Cyber Security & Privacy in Nonprofits – Is your Organization Secure? by BMS Group

Non-profit and charitable organizations face the same threat of a cyber breach as governments and big businesses but are often unprepared to deal with the technical and financial consequences. If your organization collects or holds any digital records with people’s private information, such as a volunteer database, a donor list or employee records, you are responsible for protecting that information from cyber threats. So, what do you need to know?

Viruses, malware, ransomware, phishing: the cyber threats that organizations of all sizes face are evolving and becoming more frequent. According to Beazley plc (Beazley), a leading provider of data breach response insurance, organizations across all sectors continue to be targets for cyber criminals. Privacy breaches also commonly arise without any attacker at all, through accidental disclosure and human error.

Did you know that all three scenarios below are considered privacy breaches?

  1. Malware is delivered to staff in a fake promotional email; someone opens the attachment, giving the attacker access to confidential information stored on the computer.
  2. An employee is walking to their car and a folder of files containing confidential donor information is blown away and unable to be recovered.
  3. An employee accesses personnel and volunteer files that they do not have authority to look at.

While many of us think privacy breaches only come from sophisticated attacks by elusive hackers, simply misplacing or losing documents is still considered a breach.

As of November 1, 2018, it is mandatory across Canada to report certain privacy breaches. Organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) must report any breach of security safeguards that creates a real risk of significant harm to the Privacy Commissioner of Canada and notify the affected individuals as soon as feasible after discovering the breach, and must keep a record of every breach, whether or not it was reportable. Failing to comply can mean fines of up to $100,000.

PIPEDA applies to private-sector organizations, including charities and non-profit organizations, that collect, use or disclose personal information in the course of “commercial activity”, unless a “substantially similar” provincial law is in effect (federally regulated businesses are covered regardless). Many non-profits may not think their day-to-day operations constitute commercial activities; however, if you are selling merchandise or services or charging admission fees for events or performances, you are undertaking commercial activity. Commercial activity also includes the selling, bartering or leasing of donor, membership or other fundraising lists. Fundraising, collecting membership fees, compiling a list of members’ names and addresses, and mailing out newsletters are not, on their own, considered commercial activities.

Figure: Causes of Incidents – 2018 (source: Beazley Breach Response Insights, October 2018)

Hacking and malware, including ransomware, remain one of the largest threats to small and medium-sized organizations. Ransomware is a form of cyber extortion: malicious software runs on a computer or network and encrypts its data and files, making them inaccessible until a ransom is paid for the decryption key. Paying does not guarantee that a working key is delivered, so tested backups kept offline, or otherwise out of reach of the infected systems, are the dependable way to recover.

The Rise of Ransomware in 2018

Some tips on protecting your organization against Ransomware:

  • Ensure anti-virus software is up-to-date, and install operating system and application patches promptly, since ransomware often spreads through known, unpatched vulnerabilities
  • Regularly train employees to recognize phishing attempts (see below) and not to open unsolicited attachments and links
  • Periodically test employees with simulated phishing campaigns and track how the response rate changes over time
  • Where possible, block email attachments with .js, .wsf and .zip extensions, and Office documents containing macros, including such files packed inside archives

Email Phishing

A commonly used delivery method for ransomware is email phishing: a message encourages the recipient to provide information, or to click a link or open an attachment that installs malware. The messages are crafted to look as if they come from the person’s employer or a colleague, and can be hard to tell apart from authentic emails.

Some tips on protecting your organization against Email Phishing:

  • Establish clear procedures for how any legitimate request for financial information or a fund transfer will be handled, and train the relevant employees on those procedures annually. If possible, adopt a policy that no request to transfer funds will be made or acted on by email alone; confirm it by phone or in person using a number you already have, not one supplied in the message.
  • Train all employees, especially those with access to payroll or benefits information, to be wary of phishing attempts.
  • Configure your email system to flag messages that come from outside the organization, for example by tagging the subject line or adding a banner. Phishing emails often use a familiar display name or a lookalike address so that they appear to come from within the organization.
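The two technical tips above (blocking .js, .wsf, .zip and macro attachments; flagging mail from outside the organization) can be implemented in a mail filter. The following is an added example written for this page, not code from BMS or from any product mentioned here. It assumes a constructed organization domain, example.org, and a policy of rejecting the named attachment types, looking inside .zip archives and detecting macro-enabled Office files by content rather than by file name, and prepending "[EXTERNAL]" to the subject of any message whose From: address is not in an internal domain. The sample messages it parses are constructed inline and contain only harmless placeholders.

```python
"""Inbound mail triage for a small organization (added example; assumes the
constructed domain example.org and the attachment policy from the tips)."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.org"}                       # constructed
BLOCKED_EXTENSIONS = {".js", ".wsf", ".zip"}             # from the tips
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}


def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def has_ooxml_macro(data):
    """Office Open XML files are zip containers; VBA code lives in a member
    named vbaProject.bin, whatever the file itself is called."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def risky_attachment_reasons(filename, data):
    """Return the reasons an attachment should be blocked; [] means allow."""
    reasons = []
    ext = _ext(filename)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"{filename}: blocked extension {ext}")
    if ext in MACRO_EXTENSIONS or has_ooxml_macro(data):
        reasons.append(f"{filename}: contains a VBA macro project")
    if data[:2] == b"PK":
        # Archives are inspected by content, not by name: a zipped .js
        # dropper is still a .js dropper.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    mext = _ext(member)
                    if mext in BLOCKED_EXTENSIONS | MACRO_EXTENSIONS:
                        reasons.append(f"{filename}: archive member {member} ({mext})")
        except zipfile.BadZipFile:
            pass
    return reasons


def is_external_sender(from_header):
    """True unless the From: address is in one of our domains. The display
    name is ignored on purpose: it is attacker-controlled text."""
    _, addr = parseaddr(str(from_header))
    domain = addr.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS


def inspect_message(raw):
    """Parse a raw message and decide: reject, or deliver with a tagged subject."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons.extend(risky_attachment_reasons(part.get_filename() or "", payload))
    external = is_external_sender(msg.get("From", ""))
    subject = str(msg.get("Subject", ""))
    if external and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject
    return {"action": "reject" if reasons else "deliver",
            "reasons": reasons, "external": external, "subject": subject}


def build_phishing_sample():
    """Constructed lure: external address behind an internal-looking display
    name, carrying a zipped .js file (a harmless placeholder here)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Invoice_2018.js", "// placeholder, nothing executable here")
    msg = EmailMessage()
    msg["From"] = "Executive Director <director@example-org-mail.com>"
    msg["To"] = "finance@example.org"
    msg["Subject"] = "Urgent: wire transfer for vendor invoice"
    msg.set_content("Please process the attached invoice today.")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="Invoice_2018.zip")
    return msg.as_bytes()


def build_internal_sample():
    """Constructed benign internal message with a PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "Jane Volunteer <jane@example.org>"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Volunteer schedule"
    msg.set_content("This week's schedule is attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="schedule.pdf")
    return msg.as_bytes()


def build_macro_doc():
    """Constructed minimal macro-enabled Office container (OOXML zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/vbaProject.bin", b"\x00placeholder")
    return buf.getvalue()
```

Running `inspect_message(build_phishing_sample())` yields a reject verdict with two reasons (the .zip extension and the .js member inside it) and an "[EXTERNAL] ..." subject, while the internal PDF message is delivered untouched. Detecting macros by the presence of vbaProject.bin rather than by extension matters because a .docm renamed to .docx still carries the macro project; in production this logic would sit in a milter or in the equivalent transport rules of a hosted mail service, and the list of internal domains would include every domain the organization sends from.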

Cyber attacks and privacy breaches can be costly, particularly for small organizations and non-profits. They happen quickly and when you least expect them.

The Canadian Government’s “Get Cyber Safe” has a range of general tips to help mitigate the risk of a cyber attack, including:

  • Educate employees and volunteers not to click on pop-ups while browsing, and to be cautious with emails containing links or inconsistent branding
  • Keep software and operating systems up-to-date
  • Regularly back up important data, and periodically test that a backup can actually be restored
  • Encrypt the storage on computers, laptops and USB drives so that a lost or stolen device does not become a breach
  • Appoint an administrator, restrict administrative access to that person, and ensure the administrator password is changed regularly

Through Volunteer Canada’s “Under Our Wing” insurance program, Directors’ and Officers’ (D&O) Liability insurance automatically includes $100,000 of Cyber and Privacy coverage.

The policy will cover expenses related to your legal defence and will pay damages awarded to the individuals whose private and personal information was compromised. It will even pay for costs to notify the individuals whose information was compromised and for costs to hire a public relations firm to repair any damage to your organization’s reputation.

For more information or if you have any questions about Directors’ & Officers’ Insurance, please contact a broker at BMS on 1-844-294-2715 or at underourwing@bmsgroup.com.

For more, watch this 15 minute webinar on Cyber Security and Privacy presented by BMS in November 2018.