Numerous studies have shown that over 90% of corporate breaches start with a phishing email. But don’t let that statistic lead you to believe you can strengthen your controls over email and be safe. Recent reports indicate that fraudsters are now successfully using voice-generating artificial intelligence software to impersonate executives when perpetrating these crimes.
Unfortunately, far too many nonprofits do not have or know of a policy that identifies how their organization handles cybersecurity risk, equipment usage, and data privacy. Cybersecurity is a real concern that all types of organizations, including all types and sizes of not-for-profits, must address.
This article offers tips and best practices related to both the personal and the technical aspects of cybersecurity that even the smallest nonprofits can employ.
Promote organization-wide awareness
It is increasingly important for organizations and users to understand that the cybersecurity adversaries, also known as “bad actors,” are after people. Bruce Schneier, a seasoned cybersecurity professional, said, “Amateurs hack systems, professionals hack people.” Take spear phishing, for example, where bad actors send emails ostensibly from a trusted sender to get recipients to reveal confidential information.
Every member of an organization is responsible for security. Take the time to educate users on this fact and make security part of your culture:
Provide continual training.
Hold lunch and learns.
Post signs in the break room.
Cover a security topic during team meetings.
There are limitless examples of cyber breaches on the Internet that you can discuss. It takes little effort to talk about security and doing so will save headaches in the long run.
Understand the latest social engineering techniques
Bad actors are getting better and better at using social engineering to get us to provide information or click on links to download malware. Phishing is by far the most common method, followed by email, text, and phone. The days of offering money from a bank in Nigeria are over. Bad actors are getting more sophisticated. They prey on human emotions and personalize messages to make them seem real.
Ask yourself if a request makes sense. If it doesn’t, don’t act on it. Ask someone’s opinion (e.g., your IT service provider). Be especially careful on phones. It is difficult to decipher real-versus-fake on small screens. Links are also harder to verify on mobile devices, because they may not be fully visible without clicking on them.
Amp up your passwords and use multi-factor authentication
Have a unique, complex password for every system you use. If a bad actor cracks one username and password, they are likely to try other systems to see if they can get in with the same credentials and they can do this with amazing ease and speed. If you have trouble remembering multiple passwords, use a password manager to store them in a secure manner. NEVER store them in an Excel or Word file on your computer.
Use multi-factor authentication (MFA) as a second layer of defense whenever it is offered. MFA is when the application you are signing into texts you a code or asks you to log into an app on your phone to get the most recent code to authenticate. This functionality has saved people from breaches many times, yet only 21% of nonprofits have their employees using MFA.
Important note: if you receive a request to enter a code and you aren’t trying to log in, do not use it and change your password on that application immediately.
Make sure you install—and update—anti-virus software
At the bare minimum, have anti-virus software installed on every machine within the organization and keep it up to date. While this is not foolproof, updated anti-virus software can help prevent malware from infecting your machine or network if a user clicks on an infected link. Malware changes constantly, so be sure to install anti-virus software updates as soon as the provider releases new virus signatures.
Install a SPAM and virus email filter
If you have a local email server, look into a SPAM and virus filter to prevent infected emails from getting to your users. If you subscribe to a cloud-based email service, see if they offer this as an add-on. This service will actively scan incoming emails and filter out the ones that are suspicious.
Install a firewall
The term “firewall” sounds expensive, but it doesn’t have to be:
Download a web-based firewall for free.
Buy a relatively cheap firewall to safeguard your Internet connection.
Get “endpoint protection” through your anti-virus package for items like servers, workstations, and mobile devices that are used to connect enterprise networks.
The goal is to shield your computers from exposure to the Internet and discovery by the bad actors. Consider professional installation: for about an hour or two of consulting, an expert can install your firewall and make sure it is configured correctly to protect you.
Take advantage of the benefits of cloud providers
Most applications are now available in the cloud via providers that have the resources to keep your data secure. Take email for instance. Large, reputable providers offer cloud-based email service, among other offerings, for a monthly subscription fee per user. While that option may seem more expensive, it’s important to consider the benefits of having that provider supporting your email and maintaining uptime and security.
Use caution when choosing service providers
Many small organizations are outsourcing their IT to service providers. For a monthly fee, the service provider handles all or part of your IT work so you can focus on business operations. Be sure you choose a reputable provider if you go this route. Check references and SOC reports, when available, and choose a provider that is well established. You will also want to be sure their service level agreement regarding uptime, service visits, etc. will meet your organization’s needs.
You may want to look into cyberinsurance. Depending on the coverage, it could be relatively inexpensive and could come in handy should your organization ever be breached. This insurance can help with the costs of reputational damage and recovery, among other potential challenges of a breach.
Cybersecurity is not a new topic, yet many organizations are still finding themselves ill-prepared to handle cyber threats and attacks. A culture of awareness is critical for all organizations, regardless of size, type, or budget. Arming your people with the knowledge and tools they need to safeguard data and systems will go a long way in mitigating the threats the bad actors pose in today’s business environment. In addition, there are tactics and strategies you can employ to further protect your organization against breaches that don’t all cost a fortune. Consider the tips and best practices offered in this article and visit the Cybersecurity Resource Center for additional information.
 2019, LastPass, The 3rd Annual Global Password Security Report