February 22, 2017

“Cybercrime keeps climbing” was the key finding of the 2016 Global Economic Crime Survey recently completed by PwC. In fact, the survey results show cybercrime “jumping from 4th to 2nd place among the most-reported types of economic crimes.” While organizations are embracing new ways to make their operations digital for efficiency and effectiveness, criminals are becoming progressively more skilled at obtaining valuable information. As a result, cybercrimes such as phishing, ransomware, hacking, identity theft and malware are on the rise.

Unfortunately, cybercrime is not just an IT problem, nor is it limited to small businesses, corporations or government. Nonprofit organizations are also falling victim, and this is happening on the watch of their Chief Financial Officers. The finance leaders of nonprofit organizations are increasingly responsible for the IT function, and many, along with their organizations’ board members, have significant gaps in knowledge when it comes to IT security. This opens the door for many nonprofit organizations to become victims of cybercrime if they do not take steps now to make IT security a priority.

Those who understand recent trends in cybercrime, how criminals think, where their organization may be vulnerable, and which protection measures are appropriate for their operations stand a better chance of avoiding the risk of high economic losses and perhaps, most importantly, loss of reputation. It starts with a few key realizations.

All organizations are at risk. Nonprofit organizations receive hundreds, if not thousands, of emails each day. Phishing emails are easy to send and offer quick returns, and the practice is attracting new criminals each day. Unsuspecting ransomware victims are quietly paying thousands of dollars to cyber criminals to get their data back, some having to close their doors forever.

The odds are not in your favor. All companies and nonprofit organizations are targets for cyber attacks, and the criminals are only getting smarter. In fact, according to Microsoft, 20% of small to mid-sized businesses have been targets of cybercrime. “Soft targeting” is increasingly successful because it reaches specific individuals and cleverly mimics internal communications. All it takes is one person within the organization clicking on a link they think is from someone they trust and the entire network is compromised.

Technology will not solve the problem. Unfortunately, there is not one magic technology solution to avoid becoming a victim of phishing and/or ransomware. Human beings play an important role in cybersecurity, and criminals have learned to exploit vulnerabilities by constantly changing their tactics. A few years ago, criminals were sending a phony resume to review. Then, they tried to lure people with an overdue invoice. Cybercriminals are continuously adapting to find new ways to get employees to provide valuable and potentially damaging information.

If properly trained, employees are the best defense. Employees play an important role in protecting the organization; therefore, it is imperative that everyone (from the board of directors to the hourly employees) sees cybersecurity and privacy as their responsibility. Like their business counterparts, nonprofit organizations must have comprehensive policies and procedures for IT security, and should implement employee training on phishing tactics and handling of emails containing possible ransomware at least twice a year. Early victims of these crimes only wish they had that opportunity!

Nonprofit CFOs and IT professionals who focus on understanding the fundamentals of cybercrime, and take a close look at their operations, are better positioned to withstand the challenges ahead as cybercrime becomes even more prevalent. Proactive organizations not only employ IT policies and training to make cybersecurity part of their culture; many are also turning to IT assessments to identify the specific risks to their organization. Using the National Institute of Standards and Technology (NIST) Cybersecurity Framework, these assessments not only identify an organization’s unique vulnerabilities, they also provide detailed recommendations for safeguarding its most valuable information assets.

For more information on cybersecurity threats and IT assessments specific to nonprofit organizations, contact Ricardo Trujillo, CPA, CITP, CISA, Senior Manager, IT Audit Services & Consulting at 301-951-9090.

[1] PwC. (2016). Global Economic Crime Survey 2016: Adjusting the Lens on Economic Crime – Preparation brings opportunity back into focus. Retrieved from http://www.pwc.com/gx/en/economic-crime-survey/pdf/GlobalEconomicCrimeSurvey2016.pdf

[2] Warnick, Jennifer. “Digital Detectives.” Microsoft Story Labs. https://news.microsoft.com/stories/cybercrime/ (February 9, 2017).

Ricardo Trujillo, CPA, CITP, CISA

Partner, Audit and Assurance