Originally posted by Nonprofit Hub, powered by Do More Good.
Sightline Security is a 501(c)3 nonprofit organization missioned to help other nonprofits embrace cyber and information security with confidence. https://sightlinesecurity.org/ In our first blog post with the Nonprofit Hub community, we are excited to share insights gathered through our work with our nonprofit members and break down the myths and misconceptions about cybersecurity in nonprofit and mission-based organizations. If you have any questions about this post or our work, please feel free to reach out - hello@sightlinesecurity.org.
In its most recent report, the National Center for Charitable Statistics stated that more than 1.56 million nonprofits were registered with the Internal Revenue Service in 2015, contributing an estimated $985.4 billion, or 5.4% of the Gross Domestic Product (GDP) of the US economy. Remarkably, given their significant contribution to the GDP, nonprofit organizations have not been included in the development of best practices for cybersecurity systems, which, to date, have been developed almost exclusively for commercial businesses. Typically, for-profit security vendors have not viewed nonprofits as a lucrative market or as having an immediate need, as reflected in the anecdotal response: "Who would cyber-attack a nonprofit? What do they have to steal?"
1.56+ million nonprofits registered in the US, contributing $985.4 billion to the U.S. economy (2015-2016)
36,000 US municipal and township governments, 3,000 county governments, and 38,000 special-purpose districts, with combined annual revenue of about $1.8 trillion (2015-2016)
6,146 US hospitals, including 5,198 community hospitals, of which 2,937 are nonprofit, with 36,353,946 admissions (2018)
130,930 US schools serving 50.8+ million public school students (2018)
So imagine for a moment that these organizations, like yours, were impacted by a cyberattack.
What would happen to them if they were forced to pay a high ransom?
What vital services would be disrupted due to an attack?
We think about this every day but also realize it's not that simple to unravel. So, let's start at the beginning.
Have you ever wondered what the difference is between cybersecurity and information security, anyway?
You may have seen both terms used a lot in the news and often interchangeably, with cybersecurity the front runner.
At Sightline, when we onboard a new nonprofit member, we begin by breaking down the difference between information security and cybersecurity. We have found that by simply stepping back and breaking down these standard but confusing terms, our members immediately start to see a path forward. Suddenly, they say, "We can improve the security of the information in our organization." Because they can see it.
Here's a quick glimpse of how the conversation goes.
Before we dive into fixing and figuring out what cyber or information security tools, systems, processes, training, etc., you need, let's start by understanding what we are protecting.
Cybersecurity, which we hear a lot about in the news, is defined as the “prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.” With Sightline members, we explain it as a wide-open space: there are no clear boundaries, laws, regulations, or systems, so it is difficult to define and understand, and hard to get your mind around.
So how can we talk about securing it? From the outset, many organizations begin to feel overwhelmed at this stage.
But consider for a moment.
Information security is defined as “the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.” Taking this a step further, think about what information you have in your organization. Is it captured on paper or in digital form? Information like addresses, names, phone numbers, photos, and more. Information from donors, staff, volunteers, supporters, members, the people your nonprofit serves, and more.
There is a common thread in these definitions, and it is core to how we, as security professionals, look at protecting information.
Integrity - guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity.
What does that mean? Making sure that no one and nothing alters the information, so that it remains accurate (unaltered).
Confidentiality - preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
What does that mean? Only the people who need to see or work with certain information have access.
Availability - ensuring timely and reliable access to and use of information.
What does that mean? Making sure that the steps taken to keep information secure don't get in the way of doing business.
What does this boil down to?
The best way we see for nonprofit and mission-based organizations to address cybersecurity is not to focus on it, but to focus your efforts and time on understanding what information is vital in your organization and taking steps to secure it in a cyber environment.
Could you list out the information that you interact with as a part of your job right now?
Try this for one day ->
Start a list.
Jot down all the pieces of information (or at least those you consider most vital) that you interact with during your day, including information you use to log into systems, information shared with you, and things you create, capture, store, manipulate, etc.
Put a star or marker next to the pieces of information that would harm your organization if they got into the hands of an attacker.
Now that you know the difference between cybersecurity and information security, are you ready to start this journey for your organization?
Excellent!
Join us for the first of three interactive webinar events where we break down the language and complexities of cybersecurity and give you practical, business-geared approaches you can apply today to improve the safety of the information inside your organization. We will also answer some of the most critical questions that nonprofits of all sizes and missions are asking, and give you useful next steps to help you balance cyber investments at your organization.
By investing in this time with us, you will walk away with:
Greater confidence in cybersecurity terminology as it pertains to your organization;
Insights on how to align cybersecurity best practices with your business operations and your mission;
Better understanding of how to balance cybersecurity best practices with what makes sense for your organization;
Knowing what the real cybersecurity threats are that you should be concerned about;
Inspiration from nonprofit organizations just like yours that are successfully weaving cybersecurity best practices into their organizations;
Steps you can take today to get started with improving cybersecurity in your organization - no consultants or expensive technology required.
Sightline Security is a 501(c)3 nonprofit organization, like you, missioned to help other nonprofits embrace cyber and information security with confidence. (https://sightlinesecurity.org/) The core of our mission is to engage with nonprofits to help them improve cybersecurity by:
Cybersecurity is a BIG, confusing space for anyone to navigate. Let us guide you at the pace and in the direction you and your organization need.