In today’s technology-driven climate, security breaches can damage your not-for-profit’s reputation, professional relationships, and sensitive internal controls. Website breaches, social media hacking, and email fraud can lead to inaccurate, and often embarrassing, misrepresentations of your organization.
How can your organization protect itself against a security breach, or minimize damage if one should occur? The key is to develop a preventative IT security plan and responsive crisis communication plan before a crisis takes place.
Preparing for a Security Breach
Create an IT Security Plan
An IT security plan can help identify and eliminate most of your organization’s potential vulnerabilities. After evaluating your IT security strengths and weaknesses, your organization should apply the following steps to construct an effective security plan:
- Perform an inventory assessment of your NFP’s assets and determine what information or resources you are trying to protect.
- Complete a risk assessment to determine what level of security is needed to protect your information assets.
- Reference this checklist to determine your organization’s security strengths and weaknesses.
- Complete an evaluation of your findings and discuss recommendations for correcting insufficiencies and/or improving security.
- Create your security plan, including target implementation dates.
- Determine which department and team member are responsible for each element of the plan.
- Establish target completion dates, and begin monitoring your progress through improvement reports and security initiatives.
Create a Crisis Communication Plan
To establish an effective crisis communication plan, your organization must first develop a communications strategy based on the organization’s policies and procedures. This strategy should be linked to your organization’s data management program and monitored by your IT general controls.
Organizing your communication plan in this way allows you to notice, and address, fraudulent changes almost as quickly as they occur. The basics of a crisis communication plan include:
- Identifying your crisis communications team (executive and core department leaders).
- Establishing roles and responsibilities within the team (convening/leading the team, establishing/maintaining a timeline of events and next steps, etc.).
- Developing a process for communicating with employees. This process should make employees aware of the situation, inform them of decisions being made, and provide directions for communicating with external stakeholders.
- Identifying and managing key stakeholder and vendor communications, followed by developing a process to ensure all are aware of the situation.
- Preparing foundational talking points on which to build responses.
- Preparing guidelines to assess the level of crisis and assigning the level of response (from relatively minor to catastrophic).
- Preparing a media communications plan for a high-exposure crisis.
These basics are the starting point for your plan, which can be as simple or robust as you prefer. As you begin to develop the processes, lists, and guidelines, a step-by-step crisis management plan should start to emerge.
There are many communications/PR agencies that can help fill in the blanks as you begin this process. Other possible resources include organizations such as The Taproot Foundation, which pair NFP organizations with skilled volunteers who provide pro bono expertise.
Common Security Breaches
If a security breach should occur, your organization now has a step-by-step security and communications plan that you can execute. These plans will enable you to tackle security breaches quickly, efficiently, and with as little damage to your organization’s relationships and reputation as possible.
Following are some of the more common security breaches.
Website Security Breaches
For many organizations, websites serve as the primary way of communicating with donors, supporters, and volunteers. And while websites provide public information, such as an NFP’s core message, purpose, and mission, they can also include sensitive information, such as contact information, donor information, access to online donor registration forms, and client access portals.
Your organization’s website crisis communication plan should:
- Specify whom in the organization to notify in the event of a security breach;
- Specify who is responsible for sending security breach alerts to the rest of the organization;
- Provide the protocol for notifying donors and volunteers;
- Specify a designated spokesperson to represent the organization in the media;
- Contain guidelines for a PR protocol, including a press release and/or social media response that represents the organization.
Social Media Hacking & Misrepresentation
Social media provides an accessible, cost-efficient way for not-for-profit organizations to reach large audiences quickly and effectively. That said, your communications specialist should review and monitor all social media exchanges to make sure they are correctly representing your organization and your brand.
Social media users interact with billions of pieces of content each year. If your organization is hacked by an outside party, it can be mere seconds before thousands of users have seen, or re-shared, a post that misrepresents your organization.
To prevent damage to your NFP’s online presence, you should also have a preventive social media plan. This plan should specify:
- An intended social media use and security policy that is linked to your organization’s overall communications strategy;
- A Bring Your Own Device (BYOD) policy. This can help limit the security risks that arise when personal devices are used to access organizational content, take part in unauthorized communications, or spread misinformation.
In the event of a damaging social media interaction, your organization’s reactive crisis communication plan should specify:
- Who is to remove the damaging post from the social media platform;
- Who is to write an apology for the content and approve the apology before it is sent; and
- Guidelines for when additional steps are necessary, such as communicating with volunteers, emailing donors, or providing an explanation on your organization’s website.
Email Breaches & Fraud
While websites and social media are vital to online communication, email remains the primary mode of contact for exchanging sensitive business information.
With that in mind, sending and receiving emails is your organization’s primary cybersecurity threat. Fraudulent attachments and links provide many ways for fraudsters to gain access to your organization’s private information, internal controls, and donor information.
To prevent your organization from falling victim to fraud and phishing scams, your NFP should establish a preventative security breach strategy. This strategy should:
- Include an annual security awareness training, covering how to identify phishing scams and potentially harmful emails;
- Inform employees of the threats of clicking on links and attachments from untrusted sources. These links and attachments can expose your organization’s network to malicious code, ransomware, or key logging programs;
- Instruct employees to apply email filters, and regularly review firewall whitelists (approved traffic) and blacklists (unapproved or denied traffic).
Much like responses to website security breaches and social media damage, your organization’s response to an email security breach could determine how much damage is inflicted on your organization and your brand image.
If, for example, your organization is the target of a dangerous phishing scam that sends malware to your donors and clients, your crisis communication plan should allow you to send notifications to your donors before they provide the fraudsters with sensitive information.
Your organization’s email security breach response should proceed much like the above website security breach response. Your organization, however, should place additional emphasis on notifying donors, volunteers, and employees of the potential danger – instructing them not to click on links or download potentially damaging documents.
Not only do security breaches compromise your organization’s ability to do its work, they can also compromise your donors’ trust and have lasting effects on your brand image. Your organization’s ability to address disruptions quickly, through pre-established and pre-tested communication protocols, can prevent organizational and brand damage before it occurs.
Fritz Duncan, CPA is the leader of the Jones & Roth Nonprofit Team and specializes in tax, auditing, and financial review for non‐profit organizations and limited partnerships. Fritz also specializes in affordable housing, including the Low Income Housing Tax Credit.