Your organization’s website can be a dangerous tool if it falls into the wrong hands. Unauthorized users may use the reputation of your not-for-profit organization to promote their spam websites, or they may distribute malware through your website to access sensitive information about your organization, its shareholders and its website users.
Hackers gain access to a website through weaknesses in its system. Sometimes they are able to capture keystrokes to obtain authorized users’ login credentials. Third-party plug-ins or software can also be an entry point.
However it happens, your organization should be prepared to address the problem quickly. Cybersecurity breaches are emergencies, and you should have a triage plan in place to minimize damages. The stakes are high. In 2014, the average cost of a data breach was $3.5 million. Your ability to serve the community would also be materially hurt if your organization appeared as if it couldn’t protect its sensitive information.
With reputational and financial damages on the line, you can’t afford to be caught off guard. Your whole organization, from your information technology support team to your board and your leadership team should work together to address the problem and prevent a similar event from occurring again.
Cut the Source
Cyberattacks are rarely obvious when they begin. Evidence surfaced after the fact that both Sony and Target had warning signs of their breaches that went unnoticed. They are not alone. Only 1-2% of breaches are detected within the first 24 hours. The length of time between the breach occurring and its discovery can be up to 210 days.
Search engines may be able to detect a problem with your website before your information technology team notices anything amiss. Some hackers inject code that does not disrupt the look and feel of your site, but the search engine crawling your site may still detect the problem, such as a not-for-profit school’s website containing hidden code that advertises dietary supplements.
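As an added example (not from the original article), the following Python script scans a page’s HTML for links that sit inside elements hidden by inline CSS and point off-site, the pattern behind the supplement-advertising injection described above; the sample page, the site host name and the list of hiding tricks are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one normal link plus two injected hidden blocks.
SAMPLE_HTML = """<html><body>
<h1>Welcome to Example School</h1>
<p>Enrolment opens in <a href="https://example-school.org/apply">March</a>.</p>
<div style="position:absolute; left:-9999px">
  Cheap <a href="http://diet-pills.example/buy">dietary supplements</a> here
</div>
<p style="display:none">Also see <a href="http://spam.example/">this</a></p>
</body></html>"""
# Inline-CSS hiding tricks this heuristic recognises (assumed, partial list).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px|font-size\s*:\s*0",
    re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}  # elements without end tags

class HiddenLinkFinder(HTMLParser):
    """Tracks open elements and records off-site links inside hidden ones."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.stack = []        # one flag per open element: is it hidden?
        self.hidden_depth = 0  # > 0 while inside any hidden element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and self.hidden_depth > 0:
            host = urlparse(a.get("href") or "").hostname or ""
            if host and host != self.site_host:   # off-site target
                self.findings.append(a["href"])
        if tag in VOID:
            return                                # nothing to pop later
        hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        self.stack.append(hidden)
        self.hidden_depth += hidden

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack and self.stack.pop():
            self.hidden_depth -= 1

def find_hidden_external_links(html, site_host):
    """Return hrefs of links that are both hidden and point off-site."""
    parser = HiddenLinkFinder(site_host)
    parser.feed(html)
    return parser.findings
```

Run it against a saved copy of each public page on a schedule and alert on any finding; it only catches inline-CSS hiding, so injections that hide content through external stylesheets, JavaScript or crawler-only cloaking still need the search-engine reports the article mentions.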
The first step in addressing a problem, once discovered, is to identify and stop the source of the breach. You may need the assistance of a third party so you can quickly isolate the breach and prevent the website hacker from disrupting or disseminating any more data about your organization.
Stopping the breach can become complicated if you’re working with outside vendors, as they may have contracts with agencies or other programs that handle cybersecurity incidents. Third-party information security specialists can also assist your organization with coordinating data-breach efforts with these outside parties, helping you streamline the process.
Assess the Damage
Once the primary source of damage is addressed, you can start the damage control process. What was lost? What may have been compromised? The scale of the damage will determine the steps you need to take in your recovery.
Part of your damage assessment should be an evaluation of the circumstances that led to the cyberattack. Information technology audits can show the weaknesses that allowed the hacker access to your site. You can identify if there are improper system configurations, software or hardware flaws, or operational deficiencies that made you vulnerable to unauthorized users. Firewall protection and wireless network security should also be included in your damage assessments, as these may have provided entry points for the cybercriminal.
Provide an Update about the Problem
After you understand what the website hacker had access to, you need a plan for how to communicate about the incident. Cybersecurity issues can be complicated because legal issues arise if the compromised information included personal data. Involve your legal team in the discussion about how, and whom, you need to notify about the breach. They may be able to minimize your potential liabilities and avoid further complications or reputational damage.
There are a number of parties you need to contact about the breach, from board members to users affected by the breach and law enforcement groups. For example, if credit card information was compromised, you need to communicate the loss to the credit card company and the issuing banks.
Communication about the cyberattack cannot be taken lightly. Though it’s going to be damaging to your organization’s reputation, it will be worse if the community and your shareholders find out about the breach from someone else.
Recovery from a breach includes steps to prevent the attack from occurring again. Information uncovered during the information technology audit will pinpoint some of the vulnerabilities in your system, but keep in mind that your risk environment is always changing. Hackers continually find new ways to disrupt and disseminate sensitive data. Your organization should have a cybersecurity strategy that is able to keep up with the trends in its environment. For more information about how your not-for-profit can recover from and prevent website breaches, please contact us here.
John Robichaud is the Shareholder in Charge of the Internal Audit and Internal Controls Practice. He can be reached at 617-761-0546 or JRobichaud@cbiztofias.com.