A high-value target for hackers? Nonprofits

By Laura Haight

Community service is highly valued in the Upstate and we are home to thousands of local nonprofits, churches, educational institutions and local chapters of national organizations.

But during this summer hackathon that has provided political and international intrigue, probably few of us have concerned ourselves with whether or not our favorite nonprofit might be victimized. Two factors, however, should make us think twice.

First, when the National Center for Charitable Statistics was hacked In February 2015, hackers got a treasure trove of information about more than 700,000 U.S. nonprofits from the exposed 990 database.

That may have made it easier for hackers, who, according to a Duke University survey, breached 80 percent of all businesses regardless of size in the U.S. in 2014. But the truth is nonprofits have been a highly ranked target of opportunity for hackers all along. Why?

Nonprofits are often understaffed, utilize volunteers rather than paid professional staff and don't have the expertise or the infrastructure to implement and maintain best practices for security.

Most nonprofits use a reputable online payment system to protect credit card information. But sensitive information that is of interest to hackers goes well beyond a credit card number: User names, email addresses, physical addresses, and, potentially, passwords can all be put to use.

Copies of databases removed from centrally managed systems by well-meaning employees or volunteers are prevalent in nonprofits. Those shadow databases are often targeted through phishing efforts and frequently account for costly breaches and exposed data.

Finally, because they can. Sean Parker, co-founder of Napster and founding president of Facebook says: "This is core to the hacker mentality: We hack systems that can be hacked and leave the rest." Hackers embed malware into websites, gaining a foothold to push a message or to spread malicious code to your donors and constituents. Phishing schemes and ransomware often find fertile ground at nonprofits with limited IT support.

How can nonprofits protect themselves?

Lock out / Lock down external devices

In the vast majority of cases, staff or volunteers are not trying to damage the organization by exposing sensitive information. But the ability to plug in a USB, transfer information to hard drives, export information out of a more secure cloud-based system onto my local hard drive or laptop are all costly behaviors. According to the Verizon 2015 Data Breach Investigations Report, 45 percent of all the healthcare breaches were the result of stolen or compromised devices; 22 percent of those were laptops stolen from employee vehicles.

In many theft cases, the nonprofit was probably not being targeted. They were just easy. The likely scenario is that thugs saw the laptop as a target of opportunity. Once they had it, they realized they had a valuable commodity to sell. And, whether the data was sold or the not, doesn't change the way the nonprofit must — both legally and ethically — respond: Notify those whose records were exposed, potentially offer compensation such a fraud monitoring, and take the hit. Programmatically restricting the use of external devices closes a big security hole.

Encryption, Clouds and Codes

Many small nonprofits have little IT support or lack the ability to effectively manage outside IT contractors. You don’t know what you don’t know. Even if you use a cloud-based storage service like DropBox, Google for Work, or Office 365, you still need to encrypt your local computer drives to protect downloaded documents and data.

Understand the human factor

A reliance on volunteers and often the passion and commitment of staff is both the core strength and the greatest vulnerability for nonprofits. And employees certainly would not knowingly do anything to damage the organization. So it is important to have written policies and procedures for both staff and volunteers to follow. Included in those should be a policy ensuring no organization information be maintained outside of primary systems and the office location, the use of mobile devices and home computers remotely limited to secure networks, and an email policy that prohibits the sending and receiving of sensitive documents. Nonprofits need to take additional steps to protect organizational data and the loss of reputation as well as expense if it is exposed.


The hit from a cyber attack is two-fold: An organization can be shut down for days, a website for weeks. That costs the organization donations that are often made online. Record loss in 2014 carried an average price tag of $145 per compromised record. A lost laptop with a 30,000-record database on it could carry a price tag of $50,750 on average.

That is a big ticket for any business, but particularly crushing for a small nonprofit. And the reputational damage can be even worse. Donors have many places they can give and, while anyone can be hacked or victimized, the perception that a hacked or defrauded nonprofit wasn't diligent enough can turn their heads.

For that very reason the depth of nonprofit hacks and frauds may never be fully known. They are often kept as quiet as possible so as not to engender bad press, or raise doubts among its donors and major supporters. Hackers are egalitarian: Nonprofits are no safer than any other business.