Foundations and nonprofits provide some of the most vital services in our communities, and some have legacies that reach back generations. They are an important source of funding for communities, new developments, and discoveries, advancing programs that sometimes would not otherwise get off the ground. Knowing this, who would ever want to hurt a foundation? Cybercriminals never care about the good a target does; they only look at the effort and the reward!
Many foundations and nonprofits think they fall under the radar of cybercriminals, and yet they often operate with some of the highest risks. So, what makes foundations and nonprofits so risky? Here is what makes them easy prey:
- They hold high-value information about high-net-worth individuals.
- They typically operate with a lean administrative staff.
- They manage a significant asset base.
- Their management/leadership team often works remotely.
- They exchange large amounts of data.
- They often invest little in technology or don’t keep it up to date.
- If they have internal technology staff, those staff may not stay current on the latest best practices.
- They don’t perform system vulnerability assessments regularly.
- They don’t proactively train and test staff on cybersecurity threats.
- They may have a high number of independent contractors whose credentials are never terminated after the contractor leaves.
- They believe cyber insurance will protect them.
If you have ever received a security breach letter from a company, you can relate to the sinking feeling of not knowing what might happen next. As a foundation or nonprofit, you have spent years building your legacy. Not taking basic security precautions can mean your reputation being tarnished along with an expensive clean-up effort. In March 2024, Lurie Children’s Hospital in Chicago suffered a data breach impacting over 800,000 people’s personal records; with its systems down, the hospital’s ability to treat patients came to a halt, and it did not fully recover for four weeks! This is an organization with a large IT department. Now imagine a foundation managing millions, typically with a staff of fewer than 50 people. The risk-versus-reward calculation for the criminal is very attractive.
Foundations and nonprofits don’t always take proactive steps because they don’t believe they are at significant risk, or they think the cost is too high, though that is typically the furthest thing from the truth. Whether the organization operates with an internal IT team or outsources, it is important to know your risks and account for them. An independent vulnerability assessment is a great place to start. This goes beyond an assessment your independent auditor/accounting firm may do, as they often focus only on documented internal controls and not on your overall IT environment.
In addressing risks, a foundation or nonprofit should do the following:
- Create an information security committee/team with the organization’s governance board.
- Conduct a risk assessment that looks at data, systems access, environment, employee training and development, code of conduct, etc.
- Conduct an independent annual vulnerability assessment that looks at both external and internal threats and potential attack vectors, and that performs actual system tests.
- Review internal policies and controls related to information access and the user credentials of both employees and contractors.
- Provide the findings report to the security committee along with a remediation plan for the identified risks.
- Appoint a leader for executing the remediation, and re-perform the system tests afterward.
- Lastly, most failures result from employee actions, so it is important that a robust employee anti-phishing training and proactive testing plan is in place.
An effectively managed security plan, along with maintaining the system environment, does not have to be a costly and overly burdensome experience. But if a plan is not in place, a security incident can hurt the reputation of the organization and be very costly in the end. Being proactive and recognizing the need for a security plan is an important step on the road to continuing your organization’s vital mission.
Sagin, LLC is a management consulting and IT managed services firm that provides full-service 24/7 support to organizations, including help desk, infrastructure, server/cloud management, data security risk mitigation, and strategic planning, and specializes in nonprofits. Sagin is also a certified LGBTQ Diverse Business Enterprise. For more information about an independent assessment protecting your organization or how to better manage IT costs, you can contact us at info@saginllc.com, visit us at www.saginllc.com, or call +1.312.281.0290.
You can also ask us about a free copy of our latest research study: Museum 2030, the future of museums and nonprofits.
Sagin, protecting nonprofits and foundations.