Data Breach, Cyberliability, and Your Nonprofit

Since I’m not talking to anyone specifically and there’s no fear that I’m trying to sell you something, I’m going to dispense with the niceties.


You do have to worry about data breach and cyberliability issues.

I don’t care how small your nonprofit is. I don’t care how high-tech your IT guy is. I don’t care how much you think nobody is targeting you.

Here’s why: Cybercriminals and the malicious code they dispense into the world wide web do not care about those things and are looking for any hole they can find, regardless of who you are. 

Cybercriminals do not only use the sniper method. They have shotguns and wide nets.  They use all kinds of tactics and strategies to gain access to computers, servers, laptops, smartphones, and tablets.

And these tactics are being deployed continually.

I’ve known this fact. I’ve been the victim of this wide-net, shotgun approach to criminal data-gathering.

No cybercriminal is targeting some random insurance agent in the suburbs of Atlanta, yet my Yahoo email has been hacked, my Facebook passwords have been compromised, my social security number has been hijacked, and my debit card has been stolen.

These things happen not because a guy like me is targeted. They happen because the internet is crawling with viruses and malware. Consider a kindergarten class where two kids have the stomach crud. That’s the internet.

Let me offer an initial recommendation to anyone who does work on a computer, smartphone, laptop, or has a smart refrigerator (all human persons in the western hemisphere):

If We’re Vulnerable, What Next? 

I’m about to commit a small cyber crime here and copy Marc’s ‘UPDATE’ protocol for some simple, basic risk management around your personal computing and smartphoning activities (please go listen to that podcast, though, to put this protocol into context):

  • The UPDATE Protocol
    Update – keep your software updated (otherwise it’s full of holes)
    Password – don’t use your Facebook account to log in to other sites
    Download – from authorized sources only
    Administrator – don’t use your computer when logged in as admin (except when necessary)
    Turn your computer off – or at least the wifi
    Encryption – scrambles your data unless you have the password

As soon as I log off after writing this blog, I’m going to go buy Marc Goodman’s Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It (Amazon Affiliate Link) to get a better handle on just how certain hacks and data breaches take place.

Did you know, for instance, that Target’s breach took place because the hacker gained entrance to Target’s servers via their HVAC contractor? Who would think that? It was your basic random employee who clicked on one of those spammy-looking links in an email. And bam. 1/3 of the United States gets affected.

Some Suggestions for Nonprofits’ Cyber Risk Management

Let me make some suggestions on how to respond to the fact that we are all vulnerable to a cyber attack or data breach:

  1. Be Honest with Yourself: Most computers have some form of malware or virus. We have to start by being honest that criminals get new malware to market faster than our virus protection software gets protection for it. In a word, we’re vulnerable.
  2. Enact the UPDATE Protocol: This protocol is the clearest, simplest approach I’ve seen to basic risk management. Make the protocol your new good habit.
  3. Purchase Cyberliability Insurance: Find some coverage for the events that might slip through. Cyberliability insurance helps pay expenses in the event your nonprofit or business is part of a breach. Remember that cyberliability not only addresses computer-related breaches, but (normally) also includes paper documents.
  4. Train, Train, and Train: Continually keep these issues in the forefront of your employees’ minds. As annoying as it is (our IT folks bombard us often, too), remind them to not click spammy links, to update software, and to take special care of portables like laptops, phones, and tablets.

Data Breach Comes in Many Shapes and Sizes

Data breaches can be the result of hackers, stolen laptops, disgruntled employees, or simple employee errors. Don’t allow yourself to pigeonhole where a breach can come from. When I speak with clients, they typically have a very narrow view regarding where a breach can come from. Realize that there are a thousand ‘doors’ into your office. A breach only requires one door to be propped open with a cyber-brick (thanks to Marc Goodman for that little analogy).

My guess is that insurance claims around our computers and other electronics will become more prevalent than many other types of claims (outside of auto-related claims because, dang, people are dumb in cars).

Start developing a risk management stance toward your own and your nonprofit’s use of all devices connected to the internet.

We love convenience, but convenience comes with added responsibility and a potential price.

Be prepared.


In case you missed my earlier recommendations, please go listen to the podcast with Lewis Howes and Marc Goodman about cyber crime.
