
Low-cost Cybersecurity Readiness

This is a guest blog from Community IT


As nonprofit leaders, sometimes we get worried about IT security or are afraid we don’t know enough about IT to take charge of our own protection. At Community IT, we believe IT security can’t be the job of just the IT Director. Your organization is safest when everyone from the bottom to the top contributes to keeping your mission secure from cyber threats.


Some of the threats targeting nonprofits of all sizes include:

  • Persistent, ongoing brute-force attacks to compromise identities, carried out with automated tools. Massive online databases contain leaked username and password combinations, and hackers will try those combinations against your nonprofit to see whether anyone has reused one.

  • Spear phishing targets organizations with fraudulent emails that look genuine. Attackers are getting very good at reading your website, working out who your CEO, Executive Director, and Finance Director are, and aiming spear phishing at them. They then use psychology and a long con to convince you to send a payment to a new bank account number, or to fall for other scams.

  • Organizations are targeted because of the work they do: foreign policy, advocacy, the countries where they operate, and the people they serve. Sometimes these attacks are spyware or malware from state-sponsored actors; sometimes they come from well-funded adversaries who simply oppose your mission.

  • Some attacks target your vendors (supply-chain or third-party attacks). The IT vendor behind your donor database or online platform could itself be compromised, putting all of its clients at risk of infiltration and exploitation.

  • Ransomware has become a growing threat, especially with cryptocurrency payments that promise anonymity.
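The first bullet above describes automated credential stuffing: one source trying leaked username/password pairs against many accounts. The following Python script is an added example (not from Community IT or the original post) showing the simplest detection a small organization can run over its own sign-in logs. The log format, IP addresses, usernames and timestamps are all constructed for the example; real identity platforms export different fields, so the parser would need adjusting.

```python
"""Spot credential-stuffing patterns in sign-in logs (added example, constructed data).

The signature to look for: one source address failing against many *different*
usernames within a short window. A single user mistyping a password fails
repeatedly against *one* username, so the two are easy to tell apart.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp ip username result" format.
SAMPLE_LOG = """\
2024-05-01T09:00:01 203.0.113.5 alice FAIL
2024-05-01T09:00:02 203.0.113.5 bob FAIL
2024-05-01T09:00:03 203.0.113.5 carol FAIL
2024-05-01T09:00:04 203.0.113.5 dave FAIL
2024-05-01T09:00:05 203.0.113.5 erin FAIL
2024-05-01T09:00:06 203.0.113.5 frank SUCCESS
2024-05-01T09:05:00 198.51.100.7 alice FAIL
2024-05-01T09:05:30 198.51.100.7 alice FAIL
2024-05-01T09:06:00 198.51.100.7 alice SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse(log_text):
    """Turn log text into (timestamp, ip, username, result) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_stuffing(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Return {ip: sorted usernames} for every IP that failed against
    at least `min_distinct_users` different accounts inside `window`."""
    failures_by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        if result == "FAIL":
            failures_by_ip[ip].append((ts, user))

    flagged = {}
    for ip, fails in failures_by_ip.items():
        start = 0
        # Sliding window over this IP's failures, ordered by time.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def successes_from_flagged(events, flagged):
    """Accounts that signed in successfully from a flagged IP: these are the
    reused passwords the attacker found, so reset them first and confirm MFA."""
    return sorted({user for _, ip, user, result in events
                   if result == "SUCCESS" and ip in flagged})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    hits = find_stuffing(evs)
    print("suspected credential stuffing:", hits)
    print("accounts to reset first:", successes_from_flagged(evs, hits))
```

In the constructed data, 203.0.113.5 fails against five different accounts in a few seconds and then gets into `frank`, so it is flagged; 198.51.100.7 is one person retrying their own password and is not. With MFA enforced on every account (the post's first recommendation), the `frank` login would have been stopped even though the password was correct.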


On the positive side, we are seeing a lot of great new free and low-cost security tools available to combat these threat types. We are also encouraged to see nonprofit organizations starting to be proactive about improving their cybersecurity. As cybersecurity insurance premiums rise and the application process becomes more rigorous, many organizations are also using that application as a prompt to take a comprehensive look at cybersecurity best practices.


In cybersecurity readiness, it is helpful to use a framework of people, processes and technology to organize your approach. Technology tools can’t protect your organization without involving your people and your processes too.


People:

  • Require MFA, on all accounts, all the time, for everyone. MFA stands for multi-factor authentication. This is the number one thing you can do to protect your digital identity, and it is free: the platform you already work on supports MFA, and your staff are used to it from online banking and many other accounts. Requiring MFA is the most cost-effective way to dramatically increase your protection. Just be careful that there are no logins without MFA, especially administrative accounts.


  • Manage account access with a free password manager. There are many available, such as LastPass and 1Password. No one can remember strong, long, hard-to-guess passwords for all the logins we have in a modern office. A password manager keeps you from reusing passwords, so that even if one password ends up on the dark web, the hackers' reach is limited.
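"No logins without MFA, especially administrative accounts" is a check you can run rather than hope for. The script below is an added example (not Community IT's code) that audits an exported account list for MFA gaps, putting admin accounts first and pointing out accounts that have not signed in for a long time. The CSV layout (`username,role,mfa_enabled,last_login`) and all the accounts in it are constructed for the example; real exports from Microsoft 365, Google Workspace and similar platforms use their own column names.

```python
"""Audit an account export for MFA gaps (added example, constructed data)."""
import csv
import io
from datetime import date

# Constructed export; column names are an assumption for this example.
SAMPLE_EXPORT = """\
username,role,mfa_enabled,last_login
ed@example.org,admin,true,2024-05-01
finance@example.org,user,true,2024-04-30
intern@example.org,user,false,2024-04-29
oldadmin@example.org,admin,false,2023-11-02
svc-backup@example.org,service,false,2024-05-01
"""

# Fixed "today" so the example is reproducible; use date.today() in practice.
AUDIT_DATE = date(2024, 5, 2)


def load_accounts(csv_text):
    """Parse the export, normalising the MFA flag to a bool and the date to a date."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["mfa_enabled"] = r["mfa_enabled"].strip().lower() in ("true", "yes", "1")
        r["last_login"] = date.fromisoformat(r["last_login"].strip())
    return rows


def mfa_gaps(accounts, today, stale_days=90):
    """Return (username, severity, note) for every account without MFA,
    admins first. Long-idle accounts are called out because an unused
    account without MFA is pure risk with no benefit."""
    findings = []
    for a in accounts:
        if a["mfa_enabled"]:
            continue
        days_idle = (today - a["last_login"]).days
        severity = "critical" if a["role"] == "admin" else "high"
        note = "no MFA"
        if days_idle > stale_days:
            note += f", idle {days_idle} days (review whether the account is still needed)"
        findings.append((a["username"], severity, note))
    rank = {"critical": 0, "high": 1}
    findings.sort(key=lambda f: (rank[f[1]], f[0]))
    return findings


def mfa_coverage(accounts):
    """Fraction of accounts with MFA enabled. The target the post sets is 1.0."""
    if not accounts:
        return 1.0
    return sum(1 for a in accounts if a["mfa_enabled"]) / len(accounts)


def audit(csv_text=SAMPLE_EXPORT, today=AUDIT_DATE):
    accounts = load_accounts(csv_text)
    return mfa_coverage(accounts), mfa_gaps(accounts, today)


if __name__ == "__main__":
    coverage, gaps = audit()
    print(f"MFA coverage: {coverage:.0%}")
    for username, severity, note in gaps:
        print(f"[{severity}] {username}: {note}")
```

Run against the constructed export, coverage is 40% and the first finding is the admin account that has not logged in since November, which is exactly the kind of forgotten administrative login the post warns about.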


Process:

  • Security training. The number one way a hacker will gain access to your IT is when someone on your staff clicks on the wrong email link. Help your people cultivate a healthy skepticism with regular and robust security training. The National Cybersecurity Alliance (https://staysafeonline.org) has a lot of free security training, resources, posters, some e-mail templates, and checklists and guides. This resource is really geared towards individuals and small to midsize organizations and is very accessibly written, even for "non-IT" people. You can also find lots of free cybersecurity resources at the CISA government site (https://www.cisa.gov/cybersecurity). Frequent, shorter training works better than annual video training. Cultivating a culture of openness about security is also crucial: your people should know who to tell when they click on the wrong link (it happens!), and they should not be afraid to report it quickly.


  • Create written IT policies for your organization. Creating and updating governance documents is a job for leadership or a committee. There are free resources online from SANS (https://www.sans.org), including policies, standards, guidelines, and other templates, so your committee can start out with guidance. At a minimum, your policies should include an IT Acceptable Use Policy, a Privacy Policy, and an Incident Response Plan.


  • Keep on top of updates and news. Take advantage of free online cybersecurity courses and websites geared toward nonprofit IT news. The Community IT webinar series and newsletter (https://communityit.com) are great resources for learning about current trends in cybersecurity tools and best practices.


We hope this list is helpful as you think about ways to protect your organization and your mission from online scams and hackers. Taking the first step in cybersecurity doesn’t have to break your budget. And while the best time to protect yourself may have been yesterday, the second-best time is to start today!



To learn more, check out our free webinar, "10 Free IT Security Tools" happening on September 28th, 2022 from 9 am - 10 am PT. Read more and register here.
