Kaczmarek is a cyber security expert, director of both Graduate Studies in MS for Computing and the Center for Cyber Security Awareness and Cyber Defense at Marquette University. In advance of the upcoming workshop at NPC, we interviewed Kaczmarek on cyber security and privacy and why it's important for nonprofits.
REGISTER for the upcoming workshop on cyber security and get a $15 donation to your organization!
NPC: Why should data security be a priority for nonprofits?
Kaczmarek: It is interesting that you should ask that question because the point of the workshop we are planning will be an assessment of the priority for data security. We want the organizations to stop and think about what are their priorities for data security.
The daily threats to privacy, data, and reputation are aimed at individuals, small organizations and on up to the large corporations that we read and hear about being scammed. No one and no organization is immune to the threats. Thoughtful preparation is the key to avoiding threats and recovery should some bad actor succeed in attacking a nonprofit.
NPC: What are some common myths you hear about security? What do you think is important for nonprofits to better understand cyber security?
Kaczmarek: The myths of “no one is going to bother me” or “I’m safe” are prevalent. There is a common saying in the cyber security community, “If you think you are secure, you are not.” We all have vulnerabilities. We need to prioritize our resources to protect the most important information. Simple measures can be quite effective if you take the time to think about what information is important and how you treat it.
NPC: Can you share some cautionary tales you've encountered in nonprofit electronic security? Some examples of the importance of cyber security?
Kaczmarek: One of the most frequent threats involves “phishing emails.” Today these are most often emails where the author impersonates someone that the email’s recipient knows. This may be from an organization such as your bank or someone that you work with. Oftentimes these wind up asking the recipient for login information, credit card numbers or other personal private information. I know of one Milwaukee nonprofit where the finance director received a request for a wire transfer that involved the executive director of the organization. Fortunately for them, the effort was detected and they did not become a victim. Another scheme that is common these days is “ransomware,” where malicious code is used to prevent access to important data. There are examples of hospitals having to pay a large ransom to a fraudster to regain access to patient data.
NPC: How is security for businesses different than nonprofits–or is it?
Kaczmarek: Virtually all organizations have monetary concerns and a need to protect privacy. The bad actors don’t care whether an organization is for profit or not. They steal money or sell private information for a profit. Sometimes they do something malicious just because they don’t like you. The differences in cyber security efforts result more from the size of the organization, the kinds of information technology they operate, and the kind of information they collect.
However, there are foundations of cyber security defenses that span organizations independent of whether they are for profit or not; whether they are small or large; whether they have an IT staff or not; whether they have large computer systems on premises or none.
In the workshop we are planning, we will help organizations begin to develop a practical, risk-based assessment of what cyber defenses the organization should take based on what they can afford. The approach we will be using has been designed by experts to be used by any size organization that deals with collecting and keeping data. It works equally well for businesses or nonprofits. The key is to start—to take a little bit of time to decide your priorities and see where that leads you.