Prior to joining Kenna Security, I worked with a number of nonprofits around the world. Each focused on providing shelter, education, health services, and food to children in need. The mission was clear and critical.
Executing that mission wasn’t so easy. Nonprofits run on donated money. Though our goal was to save children, the strategy to drive the mission forward was to focus on donations, extending our reach, and improving services at the lowest possible cost. We hardly considered IT security as an issue because, well, we were focused on helping kids, not fighting hackers. We not only ignored the danger, we were oblivious to it.
I recently joined the Kenna Security team. Since joining, I quickly realized that those nonprofits (and the children who depended on them) were in very real danger. One successful data breach could have brought the organizations down and ended their missions, which in turn would have put the lives of millions of children and their families around the world at risk.
In a revealing study, the Global Cybersecurity Index (GCI) 2017 report published alarming statistics showing that severe vulnerabilities are prevalent in nonprofit technology infrastructure. While virtually every large nonprofit “has” security, a recent survey by CohnReznick found that more than 70% of nonprofits have not run even one vulnerability assessment to evaluate their risk exposure, and 69% have no cybersecurity response plan in place. These numbers are particularly frightening when you consider that nonprofits are likely to run free software that is rarely updated, so it carries well-known vulnerabilities for which weaponized exploits already exist; an attacker needs little effort to turn those into a breach.
There are “good” reasons for this rather dangerous situation. Limited budget, staff and expertise are a few. Single-minded focus on the mission is another. Whatever the reason, the result is that nonprofits have become an easier mark for attackers than their corporate brethren.
This is alarming given that most nonprofits run on donations, and donations are transacted with particularly sensitive and valuable information. Simply accepting money and issuing receipts means handling credit card numbers and tax IDs, both legally regulated categories of data. Moreover, anonymous donors to, for example, nonprofit political organizations consider their names and other typically “non-sensitive” details extremely sensitive, which adds even more value to the data. Attackers like high-value information.
Worse still, few consider that the personally identifiable information of the people being served is valuable to attackers as well. Sometimes the same records are used to disburse micro-grants or to top up SIM cards that give beneficiaries access to basic services, and whoever controls the records can divert those funds. Other times, attackers want to sell the locations of aid workers to people who mean them harm.
This makes data privacy existentially important to a nonprofit. Nonprofits depend on a population of hopeful and willing donors to trust them. These donors assume that not only will money they donate be utilized efficiently, but that their act of goodwill won’t be punished because of a data breach. Once that trust is lost, funds will certainly flow to more trusted organizations, ending the nonprofit’s mission which may, in fact, be the hacker’s aim.
So with the lack of resources and funds, what should nonprofits do? For-profit companies typically focus on detecting and responding quickly to attacks, often because compliance requires it. For all of the reasons outlined above, a nonprofit cannot afford to learn about a breach after the fact. Detection and response still need to be in place, but the first priority is to predict and prevent the attacks most likely to succeed.
How? These three steps are a good start:
- Assess your risk
A risk assessment can be conducted within the organization or by an outside specialist. The assessment tells you how exposed your IT is and which sensitive data is most likely to be targeted. Because new vulnerabilities appear constantly, the assessment should be repeated regularly so that the picture stays current with the latest threats. Better still if the results can be understood at a glance by non-technical staff, so well-intentioned people can act to reduce the risk.
- Build awareness & educate yourself and team
Make cybersecurity a top priority and security awareness part of the organization’s culture; for example, every employee should attend security awareness training. Six weaknesses account for most of the ways attackers get into a nonprofit’s data:
- No password policy – Turn on two-factor authentication for every team member, and enforce a password policy that sets a minimum length and screens new passwords against lists of known-breached passwords. Require a change when compromise is suspected rather than on a fixed calendar; forced periodic rotation tends to produce weaker, predictable passwords, which is why current NIST SP 800-63B guidance advises against it.
- Unpatched or unsupported software – Never skimp on keeping software current. To this day there are nonprofits running software so old that the vendor (Microsoft, for example) no longer supports it, which means no security fixes are issued for it at all. Keep every computer and the network operating system updated; the older the system, the more known, unpatched holes it carries.
- Unmaintained open-source software – Open source is not inherently insecure, but a free tool is only as safe as the process that keeps it patched. If nobody owns updating it, the money saved is paid back in exposure to publicly known vulnerabilities.
- Online payment processors – Use a reputable online payment processor and let it handle card data, so that full card numbers never touch your own systems.
- Not using cloud-based platforms – Cloud-based products are usually free or low cost for nonprofits. Moving to the cloud lets a nonprofit hand a large share of its security work to market leaders that have the budgets and expertise to keep up with evolving threats. Configuring accounts, sharing settings and access rights remains your responsibility, though; the provider secures the platform, not your use of it.
- Your employees (or former employees) – When someone leaves, follow a checklist: disable their accounts the same day, collect or wipe their devices, rotate any shared passwords or keys they knew, and confirm two-factor authentication is on for whoever inherits the access. Train current employees not to open unexpected emails or attachments; by most estimates 70-80% of attacks begin with email.
- Institute a cybersecurity breach response plan
Should an attack occur, having a plan ready ensures that the right people are notified and can act immediately and together, rather than improvising. Timing is critical: the longer an intruder goes unnoticed, the more time they have to cover their tracks or pull more data out of your systems.
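The password controls in the list above (a length minimum, a screen against breached passwords, no calendar-based rotation) are the part of the advice that translates directly into code. The following is an added example, not code from the original post or from Kenna Security: a small verifier-side check in Python. The breached-password data is constructed inline as a stand-in for a range-lookup service such as Have I Been Pwned’s Pwned Passwords API, whose k-anonymity scheme it mirrors: only the first five hex characters of the SHA-1 hash leave the client, and the suffix match is done locally.

```python
"""Password check in the spirit of NIST SP 800-63B: a length minimum and a
screen against known-breached passwords, with no calendar-based rotation.

Added example, not code from the original post. FAKE_RANGE_DB is constructed
sample data standing in for a k-anonymity range-lookup service (the real one
returns, for a 5-hex-char SHA-1 prefix, every known suffix with its count).
"""
import hashlib
from dataclasses import dataclass, field

MIN_LENGTH = 12  # policy assumption; 800-63B requires at least 8 and allows more


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1; only the prefix is sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed sample "service" data: two passwords we declare to be breached,
# plus a decoy suffix in each range so that matching really happens by suffix.
FAKE_RANGE_DB: dict[str, str] = {}
for _pw, _count in (("password123", 123456), ("correcthorsebatterystaple", 42)):
    _prefix, _suffix = split_hash(_pw)
    _decoy = _suffix[::-1]  # a different 35-char suffix under the same prefix
    FAKE_RANGE_DB[_prefix] = (
        FAKE_RANGE_DB.get(_prefix, "") + f"{_decoy}:1\r\n{_suffix}:{_count}\r\n"
    )


def lookup_range(prefix: str) -> str:
    """Stand-in for HTTPS GET .../range/<prefix>; returns the raw response body."""
    return FAKE_RANGE_DB.get(prefix, "")


def breach_count(password: str) -> int:
    """k-anonymity lookup: query by 5-char prefix, then match the full suffix locally."""
    prefix, suffix = split_hash(password)
    for line in lookup_range(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0


@dataclass
class Verdict:
    ok: bool
    reasons: list[str] = field(default_factory=list)


def check_password(candidate: str) -> Verdict:
    """Accept or reject a proposed new password against the policy."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    count = breach_count(candidate)
    if count:
        reasons.append(f"found in {count} known breaches")
    return Verdict(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    for pw in ("password123", "correcthorsebatterystaple",
               "Tr0ub4dor&3", "a 20 char passphrase!"):
        v = check_password(pw)
        print(f"{pw!r}: {'OK' if v.ok else 'REJECT: ' + '; '.join(v.reasons)}")
```

Note what is deliberately absent: there is no “days since last change” rule. Under 800-63B a change is forced when compromise is suspected (the breach screen is one such signal), not on a schedule. To use a real service, replace `lookup_range` with an HTTPS request for the prefix and keep everything else as is; the password itself never leaves the machine.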
These three preventive measures are a sound base on which to build written policies. Cyber threats keep growing and evolving, as WannaCry, Bad Rabbit and NotPetya showed. By being proactive, a nonprofit will be far better equipped when an attack does come. In return, it can continue the incredible work it does, and expand its services, in pursuit of its mission.