Goodwill Industries was hacked in September 2014 by predators using the same software that earlier struck Target and Home Depot. Goodwill franchises in 19 states and the District of Columbia were affected, and an estimated 868,000 credit and debit cards were compromised.
Goodwill is not an isolated incident. Some organizations are victimized because of their mission. In July 2015, Planned Parenthood informed federal investigators that anti-abortion hackers had accessed its website databases and the names and email addresses of employees. The attack was motivated by Planned Parenthood’s politics.
Many high-profile data breaches have appeared in the news in recent years, especially given the increasing sophistication of hackers and others who seek to do harm.
During a session at the AICPA Not-for-Profit Industry Conference in National Harbor, MD, Ricardo Trujillo, audit manager and certified information technology professional at Gelman, Rosenberg & Freedman CPAs, highlighted the need for sufficient infrastructure to respond to potential threats.
With donor information, credit cards and private employee information such as social security numbers and tax information at stake, nonprofit managers would be wise to start looking more critically at systems, Trujillo said.
“There need to be different roles within each organization responsible for protecting it from cyber-attacks,” Trujillo said. “Everyone involved needs to be aware of four key principles to cybersecurity — confidentiality, integrity, security and availability.”
He made several suggestions. “I would advise nonprofit managers to implement a security awareness program throughout their organization, perform regular IT assessments and follow a known cybersecurity framework such as Control Objectives for Information and Related Technology by ISACA, the ISO 2700 series or that developed by the National Institute of Standards and Technology,” he said.
Every day, the opportunities for criminals to exploit security flaws grow. Nonprofit managers should not feel safer than other types of organizations because they are less well known or have less money. In fact, that complacency might place the organization at even greater risk.