Practical Steps to Safeguard Your Nonprofit’s Financial Reporting System
Technology is rapidly transforming how nonprofits operate, helping them streamline processes, boost efficiency, and reach potential donors and constituents in new ways. These advancements can open new possibilities for greater impact and mission success.
However, the use of technology also requires nonprofits to safeguard sensitive financial data. A single data breach can significantly disrupt an organization’s capacity to carry out its mission and impair accurate financial reporting to the executive team, board, and donors.
Understanding the Threat
Here are a few examples of scenarios that can put an organization’s financial reporting system at risk:
- A former employee’s login is not deactivated, and he is able to access the system remotely and delete critical data.
- Keylogger malware on a controller’s computer records every keystroke and sends the information back to the hacker, including login credentials for the donor management database. Because the organization did not configure multi-factor authentication (MFA) on the account, the hacker is able to access thousands of donor records and list them for sale on the dark web. The organization operates in a region with strict privacy laws, which may result in significant penalties and fines.
- A 15-member accounting department uses one shared login to access the general ledger. A team member clicks a phishing link that installs malware on the user’s computer, allowing the hacker to access the account. The hacker corrupts a large amount of data, and the IT department spends over a week trying to discover which user caused the issue and resolve it.
- A hacker obtains a controller’s login for her organization’s financial application and uses password-cracking software to launch a brute-force attack. With no account lockout settings or MFA configured, the hacker has unlimited attempts to guess the password and gain access.
If these or similar scenarios occurred, the results could be crippling. Beyond reputational risk, a data breach can also impact your financial reporting function, which is essential for producing the information your management and board rely on for informed decision-making.
Fortunately, you can mitigate the risk. The following practical steps will help you add layers of controls to your financial reporting system.
Strengthen User Administration
User administration involves managing user accounts and access rights across systems and applications. It includes tasks such as:
- Creating and deleting user profiles
- Assigning roles and permissions
- Ensuring users have appropriate access to systems based on their job responsibilities
Without procedures in place to restrict access to financial systems, an organization may have extraneous accounts and elevated access rights. More accounts mean more opportunities for attacks. And if an account with unnecessarily high access levels is compromised, a hacker can use it to change, delete, or otherwise compromise data.
For effective and secure user administration:
- Develop a formal process for administering access and promptly removing it when it is no longer required. Only users with legitimate business needs should have access. This process should include:
  - Disabling access for individuals upon termination or resignation.
  - Adjusting access levels after a change in a user’s job function or role.
  - Reviewing non-employee accounts, such as accounts used for testing, external auditors*, or supporting systems or processes that are no longer required.
- Review access regularly. While user administration is an ongoing process, establishing a point-in-time, periodic review of access will help ensure nothing is overlooked. For this process:
  - Obtain a system-generated user report from each application.
  - Review each report to identify accounts and access rights that should be modified or removed.
  - Restrict access rights, including administrative functions, based on need and address any discrepancies identified during the review.
- Limit the use of shared accounts. Shared accounts that are actively used don’t inherently increase the risk of a breach. But if a shared account is compromised or results in another issue, it will be extremely difficult to determine which individual is responsible. All financial system users should have unique login credentials so you can establish proper audit trails.
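The periodic review described above can be partly automated. The script below is an added example, not CRI's own tooling: it assumes the financial application can export its user list as CSV with the columns shown, and that HR supplies a roster of active staff and the role each job requires. It flags the situations from the scenarios earlier in this article (a former employee still active, a shared login, an elevated role without MFA, access not adjusted after a role change, and accounts nobody has used in months). All sample data is constructed.

```python
"""Point-in-time access review of a financial application's user export.
Added example, not CRI's own tooling. Assumes the application exports users as
CSV with the columns below and HR supplies a roster of active staff and the
role each job requires. All sample data is constructed."""
import csv
import io
from datetime import date

USER_EXPORT = """\
username,full_name,role,mfa_enabled,last_login,shared
jdoe,Jane Doe,controller,yes,2024-05-02,no
bsmith,Bob Smith,ap_clerk,no,2024-01-15,no
acct_team,Shared Accounting,gl_admin,no,2024-05-03,yes
auditor_2022,External Auditor,read_only,no,2022-11-30,no
tcole,Tom Cole,gl_admin,yes,2024-05-01,no
"""

# Constructed HR roster: username -> role the person's current job requires.
# bsmith resigned last month; auditor_2022 was a temporary audit account.
HR_ROSTER = {
    "jdoe": "controller",
    "tcole": "ap_clerk",  # moved from GL admin to AP clerk; access never adjusted
}

ELEVATED_ROLES = {"gl_admin", "controller"}  # roles that must have MFA enabled
STALE_DAYS = 90                               # no login for this long -> flag
REVIEW_DATE = date(2024, 5, 10)               # constructed review date

def review_access(export_csv, roster, today):
    """Return (username, finding) pairs for accounts that need action."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["username"]
        idle = (today - date.fromisoformat(row["last_login"])).days
        if row["shared"] == "yes":
            findings.append((user, "shared account: replace with individual logins"))
        elif user not in roster:
            findings.append((user, "not on HR roster: disable (former staff or expired non-employee account)"))
        elif row["role"] != roster[user]:
            findings.append((user, f"role {row['role']} exceeds job role {roster[user]}"))
        if row["role"] in ELEVATED_ROLES and row["mfa_enabled"] != "yes":
            findings.append((user, "elevated role without MFA"))
        if idle > STALE_DAYS:
            findings.append((user, f"no login in {idle} days"))
    return findings

def run_review():
    return review_access(USER_EXPORT, HR_ROSTER, REVIEW_DATE)
```

Each finding maps to one of the actions in the list above (disable, adjust, or replace the account); the only account that passes cleanly is the controller with a matching role and MFA enabled.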
Reviewing, limiting, and removing unnecessary user access is a crucial first step in securing your financial reporting system. The second step is to add strong application controls for an additional layer of security.
Enhance System Access Controls
The following components can help you strengthen your system access controls:
- Authentication controls such as minimum password parameters, account lockout settings, and MFA can reduce the risk of a user’s password being guessed by a brute-force attack, such as via password-cracking software. While the recommendations for minimum password length and complexity requirements are continually evolving, it remains true that the longer and more complex a password is, the longer it will take a bad actor to crack it. This graphic from Hive Systems illustrates the time it would take a bad actor to uncover a password through a brute-force attack.
  MFA adds a critical layer of protection even if a user’s login credentials are compromised because MFA requires an additional element (such as a code from an authenticator application, a fingerprint scan, or another biometric) to fully authenticate the login. Weaker forms of MFA can be compromised through social engineering and other attacks, so it’s vital to properly configure your MFA settings and train end users on social engineering threats.
- Segregation of duties can reduce the risk of fraudulent or erroneous activity being posted in your financial system without detection. If your financial system is configured to enforce the segregation of duties and an account makes unauthorized or inaccurate changes, the configurations should prevent the activity from being posted without a secondary review. While there’s always the threat of collusion, effective segregation of duties can significantly mitigate the overall risk.
- Audit capabilities are critical for maintaining a record of who initiates and approves each transaction within the associated system. If an account is compromised but the system has adequate logging, you can generate reports showing all activity performed by that account and determine what data needs to be recreated or changed. Some financial reporting systems can record very granular activity, which can be crucial in determining the extent of the compromise when sensitive data or constituent details are involved.
- Backup processes are vital if an issue results in the alteration, deletion, or corruption of financial data. With adequate backup and recovery procedures in place, your organization should be able to successfully restore data. Although there is still a risk that sensitive details could be exposed in a breach, the impact on the presentation of financial data should be minimal.
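The audit-log and backup points above come together during incident response: once an account is known to be compromised, the log tells you which records it touched and what they held before, so the restore can be targeted. The script below is an added example, not CRI's own tooling; it assumes the financial system writes one JSON object per line with the fields shown, and every log line is constructed. It also handles a record the attacker changed more than once, restoring the value from before the first tampering rather than an intermediate one, and lists approvals the account made so they can be re-reviewed.

```python
"""Triage of a financial system's audit log after an account compromise.
Added example, not CRI's own tooling. Assumes the application writes one JSON
object per line with the fields used below; every log line is constructed."""
import json
from datetime import datetime

# Constructed audit trail. jdoe's credentials were confirmed stolen at 10:00.
AUDIT_LOG = """\
{"ts": "2024-05-03T08:55:00", "user": "jdoe", "action": "update", "table": "journal_entry", "id": "JE-1042", "old": "4200.00", "new": "4500.00"}
{"ts": "2024-05-03T09:30:00", "user": "bsmith", "action": "create", "table": "vendor", "id": "V-77", "old": null, "new": "Acme Supplies"}
{"ts": "2024-05-03T10:05:00", "user": "jdoe", "action": "update", "table": "vendor_bank", "id": "V-12", "old": "acct-1234", "new": "acct-9876"}
{"ts": "2024-05-03T10:07:00", "user": "jdoe", "action": "delete", "table": "journal_entry", "id": "JE-1050", "old": "12300.00", "new": null}
{"ts": "2024-05-03T10:10:00", "user": "jdoe", "action": "update", "table": "journal_entry", "id": "JE-1042", "old": "4500.00", "new": "9500.00"}
{"ts": "2024-05-03T10:12:00", "user": "jdoe", "action": "update", "table": "journal_entry", "id": "JE-1042", "old": "9500.00", "new": "11000.00"}
{"ts": "2024-05-03T10:15:00", "user": "jdoe", "action": "approve", "table": "journal_entry", "id": "JE-1055", "old": null, "new": "approved"}
"""
COMPROMISED_ACCOUNT = "jdoe"
COMPROMISED_SINCE = "2024-05-03T10:00:00"

def triage(log_text, account, since_iso):
    """Return (restore, re_review): the pre-tampering value of every record the
    account changed after the compromise, and the records it approved."""
    since = datetime.fromisoformat(since_iso)
    restore, re_review = {}, []
    for line in log_text.splitlines():
        e = json.loads(line)
        if e["user"] != account or datetime.fromisoformat(e["ts"]) < since:
            continue  # other users, or the account's own pre-compromise activity
        key = (e["table"], e["id"])
        if e["action"] in ("update", "delete"):
            # keep the value before the FIRST tampering, not an intermediate one
            restore.setdefault(key, e["old"])
        elif e["action"] == "approve":
            re_review.append(key)
    return restore, re_review

def run_triage():
    return triage(AUDIT_LOG, COMPROMISED_ACCOUNT, COMPROMISED_SINCE)
```

The `restore` mapping is the list of records to pull from backup (or re-key manually), and the legitimate 08:55 entry by the same user is left alone because it predates the compromise.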
While you can’t stop every threat, these strategies can help protect your financial system and significantly limit your cybersecurity risk. Carr, Riggs & Ingram (CRI) provides a range of cybersecurity services to help you establish and maintain a robust cyber risk management system. Contact CRI to learn more.
Authors:
Allison D. Ward, Partner, CRI Advisors, LLC† | Partner, CRI Capin Crouse Advisors, LLC† | Partner, Capin Crouse, LLC*
Jeremy Landon, Partner, CRI Advisors, LLC† | Partner, CRI Capin Crouse Advisors, LLC† | Partner, Capin Crouse, LLC*