Imagine if you will, someone sitting in a room in an undisclosed city who sends your charity $1 on a credit card. All of a sudden all of your donor data is on the dark web. This is not an episode of “The Twilight Zone.” It happens every day in fundraising offices around the world.
You must understand cybersecurity risks and the impact they have not just on fundraising but on your entire nonprofit entity.
Tim Bryan, a partner with Crowe LLP and Jennifer Mistretta, associate assurance director at Postlethwaite & Netterville, ran down best practices to protect, detect and defend your data during a session at the recent AICPA Government & Not-For-Profit Training Program. They described the triad of security as “CIA,” confidentiality, integrity and availability.
In 2018, the Internet Crime Complaint Center received 1.5 million complaints of cyber fraud resulting in $2.7 billion in losses, not counting the cost of fixing the original problem. Cybersecurity spending is projected to exceed $1 trillion during the next five years across all business sectors.
You must understand your data assets, they told those in attendance. Know what data is on which systems and why it is there. Define roles well and make sure they are reasonable. The proliferation of data outside of information technology is a real and growing issue.
Assume you’ll have a breach and plan for it. There are four elements to that plan.
- Plan and Practice: Know your risk assessments, deployed security controls and solutions, routine testing and audits, and user awareness and education.
- Identify & Respond: Know your alarms, such as malware alerts, whitelisting and to lines.
- Investigate, Contain and Remove: Determine the specialized training and techniques required, use specialized tools and solutions, and get outside help.
- Reflect and Refine: Know your metrics, your measurements and your proof of performance.