A few weeks ago, one of my clients, a small nonprofit here in Columbus, Ohio, had its website hacked. We couldn’t figure out why our website wasn’t loading properly or what had happened to all of the content. Then we received the simple explanation from our web manager: “We got hacked.”
“We Got Hacked”
At first, there were laughs around the room. And then we realized that this was actually a real thing. And it happened just in time for our holiday give campaign to start. (Cue: Sad Trombone Sound)
Nonprofits assume they’re exempt from the threat of hacking and cyber security breaches. Why bother hacking a tiny nonprofit when you could hack a large corporation that has a ton of money and a bunch of customers who’ve handed over their personal information? Want the truth? IT’S REALLY EASY.
Hacking a nonprofit isn’t about the monetary gain for the hacker – it’s about making a malicious statement that it can be done. And, unfortunately, the result of nonprofit hacks can be really costly for the organization. Lost records, damaged public relations, a knocked-out donation system, or compromised donor personal information can shut the organization down pretty quickly. And when your staff consists of volunteers or you relied on previous pro-bono work, it could take a while to get yourself back online.
Remember that donors can give money to plenty of places and a hack could turn them completely away from your organization, suggesting that you weren’t careful or diligent enough to protect their information. So what can you do to prevent being hacked or to rebuild after a hack? Here are a few steps to take:
What You Can Do
Lock down your devices. Laptops, iPads, mobile phones, even desktop computers are super easy to steal or connect to. Stolen or lost devices account for a large chunk of compromised information. Make sure you keep track of all devices – even if they’re not often used – and have a plan to wipe secure information should the device be compromised.
Reset your passwords often and be careful how you share the information. If your organization is small, it’s likely that everyone working there knows the password to at least one shared account. There’s probably a “passwords” document stored on a Google Drive or in a notebook (in an unlocked drawer) that would be easy for a data thief to discover. Take a page from the corporate security book and make a reminder to reset your passwords every few months. You can use password storage programs through your anti-virus software, or something like LastPass to keep passwords private and secure and accessible to just those who need them.
Encrypt, encrypt, encrypt. Though you might use cloud storage, you should always keep files on your hard drive encrypted. It’s super easy to do, and the benefit is that even if data is compromised, hackers still won’t be able to read your files without knowing how to decrypt them.
Put it in writing. When organizations rely on volunteers and a small staff to execute, policies and procedures are often overlooked or oversimplified. When it comes to the privacy and security of your information, you must make sure your staff members and volunteers know what they can and cannot share. Put it in contracts, employee manuals, and agreements so there is no confusion.
Have you ever been hacked? How did you fix it? Tell us in the comments!