Charity charge: Case study
Charity charge: Case study

It's not just the networks of money-making institutions that are targets of cybercrime these days. 

Because of the troves of data stored on internal databases, even charitable organizations are likely targets for incursions by miscreants desiring to mine the personal information stashed on servers to sell like any other commodity on the underground market for cash. So, the files must be protected just as if they were crown jewels.

The nonprofit Goodwill Industries of Greater NY and Northern NJ, headquartered in Astoria, N.Y., is one of the largest and oldest Goodwills in the country. It serves the 38 most western New York counties – from New York City all the way to the capital region in Albany – and the 10 most northern counties of New Jersey. Last year, with revenues of more than $110 million and employing 1,641 community residents, Goodwill NYNJ served 95,000 persons and placed more than 8,400 individuals in jobs. 

The human service agency is comprised of 30 program sites, 40 retail stores, four Attended Donation Centers and three campuses with a cluster of offices. Its 70 programs offer services for people facing economic challenges and other barriers to employment, including persons with all types of disabilities, children and youth at risk, U.S. veterans and individuals lacking education, training, work experience or skills. 

Goodwill NYNJ faces the same security concerns as most other small and medium-sized enterprises: How to protect sensitive customer and financial information. Industry experts agree that traditional security solutions like anti-virus and network perimeter although necessary components, are not single-handedly effective at detecting and stopping advanced threats. Goodwill's 15-person IT staff  needed to find a cost-effective, but strategic approach to better security. 

Most organizations (even regardless of industry and size) are coupled with tight IT budgets and limited qualified personnel. As a result, security teams are struggling to properly handle the overwhelming influx of data and threat alerts. In Goodwill NYNJ's case, prior to the execution of a more advanced security strategy, Chief Information Officer Andre Bromes (left) and his team were seeing isolated instances of attempted intrusion attacks across the network. It was clear that the organization's current level of cybersecurity enforced wasn't enough. Goodwill NYNJ needed to ensure that its security team was able to detect attacks across the network and endpoints first, and then efficiently remove the threats from the system. 

By not executing an advanced security strategy, Goodwill NYNJ would have left financial information and other critical data at risk of being compromised. A targeted breach had yet to occur, however Bromes and his team were not willing to wait around and become the next target. If its retail stores were compromised, the repercussions would be two-fold: the loss of the organization's hard-fought and duly-earned community reputation as well as the dissemination of monies that would otherwise be spent on the community programs that Goodwill NYNJ supports. 

Collectively, Bromes and his team recognized the need for a defensive measure, one that could operate at machine speed. Because budget was an important factor to the overall decision, the team knew that the solution to their problem needed to not only be affordable, but also easily integrated within the specific constraints of a retail organization.

At first, the group evaluated the more traditional security systems used by larger retailers, such as hosted security solutions that route all traffic through a remote security operations center for analysis. These solutions were far outside of Goodwill NYNJ's price range: The up-front costs associated with installing hardware at every single store, community program sites and office complex in the region were too high. A lot of them also required Goodwill NYNJ to upgrade its internet connections in order to handle the high-speed needed to transmit all of the data. Additionally, these systems were not adequately designed for retail organizations, especially ones similar to Goodwill NYNJ's size.