A Discussion About Nonprofit Cybersecurity
As more and more nonprofit organizations adopt technology to do their work—for fundraising, project management, board communications, social media promotion, etc.—the risk of cyberattacks is increasing, even for small organizations. In a rapidly changing technological landscape, all organizations must put in an effort to keep their data—and by extension their clients and supporters—safe. Does your organization have a cybersecurity plan? Are you ready if a cyberattack occurs?
Recently, NTEN, in partnership with Microsoft, released its inaugural State of Nonprofit Cybersecurity report, which looks at what nonprofit organizations are doing to develop secure technology practices.
NTEN is a membership organization of nonprofit technology professionals, and envisions a more just and engaged world where all nonprofits use technology skillfully and confidently to meet community needs and fulfill their missions. NTEN supports organizations by convening the nonprofit community, offering professional credentials and training, and facilitating an open exchange of ideas.
On November 28, when the report was published, GrantStation talked with Amy Sample Ward, NTEN's CEO, to discuss the findings.
GS: Has NTEN done a report like this before?
NTEN does between five and seven reports a year, but we have never asked questions about cybersecurity before. We've never conducted an entire report specific to cybersecurity. The furthest we would have gone in the past would have been questions related to planning and preparedness in a disaster response-type situation, such as, "Do you have backups of your data?" But we've never focused on cybersecurity until now.
GS: What was the impetus for doing the report now? Is there something specific about the last year or two? Or is it something you’ve wanted to do for a while, and now just seemed like the right opportunity?
Two years ago in November, we released our free online tool called Tech Accelerate, which is an assessment tool for nonprofits. The assessment includes over 70 different questions, so it's really comprehensive across your organization. It looks at where you might be with tech adoption: security, leadership, best practices, all those things. When you take the assessment, you get a customized report that shows where you're low and need to do more investment and where you're doing okay. It also includes some benchmarking so you can compare your results to other organizations. There are a number of questions in the tool relating to security and data access, and we've noticed organizations saying, "Not only do I not have the best answer to this question, I don't even know how to answer this question. This is not even something I've thought about doing for my organization."
The other part of the impetus is that this issue is actually in the news now, nonprofits getting hacked or certain organizations having their data compromised. We're hearing nonprofits ask, "What should I be doing? I don't want all of my donors to be scared of donating to us because they see us in the news having our website get hacked. How do we take care of ourselves?" We wanted to do an initial landscape report: what kinds of things are people doing? Then we would be able to give them the right kinds of content or support to move forward.
GS: Larger organizations with a big donor base know that cyberattacks are a threat. Have you had difficulty convincing smaller organizations of this problem?
I tell organizations not to be a fearmonger, but a realist. Often, the real threat to an organization, especially a small organization, is an internal threat, and not a Russian hacker. Your organization may not be on the national radar as a potential target for attack. As we see in the report, folks may not be training their staff regularly or at all on how to use their tools in a safe way. It's plausible that you have a staff member who is working remotely and logged into the database on their laptop in a coffee shop, then gets up to make a phone call, and there is your data for the world. This scenario is more common than someone online targeting your organization.
GS: You ended up partnering with Microsoft for this report. How did you get them on board?
They are really interested in this topic, too, because they are working with nonprofits of all sizes, not just international enterprise-level organizations, but also really small organizations. They are seeing these threats coming to organizations they serve as well as a lot of inconsistency about how organizations are prepared to handle threats in a reactive way, and inconsistency in how organizations may be proactively preparing.
GS: Over 250 organizations were polled for the report. How were they selected?
They were almost all from the NTEN community. We sent out surveys across the NTEN list and then we monitored who was responding based on geography and organization size and type.
GS: Do you feel these organizations are a pretty representative cross-section of the nonprofit sector as a whole?
I wouldn't necessarily say that on the record, as we don't take an approach to scientifically validate the results. But the data results map to the qualitative results we already knew about from conversations we've had with organizations. It was pretty consistent with what we've already seen in the sector.
GS: Most of your members are already tech-savvy, right?
Yes, that is a good disclaimer. The state of cybersecurity in the sector at large may be worse. The survey doesn't show many organizations doing testing or training. So if that is the result from a community of organizations we could assume to be slightly ahead of the sector on technology, then it might show even fewer positive results for organizations that aren't thinking about technology as much.
GS: I'm curious about the respondents who answered questions with "I don't know if we have this policy." Is that more related to the specific member at the organization who responded to the survey, or an organizational disconnect where people aren't aware of the policy? Clearly, a data manager would know the policy.
It is both of those things, for sure. There are some instances where the person responding to the survey is someone who would not know, but we don't believe that anything we are asking in the survey isn't something all staff should know the answer to. It isn't a very successful cybersecurity policy if not all staff know they should participate in training, or that there should be a backup plan. So lack of communication would mean that implementation hasn't been very successful.
GS: One question reads, "Does your organization have policies and procedures for backing up data, hardware, and software?" Were you surprised by the 38% here who responded "no" or "I don't know"? Growing up in high school in the late 90s, that was hammered into us then and for the last 25 years. Why is this still an issue for some organizations?
One thing we've heard from organizations—and this report was just published today so we haven't done follow-up to do qualitative case studies with respondents yet—is that since organizations are using a cloud product that includes once-a-week backups, that isn't something they need to take management of themselves. There is a trust that the system is doing what it is supposed to do. And for us, that is a huge risk area, because it means the organizations aren't the ones who know how to access those backups, or know when they're occurring. Because there isn't a formalized plan or policy, it isn't a successful backup, because if there is an emergency, you wouldn't be able to access that data. We hear folks saying, "We don't have a policy because we don't need it."
GS: There seemed to be a difference in the number of organizations that had cybersecurity policies and those that offered training based on those policies. Does it work for some organizations to just have the policy? But why have a policy if you are not offering training on it?
I think it's important to have a policy, because if you don't, whatever communication or training or orientation you do with your staff isn't going to be consistent; you don't have a formal document you are referring back to. That means you're also not referring back to an agreed-upon policy in decision-making. So having a policy is very important. But having a policy means nothing if it is not put into practice. Training is required for the policy to be successful at all.
GS: For organizations, what is the biggest barrier to offering training? If it was easy, they'd all be doing it, so what is preventing them from providing training?
The number one thing we hear—and I don't think this is unique to cybersecurity or technology or any one organization—is, "It's not my job." Helping all staff realize that cybersecurity is every person's job—any single staff member could be the one to click on something that installs a virus, or could be the one to leave their laptop open in that coffee shop. It is everyone's responsibility to keep the organization safe, to keep your clients' and supporters' data safe. It's not your data, just because it's in your database; it's your clients' and supporters' data. You have a duty, every single staff person, to keep that safe. And when folks take on that responsibility, it is easier to say, "I'm not confident about this; I need more training." The staff becomes part of the solution. A lot of organizations need to work on that culture change. For them, it still feels like there is someone in the organization who is managing these policies, who is telling them, "I am forcing you to learn about this." That is not a culture that will be successful when it comes to cybersecurity.
GS: Beyond training, you also have additional questions about drills and exercises. When you do these live-action events, what are the benefits over a standard walkthrough training?
I think what is helpful about these live-action cybersecurity models is to find the things that the perfectly worded and well laid out documented plan didn't address. The benefit to doing these live events is to find the holes and the human errors, because in the moment, we are a different employee, a different self, with a different reaction, than when we were sitting in a room in a meeting going through the plan.
Some of the employees probably didn't even participate in the meetings where the plan was developed, and now they get a chance to participate in the live-action test and to see what it would mean if the organization experiences an event like that.
GS: One question I found interesting was about multi-factor identification. Looking at the percentages, it seems like if you have a robust cybersecurity plan in place, you use multi-factor identification. How do you get the corporate mindset to stop viewing a process like this as an annoyance? "Oh, maybe I won't check my email as often because I have to go through this rigamarole." How do you overcome these minor annoyances to get people to embrace the process?
We need people to understand that we're going through these steps because it's not about you, it's not about that email you're trying to log into or about that document you're trying to access from home. These are the things we need to do to keep our client and supporter data secure. It's about understanding the context of why these tools are there. They are not there to prevent anybody from being successful at their job. They are there to make sure that people are successful, that they are supported and secure, and that they are not the ones creating any vulnerabilities for their supporters or the organization.
GS: If you have a huge organization, you can keep a lot of IT staff around. But according to the survey results, 16% of organizations did not have a single IT person and another 20% didn't have a full-time IT person. So how do these smaller organizations keep up with the "big boys" without any expertise or limited resources when it comes to cybersecurity?
There is certainly nothing in the report, or actions suggested by the report—such as testing or training—that says there has to be somebody with the title of IT Director and that person is the one in charge. I want to clarify that we recognize that many, many organizations don't have enough staff to even have departments and that many organizations have five or fewer staff. And that's fine, but it doesn't mean that you are exempt, that you won't be a target of a cyberattack.
I think there are lots of resources for smaller organizations. These duties can be allocated to somebody's focus area and then they can come to NTEN or other resources to learn what to do and how to craft those policies and make a plan. It can be something that you specifically articulate into an RFP or other type of call for support. Then you can bring in a volunteer or paid consultant to do that work with you. You should be able to say, "This is what I want. These are the parameters." I would never suggest bringing in a consultant and not knowing what you want, because then it would be up to the biases and outside experiences of that consultant, and they are not an expert on your mission the way you are. You should always be leading that work.
There are also pro bono support services out there through a number of different organizations locally and nationally. There are ways to do it for free; there are also ways to pay for it.
GS: If I'm one of these small organizations and I come to NTEN and say that I need help setting up a cybersecurity plan, what are some of the resources you can offer?
We have cybersecurity courses; we have a professional certificate that they could take. There are online forums where folks can ask questions and other people can give example policies, and then they can take those policies and modify them. There are also sample policies available. It depends on if they want a lot of education, or a little education, or just want to connect with other organizations.
GS: How do you plan to use this report? What are you doing with this information?
We are using it to help inform what courses, articles, and content we produce next year so that we have a better sense of where organizations are in the area of cybersecurity, and we can target content based on where people are trying to learn more and invest.
GS: Are there any final points you want to make about the report?
Cybersecurity may sound overwhelming because it seems like something only big organizations can do, but that's because we write technology planning off like it's something just for large organizations. But there is no reason a small organization can't also do tech planning. Cybersecurity is certainly an issue for an organization of any size, and the implications of not doing this work are pretty huge: losing donors, losing trust, losing the whole organization. Cybersecurity is really important.