Cybersecurity is one of the most pressing issues facing both for-profit and nonprofit organizations. According to Check Point Software, the average number of weekly attacks faced by organizations in Q2 of 2022 was up 32 percent compared to the same period in 2021, and ransomware attacks increased 59 percent over the previous year. To put it into perspective, the average North American organization faced 845 cyberattacks a week.

Cyber Risks to Be Aware Of 

When public cyberattacks and data breaches make the news, it is easy to assume they are a problem only for large organizations. In fact, every organization, charities included, is exposed to cyber threats regardless of its size or the nature of its operations.

Charitable organizations can be especially vulnerable, since they often have limited budgets and few experienced security personnel to help them plan ahead and prepare for a potential attack.

Data is generally one of an organization's most vital assets, and the more of its operations an organization moves onto connected systems, the larger the attack surface through which that data can be reached.

Here are some of the most common challenges: 

Data Breach 

A data breach can be disastrous: no organization wants its confidential client or donor information compromised. Client and donor records are not the only data at risk, however; valuable internal data such as transaction history and inventory lists can also be targeted. Beyond the immediate financial losses, a breach can cost an organization the trust of clients, donors, and the general public.

Data breaches have many potential causes. Experts have identified the most common security weaknesses over the years, yet many of them remain unaddressed in practice, and human error is a significant cause of breaches in its own right.

Ransomware 

Ransomware is malware that encrypts an organization's digital files and lets the attackers demand a large payment for the key needed to decrypt them. In recent years there have been many high-profile media reports about ransomware and its victims. Most cybercriminals demand the ransom in Bitcoin or another cryptocurrency, because such payments are hard to block or recover. They also do not discriminate: any organization can be attacked.

DDoS (Distributed Denial of Service) Attacks 

Distributed denial of service (DDoS) attacks are a subclass of denial of service (DoS) attacks. In a DDoS attack, many compromised internet-connected devices, collectively known as a botnet, are used to overwhelm a target website with junk traffic.

Every organization should prepare a detailed plan for managing DDoS attacks against its systems. Attackers have several ways to mount them. Application-layer attacks, which flood the web application itself with requests that look legitimate, are among the most common and aim to disrupt access to the organization's website.

To be clear, the risk and damage to an organization are:

  1. Business disruption, as the attack consumes internet bandwidth and overloads networking equipment.
  2. Cover for a second attack: an intrusion hidden in the flood of traffic can go unnoticed.

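Both points can be made concrete in a web server's access log. The following Python script is an added example written for this article, not code from the author or from RiskAware: it parses access-log lines, flags source addresses whose request rate in a fixed window exceeds a threshold (the flood), and then lists requests to sensitive paths made during a flood window by hosts that are not part of the flood (the activity the flood may be masking). The log lines are constructed for the example using RFC 5737 documentation addresses, and the threshold, window size and `/admin` prefix are assumptions to be tuned to a real site.

```python
"""Spot an application-layer flood in web-server access logs and the
requests it might be hiding.  Added illustrative code, not from the
article; the sample log below is constructed, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Apache "combined" log format; only the fields the detection needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample traffic: two sources hammer the site, one donor browses
# normally, one request to an admin export is buried in the flood, and one
# admin login happens later, outside the flood window.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.10 - - [12/Jul/2022:10:00:0{s} +0000] "GET / HTTP/1.1" 200 5120 "-" "python-requests/2.28"'
     for s in range(1, 7)]
    + [f'203.0.113.11 - - [12/Jul/2022:10:00:0{s} +0000] "GET /search?q=a HTTP/1.1" 200 7310 "-" "python-requests/2.28"'
       for s in range(2, 8)]
    + [
        '198.51.100.7 - - [12/Jul/2022:10:00:01 +0000] "GET /donate HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
        '192.0.2.99 - - [12/Jul/2022:10:00:04 +0000] "GET /admin/export?format=csv HTTP/1.1" 200 90210 "-" "curl/7.81"',
        '198.51.100.7 - - [12/Jul/2022:10:00:05 +0000] "POST /donate HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '198.51.100.20 - - [12/Jul/2022:10:00:31 +0000] "GET /admin/login HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    ]
)


def parse_log(text):
    """Parse access-log lines into dicts, sorted by time; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def window_of(record, window_s):
    """Start (epoch seconds) of the fixed window the request falls in."""
    return int(record["time"].timestamp()) // window_s * window_s


def find_flood_sources(records, threshold=5, window_s=10):
    """Return {window_start: {ip, ...}} for IPs sending more than `threshold`
    requests inside a single `window_s`-second window (assumed tuning values)."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        counts[window_of(r, window_s)][r["ip"]] += 1
    floods = {}
    for window, per_ip in counts.items():
        noisy = {ip for ip, n in per_ip.items() if n > threshold}
        if noisy:
            floods[window] = noisy
    return floods


def hidden_requests(records, floods, sensitive_prefixes=("/admin",), window_s=10):
    """Requests to sensitive paths made during a flood window by hosts that are
    not part of the flood: the kind of activity a DDoS can be used to mask."""
    hits = []
    for r in records:
        window = window_of(r, window_s)
        if window not in floods or r["ip"] in floods[window]:
            continue
        if r["path"].startswith(sensitive_prefixes):
            hits.append((r["ip"], r["method"], r["path"]))
    return hits


def analyse(text):
    """Run both checks over raw log text; returns (floods, hidden_requests)."""
    records = parse_log(text)
    floods = find_flood_sources(records)
    return floods, hidden_requests(records, floods)


if __name__ == "__main__":
    floods, hidden = analyse(SAMPLE_LOG)
    for window, ips in sorted(floods.items()):
        start = datetime.fromtimestamp(window, tz=timezone.utc).isoformat()
        print(f"flood window starting {start}: {sorted(ips)}")
    for ip, method, path in hidden:
        print(f"review: {method} {path} from {ip} during the flood")
```

On the sample data the two `203.0.113.x` hosts are reported as the flood, and the single `GET /admin/export?format=csv` from `192.0.2.99` is surfaced for review because it happened inside the flood window from a host that was not flooding; the later `/admin/login` falls outside the window and is left to normal monitoring. Fixed windows keep the logic short; a production detector would use a sliding window and per-path rate limits, and would treat the flagged admin request as something to investigate, not as proof of compromise.
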
Hacktivism 

Hacktivism is becoming a significant problem for nonprofits and charities. Hacktivists usually belong to a loosely organized network of hackers who share an ideology, and an organization whose cause or public positions attract controversy can become a target of such a network.

What can be done to prevent cybersecurity attacks? 

While attacks are not entirely preventable, organizations can take the following measures to become risk aware:

  • Train employees to identify threats, especially phishing, which is one of the key threats to any organization.
  • Establish a process for reporting and reviewing suspicious emails that arrive in staff inboxes.
  • Keep your systems up to date and patched.
  • Accept that attacks cannot always be prevented, and therefore focus on reducing both the likelihood and the severity of an attack.

Nonprofit and Charity Boards Must include Cybersecurity in their Risk Oversight 

Risk management is critical to an organization's overall health. It is the discipline of protecting against the damage that different kinds of risk, cyberattacks included, could cause. Ideally, it lets a charitable organization take the appropriate measures before a loss or damage occurs.

Ultimately, risk management means identifying, quantifying, and controlling risks, whether within a single project or across the organization as a whole. The same principles apply to cyber risk management.

The board's role in managing risk is defined by its mandate, which is generally to oversee the management of risk rather than to manage risks itself.

In assuming their risk oversight role, boards need to focus on the following:  

  • Developing a risk management program and revisiting it over time to ensure it remains operational and relevant.   
  • Approving the risk management policy and strategy. 
  • Maintaining oversight of the risk management program, ensuring that it provides adequate information to support prudent leadership decisions, including risk identification and assessments, handling of significant risks, insurance management and control activities, and other risk oversight activities. 
  • Ensuring that the necessary measures – policies, procedures, processes, and control mechanisms to address these risks – are in place. This is often an area where many boards fail.
  • Monitoring the control environment and evaluating whether controls are appropriately designed and adequately implemented. 
  • Ensuring systems are tested periodically to verify they operate as intended. 
  • Evaluating significant events, actions, or inactions which have caused or could cause a major adverse effect.  

Ultimately, the board, together with the organization's executive leaders, sets the risk and cyber risk management framework and strategy. That gives the members of the Audit Committee a solid starting point for examining the organization's risk profile and how specific risks are managed. From there, the leadership team and, through training and education, the whole organization are empowered to manage risks and be risk aware.

Michael Castro is an IT leader with over two decades of experience building and leading information security, cyber risk, and compliance programs at the enterprise level. Castro founded RiskAware in 2018 and holds an MBA in IT Management. Learn more about RiskAware.