Nonprofit Cyberattack Case Study: 3+ Powerful Lessons Learned From A Data Breach

The following nonprofit cyberattack case study discusses a data breach that occurred in the United Way of Tarrant County (UWTC). Founded in 1922, the organization coordinates individuals, groups, donors, and service providers together to address and help solve tough social issues affecting Tarrant County – including housing and homelessness; health and wellness; education; and more.

While the UWTC works tirelessly to improve the lives of people in their local community through a variety of charitable efforts, they were vulnerable to ill-intended users in ways that they didn’t realize or expect. “Back then we’d say, ‘Why do I need an infosec effort? I’m not selling a product, I don’t have a storefront,’” says Jeff Allison, Chief Financial Officer of UWTC.

To explain what happened to the United Way of Tarrant County, we’ve put together a nonprofit cyberattack case study:

Nonprofit Cyberattack Case Study #1: The Breach

After a security incident in which fortunately no donor data was compromised, the United Way of Tarrant County realized that they were vulnerable to cyber-attacks and needed to strengthen their security posture.

“There’s zero give on that,” says Allison. “It would only take one breach to lose donor data, and that’s our entire business reputation.”

But UWTC was less familiar with information security than with IT operations generally, and in the beginning – facing multiple potential points of vulnerability – the work felt overwhelming.

Nonprofit Cyberattack Case Study #2: The Solution

Makaye carefully walked UWTC step-by-step through fortifying their security posture, starting with an initial assessment of vulnerabilities. The organization identified key areas in need of protection – including policies, Cloud, IT controls, donor information, key applications, backup planning, and more – and developed a comprehensive roadmap. With a course charted, Makaye and UWTC began breaking the roadmap down into achievable, bite-sized actions. UWTC realized that they needed in-depth protection and that the roadmap would take time – as much as a year or more – to fully implement. “You have to have a security presence that’s more than just a firewall, antimalware, basic monitoring, more than just changing your password,” says Allison. That meant Makaye needed to work closely with UWTC’s existing IT service provider to coordinate and collaborate when needed – supporting each other – while providing critical security oversight. By splitting the disciplines, each group could focus fully on their own specialty, while still coming together in, as Allison puts it, “a really powerful way.” There was a lot of ground to cover. Makaye helped UWTC to develop upwards of 100 new security-related policies. It also meant helping UWTC to understand their vulnerabilities and risk factors and what security measures were necessary to take at each step in the roadmap. Underlying all efforts was the key understanding that cybersecurity is a form of risk management and mitigation. “For me,” says Allison, “infosec is an extension of my internal control environment.” That meant developing and deploying security protocols and practices, customized to UWTC’s unique situation as a not-for-profit operating on thin margins and for whom donor trust is an existential concern. In the end, Makaye’s approach to cybersecurity was successful: “It made the infosec work really fall into place nicely,” says Allison.

Nonprofit Cyberattack Case Study #3: Results & Benefits

Improved Security

Having a solid cybersecurity score is a must these days. Not only does it provide current and potential donors proof that your organization is compliant with its cybersecurity obligations, but it can increase your donor audience. This is because network security is seen as a differentiator when donors trust you with their personal and financial data.

For UWTC, after Makaye stepped in, they substantially improved their score, as compared to their competitive set nationally. According to Jeff Allison: “In our case, we went from a very poor infosec rating to, now, a very good rating and we have a plan to keep improving.”

Cost-Effectiveness

At Makaye, we understand that nonprofits often face budget restrictions related to cybersecurity. This is why we offer our partners access to enterprise-grade security at nonprofit-friendly pricing.

Confidence

Nonprofits like UWTC are usually a prime target for cybercriminals due to their lack of network security resources and the amount of valuable personal and financial data that they store. Therefore, creating a security roadmap, adjusted to UWTC’s needs, helps first keep hackers at bay, and most importantly, reassures donors that their information is in good hands.

Additional Resources:

The Ultimate Guide To Cybersecurity for Nonprofits

This Guide will help you understand how cybersecurity can support your mission as a nonprofit.

Makaye Cybersecurity Checklist for Nonprofit

Avoid falling into situations similar to the nonprofit cyberattack case study above by putting into practice the questions in our checklist.

InfoSec versus IT

This article will help you understand what are the main differences between IT and InfoSec professionals.

Cybersecurity Maturity Level Assessment

A Cybersecurity Maturity Level Assessment is the best way to avoid situations like the nonprofit cyberattack case study above. It will help you understand your organization’s current security posture. The knowledge gained through this assessment will help guide the decisions that will need to be made to improve your security and align your risk with acceptable tolerance levels.

If you need help addressing your cybersecurity concerns, Makaye has extensive knowledge and expertise in securing and protecting nonprofits. Contact us today for a free consultation and find out how a Cybersecurity Maturity Assessment can help you secure your organization.