Yes. Because they normally store sensitive information desirable for attacker, and also they can be seen as an easy entry to larger nonprofits or government entities.
Because many nonprofits store personally identifiable information (PII), including full names, addresses, social security numbers, medical information, driver’s license numbers, email addresses, and more, their IT systems are a target-rich environment.
Many nonprofits collect and store sensitive personal information that is protected by law as confidential. When there is a breach of the confidentiality of those data, that poses a risk for the individuals whose data was disclosed, AND for the nonprofit that will now potentially be subject to liability for the breach.
It makes sense for EVERY nonprofit to - at a minimum - assess the risks of a data security breach, and protect its data from unauthorized disclosure.
First Step | Risk assessment: assessing your nonprofit’s data risks is to take inventory of all the data your nonprofit collects and identify where it is stored
Second Step | Are the data your nonprofit maintains "protected" or "confidential"?: Second, know whether the data your nonprofit collects and maintains is covered by federal or state regulations as “personally identifiable information.” If so, forty-seven states’ laws require nonprofits to inform persons whose “personally identifiable information” is disclosed in a security breach, and 31 states have laws that require the disposal of such data in certain ways. Additionally, the Federal Trade Commission's Disposal Rule also requires proper disposal of information in consumer reports and records to protect against “unauthorized access to or use of the information.” Protecting personally identifiable information is all about training staff on how to collect/store/dispose of and generally protect this data.
Third Step | Drill down on the actual risks: Third, consider using the US National Institute of Standards and Technology (NIST) Cybersecurity Framework to help your nonprofit identify risks, and make management decisions to mitigate those risks. This framework is not intended to be a one-size-fits-all approach but to allow organizations to manage cybersecurity risks in a cost-effective way, based on their own environment and needs.
That depends on the strength of the security of individual nonprofits’ websites and how consistently users follow strong password protocols.
Typically, the main website remains intact, but the hackers create additional content that can’t be good for your nonprofit’s reputation – or Google analytics. So, on balance, a site takeover does not create the same type of liability risks that other security breaches do, but cleaning up the mess can be time consuming and costly.
Insurance policies are available to cover losses from breaches affecting a nonprofit’s own information and losses affecting third parties’ information (such as patients/clients, and donors). The types of losses/expenses that cyber insurance can cover a range from the cost of notifying all the folks whose information may have been comprised; to the cost of content repair, such as repair to a hacked website; to the cost of hiring a PR whiz to help your nonprofit recover its reputation after a severe security breach. There are even some policies that address business interruption in the event a cybersecurity breach is so severe that it forces the nonprofit to temporarily suspend operations
(1) Understand how a breach of privacy claim could affect your nonprofit
(2) Work with a knowledgeable insurance agent or broker who not only understands how different cyber liability policies differ in their coverage, but also understands your nonprofit’s operations and activities well enough that s/he can break down your nonprofit’s exposures with you. Choosing insurance products should be a collaborative effort with your nonprofit’s broker/agent
(3) as with all insurance, take a hard look at the cost of the annual premium.
Risk #1: Online Donations While technology has made it much easier for nonprofits and charitable organizations to accept donations online, it has also made it that much simpler for a digital pickpocket to steal from the organization.
While payment is easy for the customer, having an unsecured website could mean leaving an open avenue for a cyberattack.
Risk #2: Phishing Scams and Ransomware
Communicating with donors, partner organizations, and clients is a simple process today. Automated emails and newsletters keep interested parties aware of what's going on in the organization. But as you're responding to emails, you could be putting the organization at risk. Clicking a bad link, downloading a seemingly safe Word, Excel, or PowerPoint file, or even just opening a PDF file could put your hard-won funds at risk.
Cybercriminals use phishing emails, a type of social engineering scam, in an attempt to obtain sensitive information. They may also install ransomware, or ransom malware, on a nonprofit's computer system, blocking access until they receive a sum of money or another action has been completed.
Risk #3: Volunteers
Volunteers share their time for many reasons, from being a surviving family member to wanting to give back to the local community. And while many volunteers have good intentions, there are a few that may volunteer their time to gain access to your data stores. Training time is short, onboarding an on-the-job process, and the bad guys can sometimes slip through the cracks, leaving your organization at risk for a cyberattack.