Did you know the first recorded ransomware attack was aimed at the health research community? In 1989, roughly 20,000 attendees of a World Health Organization (WHO) conference on AIDS research were mailed a complimentary floppy disk that purported to contain software related to the research. Instead it carried malware (now known as the "AIDS Trojan") that, after a set number of reboots, hid directories and scrambled file names, blocking access to the files on the infected computer. The ransom demanded for the code to restore them was $189.
The threat has grown dramatically since that first clumsy extortion attempt. In 2021, non-profits around the globe were targeted by a phishing campaign attributed to "Nobelium" (the threat group behind the SolarWinds compromise; Nobelium is an attacker, not a virus), which used a legitimate mass-mailing service to masquerade as a US-based development agency and distribute malicious links to a wide variety of organizations.
What makes non-profit organizations such attractive targets for cyber criminals? Two reasons: (1) the donor information that is the lifeblood of a non-profit is exactly the data thieves want to steal; and (2) non-profits often spend their limited capital on things other than cyber security protection and training, which makes that data easier to reach.
It is estimated that up to 70% of non-profit organizations have neither conducted a cyber security vulnerability assessment to identify their risks nor implemented a Written Information Security Plan (WISP), and that 56% do not use even basic protections such as multi-factor authentication for network access.
Non-profit organizations that have not yet implemented a WISP are taking a huge risk that can present problems on many levels:
- Data breaches, ransomware, and other cyber attacks are a rapidly expanding plague affecting organizations of all types and sizes: 32% of organizations reported a cyber attack in the past 12 months, up from 25% the year before
- 26 states (including Massachusetts, Rhode Island, Connecticut, Vermont, New York, and Maryland) have laws requiring any organization that possesses personal data on donors, employees, vendors or subcontractors to have and maintain a WISP
- Suffering a cyber attack without an up-to-date WISP in place can be expensive and devastating: the average financial cost of an attack was $104,296 in 2020, almost double the 2019 figure ($53,987)
What is a WISP?
As its name implies, a WISP is a written document that details an organization's security policies, controls, and procedures. It helps ensure that the organization implements and maintains reasonable safeguards for the information it holds. Beyond satisfying legal requirements, a WISP gives a non-profit sound security procedures that reduce the likelihood of a data breach and limit its liability if one does occur.
What Data is Covered?
Most cyber security laws and regulations apply to any organization that holds or accesses personally identifiable information (PII): data that can be used, alone or combined with other data, to identify an individual. If you think you don't hold such information, you are probably wrong. PII includes a person's full name, Social Security number, tax records, financial or banking information, payroll data, driver's license number, and medical records. You almost certainly hold some or all of this data on your donors, employees, and vendors, and are therefore likely subject to the regulations.
What Goes into a WISP?
Writing and implementing a WISP is not a simple process. It requires reviewing your organization's management and fundraising processes; understanding the laws and regulations that apply to the IT systems and data used in those processes; identifying information security gaps and weaknesses; finding the right balance between fundraising practices and security; and educating end users about the policy once management has approved it.
Every non-profit should have a WISP that is customized specifically for the organization. Typically, a WISP addresses the following:
- Designation of the employee or employees responsible for the security program
- Identification and assessment of security risks
- Policies for storage of data, as well as access and transportation of personal information
- Disciplinary measures imposed on WISP violators
- Revoking access for terminated employees and volunteers
- Managing the security practices of third-party vendors and contractors
- Methods of restricting physical and digital access to records
- Monitoring and reviewing the scope and effectiveness of the WISP
- Documentation of data security incidents and responses
Implementing Your WISP
Policies and procedures are useless until they are communicated and implemented throughout the organization. WISP implementation must therefore include notifying, educating and training employees, volunteers, vendors, and subcontractors on the required data security procedures. All paid employees and regular volunteers should be trained on the policies appropriate to their level of data access and should sign off to confirm their training and understanding. New employees and volunteers should receive data security training as part of onboarding or orientation.
Training should not be a one-time event. As criminals develop new techniques, additional security measures and further training are needed. Many organizations engage outside consultants to run simulated phishing campaigns on a regular basis to test the alertness and compliance of employees, volunteers, and even managers.
You must also ensure that third parties with access to your data develop, implement and maintain their own information security program. Depending on your operations, this may include banks, payment processors, accountants, consultants, subcontractors, and others; the Massachusetts regulation, for example, requires you to select service providers capable of protecting personal information and to require appropriate safeguards of them by contract. If a vendor causes a breach and you never confirmed that it had such a program, you may be held responsible.
Keeping a WISP Current
When an organization's security is breached, regulators or prosecutors will soon come knocking. The worst possible position to be in is to have no WISP at all. The second-worst is to have a WISP tucked in a drawer, with no evidence it was ever implemented.
A WISP is not a document you can "file and forget." Because the cyber security landscape, IT systems and data security laws are all constantly evolving, a WISP drafted just a few years ago may not be sufficient to address today's threats. In addition, any event that may affect data security requires an update to your WISP. For example, an upgrade to your computer network, moving your data storage to the cloud, running a new fundraising campaign, or expanding into another state will all necessitate a WISP update to keep your organization in compliance with the law.
In Massachusetts, the data security law (which multiple states have used as model legislation) requires an organization that suffers a breach to notify the state's Attorney General and to identify any steps taken or planned in response to the incident, including updating its written information security program.
Want Cyber Insurance? Better Have a WISP
Your non-profit may want to invest in cyber insurance to help absorb the cost of a data breach. Read the policy carefully: many policies cover only "first party" losses to the insured, such as the cost of notifying individuals whose data was compromised, and do not cover liability for damage done to third parties unless that coverage is specifically included. Insurers have also denied claims because the insured did not have a WISP in place.
Conclusion
Nothing about a WISP is simple or easy, because the threat to your organization, your employees and your donors is significant and immediate. Unless you have internal IT staff, it is usually wise to engage an outside consultant to help you prepare, implement and maintain your non-profit's WISP. An experienced IT services provider recognizes the latest threats, understands how to help you comply with data security laws and regulations, and can help you manage the response properly should a data breach occur.
If your non-profit organization does not have an active and up-to-date WISP, you are placing it in serious peril. For help on how to develop, produce and maintain a workable WISP, please contact me at (781) 407-0300 or bgarrett@gggllp.com.
