When Jim Thie showed up in Americus, Ga. one day last year to interview for the chief information officer job at Habitat for Humanity International, he quickly figured out he was a long way from the corporate world.
Not that Habitat, the 20th largest U.S. charity according to Forbes, was hopelessly confused about information security. After all, the ecumenical Christian organization has an annual operating budget of $178.4 million, plus a strong reputation. But that also means millions of dollars in online donations and loads of personally identifiable contributor information that must be protected.
Looking back now, with Thie's hiring in March 2005 sandwiched between two of the worst natural disasters in recent memory — the prior December's South Asia tsunami and Hurricane Katrina nine months later — the 47-year-old's arrival was just in time.
There was little doubt security needed to mature at the organization, which provides housing assistance for people in need. Hundreds of thousands of homes were destroyed by Katrina. Not surprisingly, internet donations through Habitat's website catapulted from $6.7 million in fiscal year 2005 to $29.3 million in fiscal year 2006, which began about one month before Katrina made landfall.
"When I came for my interview, it was as much me interviewing them as them interviewing me," says Thie, who was drawn to the organization's mission from his role as CIO at Ultimate Software, Weston, Fla. "Habitat had an OK view on security. I've certainly escalated that. I saw a good basic security posture in effect. What I didn't see was any security policy in place. It's huge because it sets the tone. It says that these things are permissible and this is not. Without that tone, it's difficult to get momentum in any one area."
So Thie, whose prior experience also includes positions at CA and KeyCorp, enacted crucial policies governing the gamut of information security issues. Plus, he moved the data center to a hardened site in Atlanta and hired John Salomone from Delta Air Lines to head up security on Habitat's 60-person IT team. And in May, the organization announced it had deployed a security suite (from WebSense) to protect against spyware, keyloggers and phishing attacks.
As far as nonprofits go, Habitat is an effective identifier of where the charitable space is heading. Experts say nonprofits, built on the backbone of trust, are becoming more aware of their need to protect critical data — particularly the personal information of donors — in light of recent natural disasters and well-publicized phishing attacks and breaches at various organizations, including the American Red Cross. They also are dealing with new compliance regulations, such as payment card industry standards.
"You're only as good as a supporter can trust you," says Robby Berman, founder and director of Lake Success, N.Y.-based HODS.org, a six-person nonprofit that encourages organ donations by Jews to the general population. "If a supporter can't trust you with the information they're sending you, I'm not going to keep them as a supporter."
But nonprofits often face daunting challenges, namely limited budgets and difficulty in recruiting talent as many security professionals opt for higher paying gigs in the for-profit sector. As a result, security often takes a backseat at many of these organizations, say experts. And those charged with safeguarding nonprofits can face another obstacle when trying to bulk up their security spending plans: Oftentimes, the path to increased resources is blocked by a nonprofit's board of directors. These executives, whose main focus obviously rests on fundraising, may lack the business understanding to grasp how risk impacts the bottom line.
Nonprofits growing in stature
In light of recent disasters, the spotlight seems to be shining on nonprofits more than ever before.
According to nonprofit researcher GuideStar, roughly 1.5 million nonprofits exist in the United States, comprising about eight percent of the nation's workforce. The Williamsburg, Va.-based firm added roughly 60,000 new nonprofits to its database last year. Collectively, all of the nation's nonprofits manage trillions of dollars in assets, and range from billion dollar private foundations, hospitals and universities to the neighborhood boutique charity, says Bob Ottenhoff, GuideStar's president and CEO.
"I think nonprofits play a critical role in our society," he says. "There's an expertise and commitment to public service that often the commercial sector can't provide or isn't interested in providing. The fact that Americans would contribute this much money on an annual basis demonstrates nonprofits are valuable to people and serving a need."
Six years separated from the bust of the dot-com bubble, Americans are donating in record numbers. The GivingUSA Foundation estimated in its annual study this year that contributions reached $260 billion in 2005, a six percent jump from the previous year. The increase was fueled by major disasters, which generated $7.37 billion, making up about three percent of the total.
And donor trust is on the rebound, too, following the September 11, 2001 terrorist attacks, when many Americans began questioning how charities dispersed their money. According to an August study conducted by the Robert F. Wagner Graduate School at New York University, 69 percent of Americans expressed a great deal or a fair amount of confidence in charities, compared to 60 percent in September 2002.
By their very nature, nonprofits are financially hamstrung and are in a constant struggle to justify their expenses in the battle to control spending. There are no bank loans, stock offerings or investment capital into which to tap. Information security often suffers.
"They're lucky to have an MIS [management information systems] guy," says Rufus Connell, IT research director at analyst firm Frost & Sullivan, San Antonio. "Most of these nonprofits don't have a dedicated CISO. They're lucky to have a CIO."
Berman of HODS.org believes that paying for sophisticated security solutions and services at nonprofits is a no-brainer given the current climate of attacks. He admits that when he began his organization in 2001, he was "a little ignorant," and security was not at the level it should have been. That has changed, he says, especially when he considers the need to encrypt the private information of the donors who keep his organization afloat.
"Computer security is certainly one of those things you don't want to get on the cheap end," he says. "If it needs to be secure, we'll pay the money. It's like oxygen. If we don't have that, then there's no reason to go forward."
At Habitat, the annual IT budget is $12 million — about 6.7 percent of the overall spending plan — which is in line with the average of most companies on the for-profit side. About $300,000, or 2.5 percent of the IT budget, is devoted to security. Thie says that even though he is comfortable with the amount of money earmarked for IT, he knows costs still must be reined in.
He and other nonprofit IT professionals look for affordable solutions that balance security and functionality. Outsourcing and managed services also are viable options for cash-strapped organizations. (Habitat, for example, farms out penetration tests and internet content filtering.)
"We use standard technology that's tried and true," Thie says. "I'm also a big proponent of outsourcing. I'm not out there trying to burn a path. We need to be good stewards of our donors' money. To take a flier on bleeding-edge technology, I don't think that's a good use of our donors' money."
And charities have the added requirement of justifying expenses. Federally tax-exempt nonprofits that earn more than $25,000 a year are required to file IRS Form 990, an annual reporting return that provides information on the organization's programs and finances, says Suzanne Coffman, director of communications at GuideStar.
"Nonprofits have the public accountability angle," she says. "As a nonprofit, you have to be prepared to be able to inform the public why spending this amount of money is important."
The same cost-conscious attitude must be applied to staff. Positions across the board at nonprofits typically carry lesser salaries than their for-profit counterparts. That is why people such as Thie use the mission, not compensation and benefits, as an incentive to attract prospective employees. He targets the proven IT leaders who have spent many years on the for-profit side and are now seeking a unique challenge in the latter stages of their career.
"I know I'm underpaid," he says. "I know my network director and security director are underpaid. But I'm not sacrificing skill level for budget. They have a strong affinity for the mission."
Smaller nonprofits, such as the 109-student Heritage Preparatory School in Atlanta, which began work this year on establishing a virtual private network (VPN), sometimes lack the funds to hire any IT staffers. So on Thursday evenings, a few "IT volunteer dads" come over to the pre-K-through-seventh-grade school to educate the 15 teachers — who were just recently outfitted with laptops — on such topics as virus and spyware protection, says the Rev. W. Davies Owens, the headmaster. "You've got to rely on the volunteers," he says. "You just don't have a lot of people who are tech savvy."
Even nonprofits as small as Heritage Prep must realize their obligation to protect personal information, or they could face an embarrassing disclosure under state breach notification laws, says Kris Lovejoy, CTO of Herndon, Va.-based Consul Risk Management.
Compliance is not just for the large, public companies, healthcare providers or the financial institutions. Nonprofits face regulatory obligations, as well, and more could be heading their way. In 2004, California became the first state to pass a Sarbanes-Oxley-like law for nonprofits, called the Nonprofit Integrity Act. It mandates that nonprofits with a gross annual income of more than $2 million are subject to the same financial reporting requirements as private companies. (New Hampshire has passed a similar law — with a $1 million floor — and New York is expected to soon follow.)
The nonprofits, however, may not be ready. A study conducted in September by the Urban Institute, a nonpartisan economic and social policy research organization based in Washington, D.C., revealed that four in 10 nonprofits would have trouble implementing SOX audit committee provisions.
Lovejoy suggests nonprofits examine the industry best practices. "You really want to pursue the recommendations that the public companies are following," she says.
Recently adopted payment card industry (PCI) standards, meanwhile, are forcing nonprofits for the first time to look at their security posture in terms of processing credit card information. Many charitable groups have "turned a blind eye to PCI compliance," says Tim Whitehorn, founder and CEO of ServiceU, a Memphis, Tenn.-based provider of nonprofit software used to manage online event, registration and ticket payments.
While the rules apply to nonprofits, many lack the resources or knowledge to comply, he says. Some nonprofits are still using outdated ecommerce shopping cart software. Meanwhile, PCI mandates controls such as encryption of cardholder data on the server and the processing of credit card information on a network segment firewalled off from the rest of the organization.
"Frankly, I don't know how most nonprofits could dare comply on their own," Whitehorn says. "They're not really protected from viruses or worms. Frequently I hear them say 'Our servers are down because we got hit by a virus.' If they can't even protect themselves against something as simple as viruses or worms, how could they ever deal with the complexities of PCI?"
Finding a PCI-compliant service provider is critical, Whitehorn says. They can take the burden off a nonprofit, but organizations must be careful to hire a certified vendor because if something fails, "Visa will still hold the merchant responsible," he says.
Just as many nonprofits need help from outsiders when it comes to compliance, so too must they sometimes enlist external support when it comes to the battle against increasingly sophisticated phishing attacks. The most well-publicized schemes have targeted the Red Cross, with opportunists tugging on the heartstrings of kind, unsuspecting Americans following Hurricane Katrina.
"They certainly have preyed on people's charitable givings," says Avivah Litan, a Gartner research director. "Even after 9/11, scam sites were set up. It happens after every natural disaster."
Many nonprofits are not equipped to combat such attacks, either because they lack the resources and expertise to obtain an SSL certificate, which encrypts traffic to a website and vouches for the site's identity (represented by the padlock icon the browser displays), or because they cannot afford to hire anti-phishing services to sniff out spoofed sites.
"They're just getting whacked," says Judy Shapiro, vice president of marketing at Jersey City, N.J.-based Comodo, which offers free SSL and content verification certificates for nonprofits. "They thought they were under the phishing radar."
Gordon Bass, interim CISO for the American Red Cross, which is based in Washington, D.C., says nonprofits must rely on partners to locate phishing sites. He recalls the tremendous support his organization received from entities such as the FBI, SANS Institute and Anti-Phishing Working Group following the increase of sites mimicking the Red Cross in the wake of the tsunami and Hurricane Katrina. (A Miami man was recently indicted on charges he was selling phishing kits at $150 a pop that included software used to develop phony Red Cross Hurricane Katrina relief sites.)
Still, while nonprofits seem to be getting hit more often, they remain relatively safe compared with for-profits because they, in many cases, lack the brand recognition that cybercrooks savor.
"If I was a hacker, I'd go where the money is," Frost & Sullivan's Connell says. "If you look at common attacks, you're targeting the biggest piece of the puzzle. If you're going to do a phishing attack, you're probably going to start with a Bank of America rather than a Red Cross."
So, while many nonprofits lack the necessary resources to battle today's complex threat landscape, they still have one important safety mechanism going for them: the fact that they are nonprofits.
Still, in this age of the internet, most charities are relying on secure technology more than ever before to make their business model work. At Southland Christian Church in Lexington, Ky., for example, parishioners can purchase tickets online to fundraising events, says Becky Martin, the e-ministry coordinator at the 8,000-member house of worship.
"If the church is called the safest place, then I think people need to realize we're not just concerned about their spiritual safety and emotional safety and relationship safety," she says. "We're concerned about their identity safety as well."
Habitat's Thie agrees that security is becoming a top-of-mind issue across organizations. "I'm here at a fortunate time," he says. "There's such a heightened awareness in general."
AMERICAN RED CROSS:
Learning from mistakes
With charitable organizations, the main focus among boards of directors is fundraising. Trying to convince them to invest in information security is sometimes a difficult sell.
"Corporations understand the impact of risk to the bottom line," says Steve Cooper, CIO at the Washington, D.C.-based American Red Cross. "The threats posed by a breach of their global network can represent a loss to their corporation in some dollar amount. But the nonprofit doesn't issue stock. The whole thought process that this could impact earnings per share is a moot argument. Nobody understands it. Nobody cares."
Cooper opts to use real-life examples for the people writing the checks. The former CIO at the Department of Homeland Security is not hesitant to admit that the 35,000-employee Red Cross was not fully prepared for what Hurricane Katrina delivered.
Since the devastating storm made landfall more than a year ago, the provider of half the nation's blood supply has suffered through several information security incidents, most notably the internal breach at a disaster relief call center in Bakersfield, Calif., where third-party hires allowed friends to cash in on hundreds of thousands of dollars in financial assistance. And in May, a donor recruiter in St. Louis, with access to about a million Social Security numbers, opened credit card accounts using the names of three donors.
Since the California case, the Red Cross has significantly strengthened access controls to applications, Cooper says. The 20-year-old offender in the St. Louis case is awaiting sentencing, and the Red Cross is in the process of abandoning Social Security numbers as donor identifiers, spokesman Ryland Dodge says.
"Katrina did a number of things that affected the entire nation," Cooper says. "What it did in the area of information security [was highlight] the vulnerabilities that we may not have seen for a longer period of time. Katrina placed all of our business processes and systems under greater stress than you would normally see."
Currently, Cooper and his team control a $250 million annual IT budget — about five percent of the total. About $2.5 million, or one percent, is spent on security. Cooper admits he would like to see that number increase, although it is a substantial gain from previous years.
The Red Cross continues to battle trust issues for a number of reasons, including response time and disbursement of funds. Still, officials at the organization say donor confidence is on the mend. Continuing to make strides in IT security should only help that.
"If you went back three years, you'd probably find we were spending a half million dollars on security, and that was mostly for [a salary] for the chief information security officer," Cooper says. "What we have done in addition to adding security professionals is we've also added money to do projects in an accelerated manner." — Dan Kaplan
A nonprofit budget
Discounts — A host of software vendors provide discounts or free products and services for nonprofits. Some specialize in dealing with the charity space. Visit www.techsoup.org or www.npower.org for more information.
Toolkits — The Better Business Bureau recently launched a national initiative aimed at helping small business owners better protect employee and customer data. While the kits are designed for small organizations, many nonprofits share similar deficiencies and can find the help useful. Visit www.bbb.org/securityandprivacy.
— Dan Kaplan