Welcome to #nonprofitsbehavingbadly?, where we find lessons in other nonprofits’ bad press so you can improve your own nonprofit risk management. Keep in mind when you read these posts that the nonprofit in the spotlight may have actually done nothing wrong. That’s part of the point. There’s always a story behind the story, and unfortunately a nonprofit does not get to write the press it receives. So what can a nonprofit do now to try to reduce the likelihood of bad front-page news?
The Bad Press
The Save the Children Federation in Connecticut fell for a cyber spoof in which a hacker posing as an employee got the charity to send about a million dollars overseas. Save the Children subsequently implemented a number of measures to ensure, in the immortal words of Pete Townshend, that they don’t get fooled again. But what can your nonprofit do now to defend against cyber threats?
What You Can Do Now
- Educate and verify. In the cyber world, experts often refer to “PICNIC” issues — Problem in Chair, Not in Computer. Cyber-security-aware employees will commit fewer cyber breaches, so educate your employees about threats. But don’t stop there: impose controls (e.g., two-person sign-off on invoices over a certain dollar amount) to reduce the likelihood of unforced employee error. Save the Children took these reasonable steps after the fact, but you can act before disaster strikes.
- Review your insurance. Save the Children had insurance that covered 90 percent of this fraud. Where would you stand? Cyber insurance is expensive and confusing, but traditional general liability insurance may not cover cyber breaches. Talk to your broker, particularly if you store personally identifiable information (PII).
- Perform a cyber-security review. The National Council of Nonprofits has excellent source documents you can use to audit your current vulnerability.
- Think beyond external threats. Remember PICNIC: your employees may be your biggest weakness. Consider how your nonprofit is safeguarding against accidental or willful release of private information. Data loss prevention (DLP) software can impose automatic rules that inhibit such leaks or track them if they occur. Consider asking a data security expert to evaluate whether DLP could help your organization.
This story proves that “nonprofits behaving badly” do not always behave with bad intent. Sometimes simple mistakes lead to significant costs, along with a ladle of bad press. Save the Children made an error, paid for it, and took steps to prevent a recurrence. But with hackers increasingly targeting nonprofits, these threats will only increase. Cyber security can be done on a budget. Don’t become a statistic. Nonprofit risk management does not demand perfection, but it does require vigilance.