TechSoup@PND

Through an arrangement with TechSoup, PND is pleased to offer a series of articles about the effective use of technology by nonprofits.

Nonprofits Beware: You Can Get Hacked, Too

Nonprofits Beware: You Can Get Hacked, Too

As a nonprofit, you have a mission, and that's usually a contribution or benefit to society, people, the environment, animals, or some other cause.

Whatever it is, you provide a service without the reward of big profits. You're humble.

What you make is funneled back into programs, staff, and projects. So, you're safe from hacking, right? Who would want to hack an organization that doesn't have much money or large databases of unknown personal and private information?

It's simple: People want to hack your organization because it's an easy target.

Hacking: A Serious Problem for Nonprofits

Hacking is a serious problem for nonprofits. When a hacker attacks, it's not just your organization's information they want; it's your donors' information. And if a hacker is successful and obtains donor information (along with anything or everything else), the consequences can be ugly.

  1. The nonprofit's projects and programs might be stalled while it reacts and works to strengthen its website.
  2. The organization may lose its ability to accept donations for a period of time.
  3. The organization may lose credibility and the trust of donors and would-be supporters.

All are serious, no matter how large or small your nonprofit. Your reputation is at risk, and in today's environment that means almost everything in terms of its survival.

Identify a Hack: Signs of the Attack

Your organization can be attacked on many fronts. The following are some things to consider. If any of them raise a flag, you should take immediate action.

Server. You'll know your server has been hacked if staff start receiving ransom messages, fake antivirus messages, unwanted browser toolbars, random pop-ups, or have their Internet searches redirected. Other telltale signs include passwords that no longer work, automatic software installations, disabled anti-malware software, webcam light flickering, and automatic mouse movements.

Website. Your browser may be the first thing that alerts you to an attack. If it identifies one, you may see a red warning screen or other messages indicating something is wrong. Other indications may include:

  • Your website disappears.
  • Your website is slow to open or crashes.
  • Your website displays another website or inappropriate or unrelated advertisements.
  • Weird code fragments start to appear at the top or bottom of your Web pages.
  • Emails are redirected to spam folders.
  • Your Web application stops working.
  • Files disappear or their locations change, or large files that you didn't create or download mysteriously start to appear.

Facebook. You can check your Facebook page to determine if you've been hacked. Under Settings, choose Security and Login and then Where You're Logged In. A list of devices that you've logged in to and their locations will appear. If there is a login you do not recognize, you may have been hacked.

Other signs to look out for include:

  • Changes to your email or password that you didn't make.
  • Messages sent on your organization's behalf that it didn't authorize.
  • Posts published to a blog that the organization didn't authorize.

Obviously, your organization's other social media profiles can be hacked, but, depending on how you interact with your followers, Facebook is likely to have gathered and stored the most information on your organization and its followers.

What to Do Once You Realize You've Been Hacked

There are specific actions you should take as soon as you determined you've been hacked.

  1. Inform all partners, donors, or anyone else associated with your organization whose data may have been compromised. 
  2. Check your federal and state laws regarding data breaches. You may be required to file a notice of breach with your state attorney general's office.
  3. Call in a forensics team or cybersecurity expert to determine the type of hack, what part of your network was affected, and what you need to do to secure your data going forward.
  4. Notify local and federal authorities in case the hacking of your organization is part of a wider scheme.

Tips for Preventing It from Happening Again

There are several things an organization can do to safeguard against hacks. 

1. Mitigate your potential losses. Limit the amount of customer information you collect and hold on to and be sure to back it up on a regular basis. Make it a practice to purge donor or partner information once the data you've collected is no longer relevant or needed.

2. Raise internal awareness and establish policies and regular trainings for staff. When it comes to basic security for your network and computer systems, all nonprofits should have ongoing awareness-raising mechanisms and specific data security policies in place. Employees and volunteers with access to your network should be able to identify suspicious activity and know what to do if they detect it. And, of course, passwords should be changed on a regular basis.

Employees and volunteers should also be prevented from connecting their own devices to your network. USB sticks are an especially popular way for hackers to transfer malware from one computer or network to another.

3. Protect your organization. Your organization simply must devote resources to the purchase, and regular updating, of encryption software, firewall protections, and cybersecurity software that hunts for and quarantines viruses and malware. You may also want to consider cyberinsurance. 

Know the Most Effective Security Protection to Take

Schedule an IT security consultation. An IT security consultant is your best line of protection and can provide an unbiased analysis of the cybersecurity policies and procedures your organization needs to implement.

An IT security consultant also can be a more practical option for nonprofits that can't afford its own IT team or a security breach. With an IT security consultation, you get more than just protection; you'll also gain an understanding of your organization's cyber vulnerabilities and an integrated approach to mitigating your risks.

This piece was authored by the folks at TechSoup and is published under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International License.