By Laura Haight

There is no way to know for certain how many nonprofits were hacked in 2015 or are in the process of being hacked right now. But many security organizations and cyberthreat analysts believe it is at least as high — if not higher — than the rate for small business.

Like small businesses, nonprofits are disproportionately victimized by fraud and hacking as well as underprotected by controls and detection measures. This assessment from the Association of Certified Fraud Examiners is a wake-up call for nonprofits that do not realize how at risk they are. To support the nonprofits serving critical needs in the Upstate, Portfolio and Wessel Accounting are offering to provide their BizSafe Security Review for free to one local nonprofit each month through 2016.

BizSafe is a scalable tool to help assess, identify and mitigate the veracity of internal controls and security procedures that could be leaving a business or nonprofit vulnerable to hacking, cracking or fraud. The service is jointly provided by Laura Haight, a former IT executive and president of Portfolio, and Kelly Wessel, former director of internal audit for the Greenville Health System and president of Wessel Accounting.

Although periodically news of a hack or exposure of a nonprofit comes to light in the news, there is a shortage of hard data to analyze. Experts like the the ACFE and the Hauser Center for NonProfit Organizations at Harvard University, see this not as a lack of risk but a lack of public reporting.

In the small business sector both the National Small Business Association and Symantec reported that in 2014 more than 60 percent of small businesses in the US. were hacked. That trend only expanded in 2015, every cyber expert admits. Across the board, the ACFE estimates that 6 percent of revenue for all businesses is lost to fraud or hacking. In many cases, attacks and embezzlement that the business is unaware of. When it comes to cybercrime, the FBI has stated that most businesses have a hacker in their systems for 18 months before they even realize it, and most find out when the FBI comes knocking at their door.

Experts believe nonprofits are at least as vulnerable - and most more at risk - than other small businesses. In addition to detailed donor databases including names, addresses, donation amounts, banking information and even in some cases credit cards, nonprofits have information about grants given and received, as well as clients they serve. They may have health records or family information. All of these are important data points that hackers or cybercriminals will use to build a profile and hack identities. Additionally, websites are particularly vulnerable because they are often not regularly updated or have support staff to fully monitor their security.

“Kelly and I are very concerned about the vulnerability of nonprofits and we hope that by offering our BizSafe service to some local organizations we can raise awareness about the risks, the availability of solutions and the importance of educating and protecting ourselves, our businesses, our donors and our sustainability,” noted Haight.

You can learn more and nominate your favorite nonprofit by visiting the BizSafe website: http://www.bizsafesc.com/nonprofit-program/.

For more information, contact laura@portfoliosc.com or kelly@wesselaccounting.com.

In the wake of the data breach at the South Carolina Department of Revenue, I would like to mention some steps that businesses can take to protect themselves, their customers, and their employees from possible intrusions from this breach and other potential breaches or disasters.

1) All individuals should take advantage of the free credit monitoring being offered by South Carolina through Experian. The link to get this protection is: www.experian.com/scdor. The access code is scdor123. Also, place a fraud alert and a credit freeze on your credit report with the Experian, Equifax, and Transunion credit reporting agencies.

2) South Carolina businesses should take advantage of the free credit monitoring offered by Dun & Bradstreet.

3) Monitor banking and credit card accounts on-line daily.

4) If you (or your business) have provided your banking information (account and routing number) to the state, talk to your banker about how your bank is protecting its customer accounts. If you are not comfortable with protection provided by the bank, discuss changing your account number.

5) If your business does not already have a written security policy that sets up the company standards and responsibility for security of on-line data and off-line documents, get one. Be sure to address secure document disposal, data back-ups and the security of the back-ups. The policy should also include consequences for violations and it must be enforced.

6) Know what kind of consumer and employee information you are collecting, where it is, and who has access to it. Access should be limited to as few as possible on a need-to-know basis. Likewise, know who you are giving YOUR information to, why they need it, and how they protect it.

7) If you accept credit cards make sure customer credit card information that is stored in your system is encrypted by you or your processor. For recurring charges, it is preferable to store those card numbers in a data vault provided by your processor. Customer credit card numbers and other consumer information should never be stored on unsecured documents . And don’t blow off the annual PCI questionnaire (SAQ). Complete it honestly. This questionnaire should show you where you may be exposed. Your merchant account provider should be willing to help you with this.

8) Develop a strict password policy that addresses assigning passwords, levels of access, routine password changes, prohibits password sharing, and sets up procedures for immediate password deactivation when appropriate.

9) Hire an IT security specialist to review your system security if you don’t have a qualified employee to do this. If an employee designed the security, the review should be independent.

10) If you keep hard/paper copies with sensitive employee or customer information, they should be adequately protected, secured, and protected during disposal.

11) Restrict access to your facilities. Know who can enter and what they can access. Restrict key distribution and change locks/keys in appropriate situations (lost keys, employee termination, etc.).

12) Have a disaster recovery plan. This plan should specifically address each step to be taken, and by whom, in the event you have a data breach or a physical disaster (e.g., your building burns down). A data breach will require notification and damage control procedures for your employees and customers. A physical disaster plan will address steps and responsibility to work with your insurance company, acquire an alternate facility and equipment, and restore the data from back-ups.

I realize that the above procedures can be costly and sometimes cumbersome. Each business needs to weigh the costs of implementing such procedures against the benefits that will be derived from the protection provided. The State of South Carolina is going to spend at least $12,000,000 repairing the damage from the recent data breach. That doesn’t include what they’ll spend to prevent it from happening again. I’m sure many are wondering if the State would have been better served by spending that money years ago to strengthen system security. But hindsight is 20/20.

Wessel Accounting and Portfolio offer free security reviews for non-profits in 2016

Improving Data Security for Your Business: A 12-Step Program