January 9, 2015


While businesses have devoted billions of dollars protecting themselves against cyber attacks, many nonprofit leaders remain unaware of what they should be doing to protect their organizations from hackers and criminals online.

The Office of Corporate Social Responsibility at American Express has launched an effort to bring awareness of this important issue to nonprofit leaders though our already-existing leadership development programs and to share some best practices on what nonprofit organizations could and should be doing to combat this growing threat to their data.

Nonprofit organizations possess myriad kinds of information that might be valuable to hackers and criminals, including:

  • Personally identifiable information. Your organization is likely collecting information on your donors, customers, employees and beneficiaries that would be valuable information for criminals. Information such as names, addresses, email addresses, phone numbers, Social Security numbers, bank account numbers, and credit card numbers are all valuable pieces of information and can be sold on the black market.
  • Donor and patron relationships. Your donors and supporters may be affluent or high net worth individuals, foundations and corporations. They already have a special relationship with you, and if they were to receive an email message from a hacker posing as your organization, they might be likely to open it -- potentially spreading a virus or malware into the donor's own network or computer equipment.
  • Financial and employee information. You collect other valuable information on your employees, including salaries, health benefits, vacation schedules and the like. And, you are most likely using your network to collect and store confidential information on your finances, programs and assets as an organization.

Hackers may target the following parts of your organization:

  • Your staff. Access to one or more email inboxes may provide the ability to gain broader access to your network.
  • Your web site. Whether your web site is hosted internally or externally, it may be targeted by hackers for access to your network and valuable information on your users.
  • Your social media sites. Hackers can gain access to your social media accounts and their users, exposing your users to further attacks and misinformation.
  • Your customer relationship management databases. As dutiee.com reports, these databases often hold "the keys to the kingdom" and are the ultimate goal of hackers.

Here are some ways to train your workforce and to be prepared to respond to a data breach incident:

  • Defend your computer. The security of your computers and networks is crucial for your employees and your organization. Make sure that you've installed anti-virus and anti-spyware software, and protect your routers and software packages with strong passwords. Don't be tricked into downloading malicious software. Think carefully before opening suspicious attachments.
  • Protect sensitive business data. Don't put sensitive and confidential information in email or text messages. If you are unsure if a message is genuine, contact the sender through another device or network. Never share sensitive data – such as personally identifiable information – in response to a phone call or online inquiry.
  • Create strong passwords and keep them secret. Passwords provide the first line of defense against unauthorized access to your data. Secure passwords have at least eight characters and utilize upper and lower cases, numbers and symbols. Don't include your real name, birth date, social security number, or common brand names in your passwords.
  • Guard your data when on the go. Treat all public W-Fi systems as a security risk. Do not expect privacy in Internet cafes, hotels, offices or public places. Use flash drives sparingly or not at all.
  • Make a plan to address cyber incidents. The best time to plan on how to respond to a disaster is not during the incident. Make a plan on how to respond in a fast and efficient manner in order to minimize damage, recover quickly and prevent future incidents. End users should be familiar with symptoms that might indicate an incident and know what to do.
Business Wire NewsHQsm