June 7, 2017

In today’s technology-driven climate, security breaches can damage your not-for-profit’s reputation, professional relationships, and sensitive internal controls. Website breaches, social media hacking, and email fraud can lead to inaccurate, and often embarrassing, misrepresentations of your organization.

How can your organization protect itself against a security breach, or minimize damage, if one should occur? The key is to develop a preventative IT security plan and responsive crisis communication plan before a crisis takes place.

Preparing for a Security Breach

Create an IT Security Plan

An IT security plan can help identify and eliminate most of your organization’s potential vulnerabilities. After evaluating your IT security strengths and weaknesses, your organization should apply the following steps to construct an effective security plan:

  • Perform an inventory assessment of your NFP’s assets and determine which resources you’re trying to protect.
  • Complete a risk assessment to pinpoint the level of security that’s needed to protect your information assets.
  • Reference this checklist to determine your organization’s security strengths and weaknesses.
  • Complete an evaluation of your findings and discuss recommendations for correcting insufficiencies and/or improving security.
  • Create your security plan, including target implementation dates.
  • Determine which departments and team members are responsible for each element of the plan.
  • Establish target completion dates and begin monitoring your progress through improvement reports and security initiatives.

Create a Crisis Communication Plan

To establish an effective crisis communication plan, your organization must first develop a communications strategy based on the organization’s policies and procedures. This strategy should be linked to your organization’s data management program and monitored by your IT general controls.

Organizing your communication plan in this way allows you to notice, and address, fraudulent changes almost as quickly as they occur. The basics of a crisis communication plan include:

  • Identifying your crisis communications team (executive and core department leaders).
  • Establishing roles and responsibilities within the team (convening and leading the team, establishing and maintaining a timeline of events, determining next steps, etc.).
  • Developing a process for communicating with employees. This process should make employees aware of the situation, inform them of decisions being made, and provide directions for communicating with external stakeholders.
  • Identifying and managing key stakeholder and vendor communications, followed by developing a process to ensure all are aware of the situation.
  • Preparing foundational talking points on which to build responses.
  • Preparing guidelines to assess the level of crisis and assigning level of response (from relatively minor to catastrophic).
  • Preparing a media communications plan for a high-exposure crisis.

These basics are the starting point for your plan, which can be as simple or robust as you prefer. As you begin to develop the processes, lists, and guidelines, a step-by-step crisis management plan should start to emerge.

There are many communications and PR agencies that can help fill in the blanks as you begin this process. Other possible resources include organizations such as The Taproot Foundation, which pair NFP organizations with skilled volunteers who provide pro bono expertise.

Common Security Breaches

If a security breach should occur, your organization can now respond using its step-by-step security and communications plan. This plan will enable you to tackle security breaches quickly, efficiently, and with as little damage to your organization’s relationships and reputation as possible.

Following are some of the more common security breaches:

Website Security Breaches

For many organizations, websites serve as the primary way of communicating with donors, supporters, and volunteers. And while websites provide public information, such as an NFP’s core message, purpose, and mission, they can also include sensitive information, such as contact information, donor information, access to online donor registration forms, and client access portals.

Your organization’s website crisis communication plan should:

  • Specify whom to notify in the event of a security breach;
  • Specify who is responsible for sending security breach alerts to the rest of the organization;
  • Provide the protocol for notifying donors and volunteers;
  • Specify a designated spokesperson to represent the organization in the media;
  • Contain guidelines for a PR protocol, including a press release and/or social media response, that represent the organization.

Social Media Hacking & Misrepresentation

Social media provides an accessible, cost-efficient way for not-for-profit organizations to reach large audiences, quickly and effectively. That said, your communications specialist should review and monitor all social media exchanges to make sure they are correctly representing your organization and your brand.

Social media users interact with billions of pieces of content each year. If your organization is hacked by an outside party, it can be seconds before thousands of users have seen, or re-shared, a post that misrepresents your organization.

To prevent damage to your NFP’s online presence, you should also have a preventive social media plan. This plan should specify:

  • An intended social media use and security policy that is linked to your organization’s overall communications strategy;
  • A Bring Your Own Device (BYOD) policy. This can help limit the security risks that arise when personal devices are used to access content, take part in unauthorized communications, or spread misinformation.

In the event of a damaging social media interaction, your organization’s reactive crisis communication plan should specify:

  • Who is to remove the damaging post from the social media platform;
  • Who is to write an apology for the content and approve the apology before it is sent; and
  • Guidelines for when additional steps are necessary, such as communicating with volunteers, emailing donors, or providing an explanation on your organization’s website.

Email Breaches & Fraud

While websites and social media are vital to online communication, email remains the primary mode of contact for exchanging sensitive business information.

This means that sending and receiving email is your organization’s primary cybersecurity exposure. Fraudulent links and attachments give attackers many ways to gain access to your organization’s private information, internal controls, and donor information.

To prevent your organization from falling victim to fraud and phishing scams, your NFP should establish a preventative security breach strategy. This strategy should:

  • Include an annual security awareness training, covering how to identify phishing scams and potentially harmful emails;
  • Inform employees that clicking on untrusted links and attachments can expose your organization’s network to malicious code, ransomware, or key logging programs;
  • Instruct employees to apply email filters and review firewall whitelists (approved traffic) and blacklists (unapproved, or denied, traffic).

Your organization’s email security breach response should proceed much like your website security breach response, while placing additional emphasis on notifying donors, volunteers, and employees of the potential danger.

Bottom Line

Not only do security breaches compromise your organization’s ability to do its work, they can also compromise your donors’ trust and have lasting effects on your organization’s image. The ability to address disruptions quickly, through pre-established, pre-tested communication protocols, can prevent damage to your organization and brand before it occurs.

Reference these resources to learn more about security breaches and fraud and the importance of IT general controls for not-for-profits.

© Clark Nuber PS, 2017. All Rights Reserved

This article contains general information only and should not be construed as accounting, business, financial, investment, legal, tax, or other professional advice or services. Before making any decision or taking any action, you should engage a qualified professional advisor.