The wonderful team at Lane Gorman Trubitt asked me to give a presentation on how nonprofits can best navigate cybersecurity. I never turn down an opportunity to speak with the community about cybersecurity, as the cyber threat landscape is ALWAYS changing. So, ongoing education and action are a MUST. The talk only confirmed to me that so many nonprofits lack the security information they need to secure their data and operations, and to make sure they can continue to serve their communities.
Here are the highlights from my presentation that will benefit any nonprofit.
The biggest cybersecurity threat that nonprofits face is ransomware. This is when a bad actor gets into your systems, takes over admin control, disables or deletes your data backups, encrypts your data (often after copying it out first), and then threatens to destroy it or leak it publicly unless…you pay them significant sums ($$$$$$$) of money. It’s on the rise, as you can see via the stats here, here, and here. Nonprofits are increasingly becoming targets, as you can read about here, here, and here.
Yes, it seems ironic that malicious actors would target nonprofits. After all, they’re on a limited budget, right? The thing to remember is that whatever your nonprofit’s budget, insecure IT systems and data are a path to your donors, many of whom have deep pockets: donor records hold names, contact details, giving history and often payment information. As a nonprofit, it’s your job to protect all your confidential data, especially your bank account details and your donors’ information.
Putting off investing in cybersecurity contributes to the rise of cybercrime. Think about it: people go fishing where the fish are. If there are no fish, or the fish aren’t easy to catch, they move on. Investing in cybersecurity makes the waters less friendly for cybercriminals prowling for an easy catch. As you can see on Bitdefender’s Real-Time Cyberthreat Map, the United States has a TON of prey, i.e., it appears often in the Attack Country list.
Also, cybercriminals tend to spend their “nontaxable” income on a whole host of other unsavory lifestyle choices and other crimes, including terrorism. Cybercrime is BIG business, and the bigger organizations operate just as efficiently as legitimate businesses. For example, the Ransomware as a Service (RaaS) business model works like a drug organization: the operators build and maintain the ransomware, and the affiliates who actually break into victims earn a percentage of each ransom payment.
Did I already mention that cybercrime pays BIG? According to Cybercrime Magazine, “Last year, Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021…and $10 trillion by 2025.”
Just to recap:
- Nonprofits need to invest in cybersecurity, just the same as a for-profit business. The best offense is a great defense!
- Ransomware actors are efficient, high-income earners, and have no moral compass.
- NOT investing in and taking cybersecurity seriously only incentivizes malicious hackers, leading to more cybercrimes.
- Paying a ransom supports illicit lifestyles for bad actors and more wide-reaching crimes including terrorism.
How can a nonprofit protect itself?
Follow these 10 low-cost cybersecurity strategies to protect your nonprofit:
- Evaluate what cybersecurity you currently have in place, including your security software stack, policies and procedures. If you’re unsure how to assess this, or don’t have a managed IT services partner with specific security experience, consider hiring a third party to run a cybersecurity assessment. Learn about the one we offer.
- Passwords are no longer enough. Implement Multi-Factor Authentication (MFA) for ALL points of entry (email, VPN, remote access and admin accounts). This means that even if a password is stolen, an attacker without the second factor tied to your personal device can’t get into your IT systems and data. Prefer an authenticator app or a hardware security key over SMS codes, and train staff never to approve a login prompt they didn’t start themselves, since attackers will spam push notifications hoping someone taps “Approve.”
- Even though passwords alone aren’t enough, they’re still needed, so it’s important to follow current best practices: use long, unique passwords (a passphrase of several words beats a short string of symbols), never reuse a password across services, and change a password when you have reason to believe it was exposed rather than on a fixed schedule, since forced periodic rotation tends to produce weaker, predictable variations. Consider a Single Sign-On (SSO) option and a password manager. These help your team follow best practices by reducing the number of passwords they need and “remembering” the rest for them.
- Cybersecurity requires both tools and policies. Practice good cyber hygiene, enforce strong password policies (minimum length, no reuse, screening against known-breached passwords) and MFA across all systems, and have an incident response plan in place for when a breach does occur.
- You and your team are the first line of defense against cybercrime. This is why it’s crucial to conduct regular phishing simulations and security awareness training for everyone in your organization. Consistent training on current and emerging threats and on best practices leads to good cyber hygiene and stronger security.
- Traditional anti-virus is no longer enough. Newer endpoint tools such as Endpoint Detection and Response (EDR) are more robust because, instead of relying only on signatures of known malware, they watch for suspicious behavior on the device (for example, a process that starts encrypting files in bulk or tampers with backups), alert the organization, and can isolate the machine and stop the activity.
- Keep software and operating systems up to date. This might seem like a no-brainer, but with everything else nonprofits juggle, it can be easy to put off. However, once a vendor publishes a patch, the vulnerability it fixes is public knowledge, and attackers actively scan for systems that haven’t applied it. Turn on automatic updates wherever you can.
- Create an incident response, backup, and disaster recovery plan. Because ransomware crews go after backups first, keep at least one copy of your backups offline or in immutable storage that a compromised admin account can’t delete, and test restoring from it on a schedule. In the case of an adverse event, including a security breach, this ensures you can get up and running more quickly and continue serving your communities.
- Now that remote work is commonplace, many employees use their personal phones and laptops for work (known as “bring your own device,” or BYOD). These devices introduce a number of risks to your organization, because you don’t control how they’re patched or what else is installed on them. It’s best to implement Mobile Device Management (MDM) for mobile and BYOD devices, so that basic protections such as a screen lock and encryption are enforced and work data can be wiped if a device is lost. In addition, think about whether allowing personal devices access to your VPN is worth the risk.
- These days, a breach is a matter of when, not if. This makes cyber insurance a no-brainer to protect your mission and the communities you serve. Verify that the standard policy limit is enough for your organization in the case of a breach, and read what the policy excludes. You will likely find that most cyber insurance carriers now require MFA, EDR endpoint security, and other controls to be in place before they will write coverage.
Looking for more information on how to protect your nonprofit from bad actors? Contact us here.