Reputation is crucial when it comes to attracting financial contributions to Not for Profit (NFP) organisations. Yet with cybercrime on the rise, NFPs are facing a new threat to brand reputation and profitability, should the personal information of donors become compromised in an attack.
A tarnished reputation has the potential to reduce the number of individuals that trust, and are willing to donate to a NFP. Given the heavy reliance most NFPs have on donor contributions, as well as the fierce competition in attracting donor dollars, a cyber breach, coupled with possible legal action from third parties, has the potential to heavily impact the financial sustainability of a NFP organisation.
In this day and age, the number of business systems holding sensitive data that rely heavily, if not solely on the internet is staggering. Although the internet enables us to achieve so much, it sadly also means that data rich business systems are becoming more vulnerable to attack by skilled cybercriminals who perceive them as a goldmine.
And while public awareness and protective measures against cybercrime are continually advancing, so too are the methods of savvy cybercriminals. The recent, now notorious cyber incidents – WannaCry (May, 2017), and Petya (June, 2017) which shut down businesses across the globe, just add to the already insurmountable evidence that no business is immune to cyber attacks.
What is cybercrime?
‘Cybercrime’ is criminal activity carried out using a computer and/or the internet, with the goal of gaining unauthorised access to, or procuring digital information - primarily of a personal or financial nature.
Varying methods include: computer and network hacking, installation of viruses and malware, phishing and scam emails, or extortion via malware. This is where systems and data are held to ransom for a financial sum, with no guarantee of regaining access following payment.
Why do cybercriminals target NFPs?
NFP’s tend to have limited resources, with a high level of accountability surrounding expenditure. These factors, among others listed below, can translate into an increased vulnerability to cyber attacks.
- If your NFP relies on donations, it is likely you hold sensitive financial data on donors. Information of this nature is a lucrative target for cybercriminals.
- Older computers, or ones that haven’t been diligently updated, can be devoid of necessary security patches to keep cybercriminals from accessing information.
- If volunteers form a large portion of your workforce, or you have high staff turnover, many individuals may not be adequately trained in information and data security procedures, or the Privacy Act.
- Free software or inexpensive webhosting can have weaker security measures, making you an easy target for cybercriminals.
- Under the pretence of donations, cybercriminals can forward hyperlinks that introduce viruses or malware into your computer systems.
- NFP organisations can lack sufficient resources to adequately protect data and defend against cyber attacks.
What are the potential consequences of a cyber attack?
1. Statutory fines and penalties
February 2018 will see the Australian Government enact the Notifiable Data Breaches (NDB) scheme. Once introduced, all organisations affected by a serious data breach are required to notify the Office of the Australian Information Commission (OAIC), and all individuals whose information may have been compromised.
Businesses and business directors that fail to adhere to new guidelines set out by the NDB scheme could face severe financial penalties: up to $360,000 for individuals, and $1.8 million for organisations.
2. Loss of trust and reputation
Brand reputation is one of the most valuable assets of a NFP organisation, playing a vital role in attracting donors, suppliers and investors.
Should your NFP experience a data breach where personal and / or the financial details of donors are leaked, the fallout could be disastrous for your brand and bottom line. In this competitive sector, it could take months if not years to regain the trust of donors, to the point they feel comfortable donating once more.
3. Third party legal action (e.g. donors)
Third parties who experience damages as a result of a cyber attack, have the right to take legal action against you in order to seek compensation for their losses.
Changes to the Privacy Act in March 2014, saw companies become accountable for the security of third party data, e.g. your donors. As a result of this legislation, a breach of privacy or information theft, can see third parties seek compensation for emotional distress and future harm. Organisations may also be required to provide ongoing credit monitoring services to affected parties, at their own expense.
How can you protect your NFP against the fallout of a cyber attack?
Cybercriminals are continually finding new ways to circumvent IT security. Fortunately, there are a number of effective risk management strategies which can significantly reduce the risk, helping you protect your organisation against the fallout of a cyber attack.
a) Be proactive when it comes to data security
Below are some important preventative measures your company can take towards securing your data, (Computer Emergency Response Team (CERT), 2017).
- Install up-to-date software patches and use supported versions of software
This can prevent malware from exploiting known security issues.
- Develop a daily data backup strategy for your critical information
This ensures your organisation can still access information in the event of a cyber incident. An offline backup can also reduce the impact of a ransomware attack.
- Ensure no systems use default passwords
Companies should apply unique passwords to all systems, including website memberships so they cannot be easily guessed.
- Ensure you have reputable firewall, anti-virus and anti-spyware programs installed
A robust security platform helps to defend against malicious or unauthorised network traffic.
- Ensure staff have non-Administrator access
Administrator level accounts are a prime target for cybercriminals. Ensure your staff are using non-Administrator profiles for day-to-day activities to reduce the risk of compromising your network.
- Ensure your online payment portal is secure and encrypted
If you rely on donations or contributions, a secure payment system is essential. See Smart Company’s Top tips for choosing the best payment gateway for your business.
Note: there are many other situation-specific risks that need to be taken into account. To read a full list of CERT’s recommendations, click here.
A sound IT security strategy can lessen the likelihood of a breach, but also demonstrate to stakeholders that your organisation takes information security very seriously. Additionally, your vigilance may help lessen the severity of legal outcomes should your organisation experience a breach, and third parties commence legal action.
The OIAC have multiple guides on how to secure personal information, how to handle security breaches and how to develop response plans. For more information view the OAIC’s website.
b) Purchase a Cyber Liability Insurance policy
With the average cost of a data breach costing organisations around AUD$2.64 million (source: Ponemon Institute 2016 Cost of Data Breach Study: Australia), Cyber Liability insurance is an essential risk management measure to provide financial protection for your bottom line, and reputation.
Cyber Liability Insurance can offer a broad range of financial protection:
- Fines & penalties - Financial compensation to recoup costs that result from a security breach – including regulatory fines - which can amount to $1.8 million.
- Third party liability - Compensation for clients and customers who suffer financially or emotionally as a result of stolen data.
- Legal and forensic investigation expenses - Extends to include expenses for legal representation and costs that incorporate forensic and legal counsel.
- Reputational repair - Covers for the cost of professional consultants to assist in repairing damage to your company’s brand and reputation.
- Network interruption - Cover for net income that would have been earned, and continuing normal operating expenses incurred including payroll as a result of a security failure.
A Cyber Liability policy can provide cover and help maintain the trust among your key stakeholders, assisting with the survival of your organisation in the aftermath of a cyber security crisis.
Note: Standard Business Insurance policies do not extend to include non-physical threats such as cyber incidents.
c) Ensure the proper destruction of digital storage devices
It is important that any digital storage devices and hard drives are properly wiped and destroyed. A 2014 study by the National Association for Information Destruction (NAID) discovered an alarming quantity of confidential personal information stored on the hard drives of recycled computers. If made public, the release of this information would constitute a severe data breach.
The NAID encourages all businesses to be careful when selecting a recycling service for digital devices, and stresses the importance of ensuring data destruction is carried out by a company possessing the appropriate technical expertise.
d) Develop a Cyber Crisis Management Plan
All organisations should have a Cyber Crisis Management plan that clearly outlines immediate steps to take should a cyber incident impact your business. A clear plan can assist to ensure breaches are swiftly dealt with, and can help to reduce the severity of the fallout following an incident.
The plan should include key external support agencies who can assist in managing the crisis:- IT consulting partners, your insurance broker and/or insurer, and cyber security agencies where you are required to report the incident e.g. Australian Cyber Security Centre (ACSC) and the Australian Computer Emergency Response Team (AusCERT).
A proactive response can help minimise reputational damage and enable you to quickly rebuild trust among key stakeholders. In the event of a data breach, companies must remember to:
- Remain transparent
- Provide full disclosure to clients and regulators regarding the extent of the data breach
Withholding information, or intentionally playing down a serious situation, could have severe legal repercussions and damage your reputation.
e) Instil IT awareness in your employees
An IT Awareness Program can help educate employees on cybercrime, and most importantly, remind them of the part they play in keeping company data secure.
As hacking techniques become more sophisticated, it is increasingly difficult to distinguish between legitimate emails and phishing scams. Regular training on helping your workforce can recognise fraudulent emails and scams can play a key role in preventing malicious, damaging attacks on your IT systems and data.
For further advice on how a Cyber Liability Insurance policy can protect your Not-For-Profit organisation, please contact your Whitbread Insurance adviser for more information. T | 1300 424 627 E | firstname.lastname@example.org.
This insight article is not intended to be personal advice and you should not rely on it as a substitute for any form of personal advice. Please contact Whitbread Associates Pty Ltd ABN 69 005 490 228 Licence Number: 229092 trading as Whitbread Insurance Brokers for further information or refer to our website.