Turning the Course of Nonprofit Cyber
When talking to people about cybersecurity in the nonprofit space I frequently say, “The nonprofit sector is 15 years behind the power curve on cybersecurity.” I like to think that it’s provocative to say. But in all the times I’ve used it, I haven’t heard a single “Hey! That’s not fair!” in response.
Unfortunately, the nonprofit world is just waking up to this set of problems, and missionaries are no exception. So, let’s explore the drivers for security on the for-profit side of the house to see what lessons we can learn.
Drivers of Security
For-profit businesses have about 7 drivers that force them to confront cybersecurity and quickly get on top of it:
1. Breach – Getting breached, and learning about other organizations’ breaches, continues to be a major driver for businesses around the world. Paying the costs of a breach or ransom and going through all of the stress of recovering is pain that many prefer to avoid, so businesses build programs to prevent and respond to breaches.
2. Insurance – Insurance providers have lost a huge amount of money to cybersecurity failures because of miscalculated risks. They are increasingly passing on the costs of breach to the insured company either in the form of high deductibles or high premiums—or refusing to issue a policy altogether—so establishing a cybersecurity program directly saves businesses money on their insurance policies.
3. Mergers, Acquisitions, Private Equity, and other Investors – Investors of all forms from seed funding to growth equity want to know that businesses are exercising due diligence and managing risk responsibly because they don’t want (overly) risky investments. Funding sources increasingly expect a minimal level of security and compliance before releasing funds, so businesses invest in cybersecurity to unlock more funding.
4. Board Members – As board members move from company to company, they take their lessons learned, and their scar tissue, with them. Businesses invest in cybersecurity to exercise their fiduciary responsibilities and keep the board satisfied.
5. New Customers – Customers have been burned by bad vendors in the past when service providers have failed to properly store private information or when data has been lost and disclosed in a breach. As customers (particularly for business-to-business products) begin to question vendors’ security postures and demand certain security features, businesses adapt so that they can close bigger deals.
6. Vendors – Security vendors constantly (cold-)call potential customers looking for new business. Security vendors play a minor role by ensuring that no one can forget about the problem and producing most of the content about fixing security deficiencies.
7. Compliance – Governments, industries, and professional organizations set standards which businesses must comply with. Compliance forces businesses to at least acknowledge the security problem, even if businesses are still often willing to bear the cost of a fine rather than investing in top-tier security.
Application to Nonprofits
I would argue that all of these can be drivers for nonprofits as well, but there’s work to be done to unlock each driver.
1. Breach – High-profile breaches like Blackbaud and SiteStacker are bringing awareness to nonprofits about risks to and via their donor management platforms. Ransomware spares no one. Attackers will drain a nonprofit or church’s bank account just like anyone else.
2. Insurance – Many nonprofits already rely on insurance in other domains, so insurance is already a viable driver for cybersecurity adoption across the nonprofit sector. The desire to get insured in case of breach or to drive the cost of insurance down may help bring up the level of security investment.
3. Mergers, Acquisitions, Private Equity, and other Investors – Grantors and foundations play this role in the nonprofit sector, but I argue that they aren’t yet working to help nonprofits improve their cyber efforts.
4. Board Members – As experienced board members serve on multiple nonprofit boards, the number of boards that ask executive directors “What are we doing about cybersecurity?” will increase.
5. New Customers – It’s possible (though unlikely?) that mass movements of donors and supporters will refuse to support a nonprofit if due diligence isn’t in place to prevent loss of money to cyberattacks. It’s more likely that the nonprofits themselves will push THEIR software vendors to improve in order to get ahead of third-party risk, in a process that looks more like enterprise sales. That is why we wrote a vendor security questionnaire.
6. Vendors – Security vendors can learn to speak “nonprofit”—and many are! (We’re one of them!) The advantage of traditional cybersecurity vendors is scale: a large customer base sustains demand for high-quality output and actually drives prices down, bringing it within reach of budget-constrained organizations of all types.
7. Compliance – Governments, industries, and professional organizations set standards which businesses must comply with. Nonprofits are just businesses with a different fiduciary responsibility, so compliance can help drive adoption too. Since most mission-driven teams have some level of budget constraint, it’s less likely we’ll see them behave like multinational banks that can eat a fine, and more likely we’ll see proactive work to avoid fines.