Hacking is real and nonprofits are not immune.
Consider an increasingly common scenario: an attacker gains unauthorized access to an organization's email, searches it for embarrassing or sensitive material, tells the organization what has been taken, and threatens to leak it unless a ransom is paid. Most nonprofit budgets do not have a line item labeled "hush money," and paying offers no guarantee that the data will not be leaked anyway, so managing this type of crisis is difficult from a moral, ethical, and financial standpoint.
Nonprofit leaders need to understand the impact of a breach and to ask a concrete question: does the organization have a security policy and an incident response plan? Writing one may seem like a task for an intern, or a non-pressing issue that can be pushed to next fiscal year's to-do list.
Increasingly, however, an institution being hacked is not a question of “if” but of “when.” That means preparations should start now.
There are different types of incidents, and the type determines who needs to be involved from the start.
1. If your organization is part of a larger breach and is notified by an outside public agency, involve the organization’s legal officer or representative.
2. If your organization’s trade secrets are stolen, the executive board should meet immediately.
3. If your organization's private customer information is compromised, the compliance team, which most likely consists of the audit committee, CEO, CIO and HR manager, should all be on the first call, together with legal counsel, since this type of breach often carries notification deadlines set by law or by contract.
After determining the type of incident, an organization should be prepared to execute a seven-step plan to navigate it.
1. Determine the type of hack and assemble key players to manage the incident.
2. Discover the breadth and depth of the hack: which systems and accounts were touched, what data was accessed, and whether the attacker still has access. This step involves a response team, which should be established ahead of time. Think of these individuals as emergency response personnel or first responders. This team communicates directly and frequently with the key players during the immediate aftermath of a hack.
3. Execute an incident response procedure. This involves:
i. Communications – Each of an organization’s constituent groups should be addressed with unique messaging that is disseminated in a timely manner.
ii. Tech – Determine the level of damage, whether the threat is ongoing, and the steps needed to contain it and clean up systems. Before any system is wiped or rebuilt, preserve evidence (copies of logs and, where possible, disk images), because the investigation in step 4 depends on it.
iii. Normalization – Be prepared to restore systems and files from known-good backups, replace machines, adjust firewalls, and reset passwords and other credentials the attacker may have obtained.
4. Investigate, analyze and remediate. This is the deep-dive stage, which may require an expert third-party vendor to step in to make sure the attacker has no residual access (no leftover accounts, backdoors, or mail-forwarding rules on compromised mailboxes) and that the network environment is clean.
5. Prioritize work responsibilities. The organization should communicate to staff members that hack-related duties temporarily take precedence over on-going projects.
6. Plan internal communications. Provide transparent, accurate information to the board of directors so that the organizational message is consistent and they know how to answer questions directed to them by the media, public, or constituents.
7. Hold a post-mortem. Immediately following the clean-up of the incident, meet with staff, board members, and all of the vendors involved to discuss what worked, what did not, and how to improve the process for future incidents, then update the plan accordingly.
Be aware of the threats that could harm your organization and act early. A plan that has been written, assigned to named people, and rehearsed in advance is what turns an unexpected attack into a managed incident.