn’t that money better spent helping people and communities?
Jennifer Harris, Ph.D., is Senior Vice President, Associations, Cyber and Social Change Sectors at Graham-Pelton. She is also a community psychologist and is the author of the books This Is How I Dream It and Pink. She has been a fundraising professional for 25 years and has helped clients and organizations she’s served reach historic philanthropic goals. To learn more about how you can protect your nonprofit, go to: https://grahampelton.com/cybersecurity-readiness/.