Cybersecurity for Charities: 1st Step Is Knowing How Very Vulnerable You Are

April 7, 2015

One day in early January, Carly Visbal was working on the Giving Children Hope website when the homepage went black. Information about its recent activities, including shipping supplies to Syrian refugee camps, was replaced with the message “Hacked By Team System Dz,” followed by “i love isis.”

The California nonprofit had the site restored within four hours with the help of its outside information-technology consultant. It later learned it was one of many organizations targeted by a pro-Islamic State group.

Nothing sensitive was compromised, said Ms. Visbal, the nonprofit’s communications coordinator. Still, “there was a lot of concern, a lot of phone calls.”

Nonprofits’ data and information systems are increasingly under assault from cybercriminals. The threats largely mirror those in other sectors. At risk are credit-card, Social Security, and bank-account numbers, among other personally identifying information.

A report published last year by the software company McAfee and the Center for Strategic and International Studies, a Washington think tank, pegged the annual cost of international cybercrime at more than $400 billion. The FBI’s Internet Crime Complaint Center logged 262,813 consumer complaints about $781 million in losses in 2013. It was a 48 percent increase from 2012.


But when it comes to resources to mitigate and respond to cyberattacks, nonprofit organizations and their for-profit peers diverge. Many small and midsize nonprofits lack the budgets to deal with the steady flow of phishing attacks and other threats, according to those who work in cybersecurity. Worse, a dangerous misconception persists that nonprofit organizations won’t be victimized.

There is a “lack of awareness that security is even an issue,” said Sean Williams, a program consultant at Techbridge, a nonprofit dedicated to helping other nonprofits with their technology needs. “Often a small or a medium nonprofit may have the mind-set, ‘Who would attack us?’ ”

Jonathon Morgan, founder of the digital development firm Good at the Internet, said that data security is more complex for nonprofits than for for-profits because many nonprofits share data with confederations of academics, volunteers, and third parties. He describes the environment as “the wild west,” but added that such collaborations are essential in order for organizations to make use of analytics techniques.

“It’s time to stop playing ostrich,” Mr. Morgan said. “Nonprofits that are serious about leveraging their data in 2015 need a data security expert on their team.”

Relentless Threats

It is impossible to know how many nonprofits have suffered data breaches in recent years, according to those who work in information security. While 47 states now have data-breach notification laws, and federal legislation is pending, such incidents continue to be underreported. In some cases, the accessed information does not fall within the parameters of state laws. In others, hacks go undetected.


What is clear is that the threats are relentless and the origins of breaches varied. Nonprofit breaches listed in a database maintained by the nonprofit Privacy Rights Clearinghouse include a stolen laptop, a hacked online-payment system, and exposed client data.

Nonprofits could be targeted based on their mission and work, said Jonathan Trull, chief information security officer at the cybersecurity company Qualys. But they are more likely, just like any for-profit business, to be victims of opportunity.

“What if I deleted every record that you ever had about your donors?” said Mr. Trull. “Sure, you could recreate it, but it would be painful.”

One of the first things nonprofits need to know is whether they are equipped to spot data breaches. Oftentimes the answer is a sobering no, he said.

Even when organizations have security products in place, they don’t have the manpower to monitor and block all possible threats. In his previous role as chief information security officer for the State of Colorado, Mr. Trull’s team was receiving 600,000 alerts a day from all the security products they had set up.


“Of those 600,000, which ones do you really need to be worried about?” Mr. Trull said. “And I had a pretty decently sized team. Now you think about a nonprofit that might have an IT director for whom security is kind of a part-time job as well. How do they deal with that?”

White-Hat Hackers

In summer 2013, the national service charity Points of Light contracted white-hat hackers — or benevolent hackers — to illuminate vulnerabilities in its information systems. Chief Technology Officer Scott Geller declined to say what prompted the exercise, noting only that he and his colleagues “thought it was important to make sure we were secure.”

The hackers’ first play started with a decidedly old-school twist: They drove into the Points of Light parking lot. Positioning themselves within range of the nonprofit’s wireless network, they had little trouble cracking the password-protected Wi-Fi and breaking into the network, Mr. Geller said. Among the biggest takeaways from the exercise was that some vulnerabilities actually start with physical security, he said, like a lost device or an unauthorized office visitor. Some schemes involve what is known as social engineering, in which hackers do things like place phone calls posing as a vendor to get staff members to volunteer network passwords.

“People who are really good at hacking can figure out unbelievably creative ways to get into your systems,” Mr. Geller said. “You just have to be really vigilant. You have to train your people.”

Nonprofits can’t hope to be completely impervious, Mr. Geller said, but they should avoid being the easy target.


“With a small amount of effort, any organization can make themselves at least a well-lit house so the bad guys go to the next house,” Mr. Geller said.

Low-Budget Options

Nonprofits can use a number of free and low-cost steps to bolster their security posture, according to experts. They include conducting regular inventories of devices, limiting the number of people with administrative-level access to networks, and developing written policies.

Alfredo Boccalandro, founder of the Florida-based web-development firm Avviato, which specializes in working with nonprofit organizations, says the most common breaches he sees are nonprofits that “didn’t keep up with basic practices, anything from password access to updating software.”

Last year, he and his colleagues were contacted by a nonprofit looking for employee training. For months, officials there noted unusual activity on their website — changes popping up on the home page, entire pages going missing. Staff members, or maybe the interns, didn’t know what they were doing, officials concluded.

But when Mr. Boccalandro’s team of developers went into the content-management system, they quickly discovered some errant code. A hacker had been inside the system and toying with it for about six months.


“There are essentially two categories of organizations: those that have been hacked and those that don’t know it yet,” said Laura Iwan, senior vice president of programs at the Center for Internet Security.

Mystery Source

The exact source of the hack at Giving Children Hope in California was never determined, said Ms. Visbal. But the charity’s website was out of date. Built on a custom WordPress template, it was probably 15 updates behind, Ms. Visbal said.

She and her colleagues are now working to modernize and harden the site.

Since the white-hat hacker exercise at Points of Light, Mr. Geller and his colleagues have made a number of changes. They enhanced the security level of the wireless Internet network to what is known as WPA2. They hardened their website and financial systems. Still, he hasn’t made it through his checklist, Mr. Geller said.

“I would say there are more things we still have to do, some that don’t cost that much and some we can’t afford.”

