An October 2015 BizTech article noting that nonprofits lag in cyber protection raises a critical issue:
Nonprofits have tended to lag behind other organizations in terms of security tool adoption because of limited funding and, often, a generally trusting, open-minded culture. Often they do not monitor and restrict what employees and volunteers do. Unfortunately, this exposes nonprofits to many more threats and can ultimately result in major data breaches that compromise sensitive information and lead to financial loss and embarrassment. Threats continue to intensify, so nonprofits should assess their existing security systems and identify instances where they might consider replacing those resources or adding new tools.
The article mentions nonprofits often think they don’t have the resources to address cyber security. Such thinking muddies the equation. An economist would respond that if an organization does not have sufficient resources to run competently at its current levels of output, it should not run at those levels. To oversimplify, if a nonprofit can serve 1000 people without addressing cyber risks or 900 people while taking reasonable precautions against such risk, it should serve 900 people. That’s the reasonable conclusion.
Moreover, nonprofits have responsibilities that extend beyond the needs of potential current service recipients. For instance, nonprofits are, quite literally, using other people’s money. Current and future donors reasonably presume that nonprofits have adequate controls and safeguards to protect data. They presume that they won’t give money to an organization that will later embarrass them by committing cyber-related negligence.
Furthermore, if (as the article reports) the cost of data breaches can be staggering, nonprofits who fail to take adequate steps to address cyber issues now place their long-term viability at risk. That means they put not only current service recipients at risk, but also a vast pool of future service recipients who may never receive services if the nonprofit fails to take reasonable steps now.
In other words, nonprofits who underfund critical infrastructure protections look at the issue too narrowly. The question is not whether paying for some risk awareness and mitigation takes money out of the hands of a needy person. The question is whether you should extend your hand to that one more person if you can’t do it consistent with reasonable business practices.