By: John Mason, Analyst at TheBestVPN.com
This post is the first in a two-part series about workplace cybersecurity for nonprofits.
Nonprofits are coming to realize the importance of cybersecurity. But not quickly enough. In 2016, the number of nonprofits with a cybersecurity breach response plan was 31%. By 2017, the number had risen to 52%.
This is still only just over half of nonprofits. That’s not enough. Nonprofits are at risk of suffering a cyber attack. 58% of all attacks are against smaller organizations according to Verizon’s 2018 Data Breach Investigations Report.
Criminals target smaller organizations because they’re seen as less tech-savvy. Don’t put your organization at risk. And the other reason why cybersecurity is particularly important for nonprofits is that you hold sensitive data on the most vulnerable people and those trying to help the most vulnerable people. To give you an example of how serious the consequences of an attack could be:
The UN’s World Food Program uses a cloud-based database called SCOPE. It recently failed an internal audit and was described as ‘an accident waiting to happen.’ Can you imagine if the database’s shortfalls were not caught by an internal audit but, say, by a hacker with financial or political motives?
The results of a cyber attack on a nonprofit could be harrowing. You need to be prepared and protect your organization to prevent this from happening.
First, understand the risks
Firstly, you must properly understand the risks that your organization is up against. This not intended to freak you out by the way. I just want to help you make sure a cyber attack doesn’t happen to you.
Data is what cybercriminals crave. And nonprofits hold sensitive data such as donor information, Social Insurance Numbers, private emails, health information, employee and volunteer records and so on.
To give you some perspective, a third of Canadians claimed charitable donations on their taxes last year. So there are clearly a lot of donors to glean data from.
If cybercriminals can get their hands on donor information or other types of data from nonprofits, it’s like winning the lottery. They can use it to commit identity theft, fraud, or even hold it hostage in ransomware attacks.
This is generally how a ransomware attack works:
In May 2017,hackers carried out such an attack against a small nonprofit in Indiana called Little Red Door. An unsuspecting member of staff accidentally downloaded malware (a virus) from an email. Hackers were then able to access the nonprofit’s server. They demanded the equivalent of $43,000 to return the data and keep it private.
To avoid having this kind of thing happen to you, start by assessing what kind of data your nonprofit holds. Is it physical? Do you have paper records held in filing cabinets at your offices? Or is it digital? Do you have records that can be accessed on computers and other devices such as phones or tablets?
Once you know the type of data and its location, you can assess its value and risk level. Can it be secured easily and quickly? Or will it require time and investment?
Then you can take the appropriate steps to secure your data. And that includes training your staff.
Then, train all employees and volunteers
Bear in mind that there will be a lot of people with access to your systems, from the volunteer intern who runs your social media to the staff that has been with you from the jump-off. That’s why everybody in every position needs to be in the know.
Technology clearly goes a long way to protecting your nonprofit. But with cybersecurity, there is always a human element that you need to account for. You can’t assume that all of your employees and volunteers are savvy to malicious links and so on.
Yves Lacombe, Technical Support Director at Vircom, says, “The weakest chain in cyber security is the human being. It’s the lowest hanging fruit. Most of the attacks we see in the field right now are targeting uninformed people.”
Humans have even become more of a problem than technology:
How do people mess up?
Things can happen accidentally. For example, somebody could send private data to the wrong email address by mistake. Or they might take their work home with them and use an unsecured Internet connection.
For instance, malicious employees may wittingly steal data, mess with systems, share passwords, etc., if they have been fired. A few years ago, a disgruntled employee of Canadian Pacific Railway deleted essential files and removed admin accounts from the company’s networks when he was forced to resign.
Another example is if an employee overshares on social media. Hackers can hijack their credentials based on the knowledge they glean from Facebook etc., and pretend to be "Jane Doe" from accounting to access your systems or data.
Those are just a few ways of how employee actions lead to cybersecurity issues. Seeing as human error is a problem in cybersecurity, you need to put protocols in place determining who has access to what data. Only give people access to data and systems that they really need. This reduces the chance of breaches both accidental and malicious.
Professional cybersecurity training for everyone would also be a good idea. There are online resources you can use. Cybrary offers a number of free courses.
Keep an eye on employees and train them to proactively ward against cyber threats. Stay tuned for part two of the series, where we’ll give you three key workplace cybersecurity tips that all nonprofits should never go without to ensure the safety and security of your data.
About the author:
John is a WordPress, cyber security, and privacy enthusiast, working as an analyst for TheBestVPN.com