Nonprofit owners and managers must be as vigilant about protecting digital assets as the world’s most renowned tech companies. Financial institutions and health organizations have some of the highest concentrations of personally identifying information, but nonprofits are unexpected stores of Social Security numbers, banking information, and more.
Insider threats are becoming more prevalent in the digital threat landscape. How can nonprofits that require copious outside assistance keep data safe?
Unpacking Insider Threats
The term “insider threats” is complex, particularly because nonprofit organizations have so many moving parts. Over
They have permanent staff alongside a constantly revolving door of volunteers, sponsors, and business partners. Any one of these contributors may be an insider threat and compromise data with their access. Examples of insider threats include:
- Using fraudulent payment processing and accounting
- Working with threat actors to create vulnerabilities for cyberattacks
- Stealing donor or stakeholder information
- Selling data illegally to third parties
- Mismanaging fundraising funds with harmful intent
Nonprofits
Nonprofits lose donor loyalty by ignoring the importance of protecting against insider threats. A breach has consequences for reputation and income. Most importantly, it impacts the charity’s mission when staff and supporters lose morale from compromised momentum. These strategies protect organizations on all sides from insider breaches.
1. Strict Volunteer Vetting
Nonprofits rely on the kindness of volunteers to execute projects. Unfortunately, interest does not always signify good intentions. A desperate need for staff leads to people from every background having internal insights into the nonprofit. Most volunteers will work with honest intentions, but insider threats are too prevalent to justify blanket optimism.
Vetting volunteers eliminates concerns because management can perform safety measures to ensure high-quality helpers. Nonprofits may interview, perform background checks, and review references to determine character quality. It provides
2. Limiting Permissions
A case study of 20 nonprofit organizations revealed teams are too trusting. Around
Paper resources are easier for insider threats to tamper with or steal, and limiting who has access to business-critical information reduces the likelihood of theft. It also speeds up the response to an incident, because nonprofit managers will spend less time discovering the person or people behind the breach if only a small group of staff and volunteers have keys or passwords.
3. Developing Business Continuity
Do nonprofit owners and managers have consistent documentation and plans that are easily accessible in case of an insider threat? Business continuity documents should be accessible to anyone detecting the insider threat.
The plan must contain action steps for
- Phone numbers and links for police
- Who to notify in information technology in the event of a digital breach
- Who to tell in management to contain the threat
- Shutdown actions, such as deactivating Wi-Fi, locking doors, or freezing company financial assets
- Executing digital backup recovery measures
- What evidence to gather
Nonprofits are responsible for practicing and fine-tuning the continuity plans as new insider threats become more severe. Oversight must stay in touch with current events and trends in the sector to know what to protect against. Action must be proactive instead of reactive to be most effective.
The plan must receive scheduled attention annually for reevaluation with advice from a fraud professional. The document should be thorough yet efficient because the last obstacle a nonprofit needs during a crisis is an overly laborious procedure for isolating the threat.
4. Establishing Culture
Every previously mentioned action culminates in a nonprofit culture that opposes insider threats. The more a group works to establish that precedent, the more it reduces a threat actor’s willingness to work toward a breach.
Creating safeguards and being transparent to donors and staff increases awareness of what the nonprofit is doing to protect its resources and people. Why would threat actors be motivated to target an organization with more robust security than another?
Another way to establish a
The more aware everyone is of these anti-insider threat details, the more likely workers are to report suspicious activity or challenge questionable language or actions from other stakeholders. Minimizing complacency and empowering staff members with confidence and agency increases the likelihood that they expose insider threats.
Even if a report does not turn out to be legitimate, it broadens a person’s view of what a threat could look like and of how nonprofit managers can reduce false positives in the future.
Guarding Against Insider Threats in Nonprofits
Social good projects will only increase in influence as time goes on. More people will donate their time and money to causes to improve the world. However, this puts any data they hand over within a potential threat actor’s reach.
Nonprofits are a great place for cybercriminals to gather data. By using these strategies to deter malicious activity, charities can set the precedent that the sector is well-protected.