As more of us continue to work remotely and stay home longer than usual, our Internet use and exposure to screens have grown exponentially. Unfortunately, along with this rapid rise comes a higher exposure to cyberattacks and data breaches.
Nonprofit organizations are especially vulnerable to attack, as they often do not have online safety protocols in place and may lack the dedicated staff and budget to implement robust cyberdefenses. According to a study by NTEN, for example, more than 80% of nonprofits don’t have a strategy to deal with cyberattacks. Similarly, more than 70% of them have never conducted a vulnerability assessment to check their risk exposure. What’s more, the same study found that 56% of nonprofit organizations do not enforce multi-factor authentication (MFA) when logging into their accounts. MFA is a simple yet effective first step in protecting the integrity of user accounts. In addition to a username and password, MFA requires a one-time passcode generated at the time of login, often sent by email or text message to the account holder. This added layer of protection is free and takes only a minute to set up, making it a great first line of defense for online accounts.
In the rest of this post, we will look at the most common forms of cyber risk faced by nonprofits and will offer preliminary suggestions for strengthening your organization’s online safety. This post is the first in a new series we’re launching today called The Nonprofit’s Guide to Online Safety, so keep an eye on our blog over the coming weeks to read the full series!
What Is a Data Breach?
Even if your nonprofit works primarily with communities on the ground, you may be surprised to learn that the data you hold carries enormous appeal to hackers and cybercriminals. Most organizations, in fact, will have several databases to draw from, whether that’s a marketing list or contact lists for individual donors, philanthropic or corporate supporters, volunteers, vendors, and so forth. The appeal of this data set grows even more for organizations conducting operations online, whether that’s e-commerce, fundraising, or live events.
A data breach is any event in which an attacker gains unauthorized access to information that is internal to your organization. This can be personal contact information such as that described above, or so-called proprietary information, such as your internal metrics, program or product details, and revenue.
According to this article by Wild Apricot, there are several types of data breaches to look out for, the first three of which we covered above:
- Leak of donor information;
- Breach of employee information;
- E-commerce hack.
These two types may not be the first to come to mind but are nonetheless important:
- Hardware failure: for example, if hardware is physically stolen, or if it is outdated and does not have the latest updates to protect against potential attacks;
- Human error: as the article states, sometimes people are not fully aware of their cybersecurity responsibilities. “Having what they refer to as a ‘low cyber IQ’ leads to employees accidentally exposing customer data through negligence.”
Pro Tip: Check HaveIBeenPwned to see if your online accounts have been exposed in a data breach.
What To Look Out For
Cyberattacks fall into two broad classes: passive and active attacks. An "active attack" attempts to alter system resources or affect their operation (e.g., ransomware), whereas a "passive attack" attempts to learn or make use of information from the system without affecting system resources (e.g., wiretapping). Since passive attacks are less obvious than active ones, it’s recommended that you perform a regular security scan of your systems regardless of how well your computer appears to be performing.
Both passive and active cyberattacks can occur in several different ways, for example, in the form of malware, phishing, Denial-of-service (DoS)/Distributed-denial-of-service (DDoS) attacks, and drive-by attacks. In this section, we look at some of the most common types affecting nonprofit organizations.
Malware: the term refers to ‘malicious software’ and includes what are known as viruses, worms, spyware and ransomware. These work by exploiting a vulnerability to enter a system, for example, through a dangerous URL, pop-up ads, or questionable email attachments. Once inside the system, malware can hold your data or system hostage until a payment is made (ransomware), obtain and transmit private information from your hard drive to another location (spyware), or disrupt certain functions of your system. This short video explains the difference between viruses, trojans and worms:
Phishing: the term refers to the practice of sending communication that appears to come from a trusted source but is actually fraudulent. Through phishing, attackers steal sensitive data such as credit card numbers and passwords, often by sending emails or forms designed to look very similar to those that a colleague or friend would send. This video by the Government of Canada’s GetCyberSafe campaign shows you a hands-on example of phishing at work:
Denial of service: a denial of service (DoS) attack is when an attacker overloads a website, preventing others from being able to visit that site. In a distributed denial of service (DDoS) attack, attackers employ a botnet, a network of malware-infected computers, sometimes numbering in the millions, that cybercriminals control remotely to do their bidding. By instructing the computers in a botnet to load and reload a website repeatedly, attackers can effectively knock a website offline temporarily.
Protecting Your Nonprofit from Cyberattacks
Whether you have a budget and dedicated staff available or not, there are several best practices to follow to ensure that your online accounts are protected. Many of these can be achieved fairly seamlessly with a modest time investment and open communication among team members.
1. Create Redundancies and Back Up Your Data:
This is a good rule of thumb to apply in general: make sure you are always backing up your data, both as file backups and as system/disk image backups, and do so in more than one place (e.g., in the cloud and on a physical server). This way, if one copy gets compromised, you will not lose access entirely.
What is a file backup? A file and folder backup saves each file and document on your computer, which is different from a full restore of an operating system (more on that below). Ideally, you should configure a frequent, automated file backup of all mission-critical data from your workstations (e.g., mobile phones, tablets, laptops, PCs).
What is a system/disk image backup? A disk or system image backup saves your entire operating system, including files, executable programs and operating system configuration. With a disk image backup, you can restore a single file, a directory or the entire disk to the same or different hardware, or to a virtual machine. Servers and complex computer systems (e.g., systems running databases, SQL and Exchange servers) should definitely have regular disk image backups set up. Disk image backups are also a quick and painless way to restore an infected computer to its original state.
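As an added example that is not part of the original post, the following Python script makes a file backup to two independent locations, records a SHA-256 manifest at backup time, and verifies each copy against it later, so a damaged copy in one place is detected while the other stays usable for a restore. The directory names and sample files are constructed for illustration.

```python
from __future__ import annotations
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src: Path, destinations: list[Path]) -> dict[str, str]:
    """Copy every file under src to each destination and return a
    manifest {relative_path: sha256} recorded at backup time."""
    manifest: dict[str, str] = {}
    for f in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = f.relative_to(src)
        manifest[str(rel)] = sha256_of(f)
        for dest in destinations:
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, target)  # copy2 preserves timestamps as well
    return manifest


def verify(dest: Path, manifest: dict[str, str]) -> list[str]:
    """Return relative paths whose copy in dest is missing or altered;
    an empty list means that copy can be trusted for a restore."""
    return [rel for rel, digest in manifest.items()
            if not (dest / rel).is_file() or sha256_of(dest / rel) != digest]


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario (sample data, not real donor records): back up
    to a 'cloud' and a 'local' location, then damage one local copy."""
    root = Path(tempfile.mkdtemp())
    src, cloud, local = root / "donors", root / "cloud", root / "local"
    src.mkdir()
    (src / "donors.csv").write_text("name,email\nA. Donor,a@example.org\n")
    (src / "notes.txt").write_text("board meeting minutes\n")
    manifest = backup(src, [cloud, local])
    (local / "donors.csv").write_text("corrupted")  # simulated damage to one copy
    return verify(cloud, manifest), verify(local, manifest)


if __name__ == "__main__":
    print(demo())  # ([], ['donors.csv']): cloud copy intact, local copy flagged
```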
Pro Tip: Looking for professional instant recovery and backup solutions? Discounted O&O Software and Horizon DataSys products are available to eligible nonprofits. Check out our product catalogue to learn more.
2. Stay Updated:
Another good rule of thumb: make sure all your systems are running the latest version and that your software has been patched against known bugs and vulnerabilities. Attackers exploit systems that have not been updated, so always install the latest security updates on all your devices. Many devices and applications generate automatic reminders and/or can be scheduled to check periodically for available updates. Web browsers such as Chrome and Firefox also receive regular security updates, and if you use plug-ins such as Java, you will want to keep those updated as well.
3. Harden Your Systems:
In addition to keeping your technology updated, it is a good idea to install security software such as antivirus, Internet security suites, firewalls and Virtual Private Networks (VPNs). A firewall keeps your network secure by monitoring incoming and outgoing traffic and allowing or blocking it based on a set of security rules. VPNs give you privacy by creating a private network over a public connection (learn more about them in this article by Norton). Lastly, security software helps limit your system’s exposure to viruses and malware by signaling suspicious connections and flagging risks. As mentioned above, make sure you also enable multi-factor authentication to keep your accounts extra safe!
4. Watch Your Mobile Use:
This is especially true as more of us work from home during the pandemic and may be switching between mobile and desktop devices throughout the day. It’s no secret that our mobile devices hold lots of sensitive information these days, which makes them particularly susceptible to data breaches. Here are some key steps to follow to make sure you are well protected:
- Use a strong password or PIN: Security.org has a 'password checker' that lets you test whether or not your password is secure;
- Only install apps from trusted sources such as Apple AppStore and Google Play;
- Upgrade your operating system when updates are available;
- Consider data encryption for your mobile devices (here is more information from Apple and from the Android Open Source Project);
- Use Apple's Find My iPhone or the Android Device Manager tools to help locate a lost or stolen device;
- Be mindful of what links and attachments to open on your phone, especially if coming from unsolicited or unknown emails and texts.
This video by the Government of Canada’s GetCyberSafe campaign walks you through the basics of mobile safety:
And this one helps you learn more about the potential risks associated with public Wi-Fi connections and how to stay cyber-safe while using them:
5. Train Your Staff:
Once these security best practices are in place, it’s important to make sure that your team is on the same page. Take an hour or two to review and standardize common online safety practices, share strategies, and discuss potential changes to your operations. Ensuring that everyone follows the same basic security protocols can go a long way in reducing the risk of a cyberattack. And, of course, make sure no one is reusing passwords or using ones that are easy to guess!
6. Create a Cybersafety Policy:
Once your team is on the same page, you may want to formalize your shared knowledge by documenting your protocols and crafting an internal cybersafety policy. Most nonprofits do not have a plan in place in the event of a cyberattack, and taking a moment to come up with protocols that make sense for your nonprofit will help minimize chaos and lead to faster interventions should a potential threat arise. If you have the budget available, you could also consider hiring a dedicated IT expert or consultant to review and implement your cybersecurity policies.
Security Planner is a platform first launched in December 2017 by Canada’s Citizen Lab. Today, Security Planner runs in partnership with Consumer Reports, an independent, nonprofit member organization that works with consumers to create more fairness, safety, and transparency in the marketplace.
The platform provides recommendations on implementing basic online practices, like enabling two-factor authentication on important accounts, making sure software stays updated, and using encrypted chats to protect private communications. Check out their recommendations page for a hands-on checklist of steps you can take to enhance your online safety. For additional resources, you can also download NTEN’s Cybersecurity for Nonprofits: A Guide, published earlier this year.