To help you prepare your nonprofit for a cyberattack, we have listed some preparedness tips and collected some resources below.
The world needs our nonprofits now. You cannot pursue your mission if you are out of operation from a cyber attack. We hope these tips are helpful to keep our community up and able.
How to Stay Informed on Cyber Threats to Nonprofits
Community IT is a member of Infragard, a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector for the protection of US critical infrastructure. Community IT also follows guidance from industry leaders such as Mandiant, who are also sharing updated insights on potential cyber threats.
What Your Nonprofit Can Do to be Prepared for Cyberattack
Now is the time to make sure your organization has taken some basic precautions to protect the security of its IT systems. The United States Cybersecurity and Infrastructure Security Agency (CISA) recommends these basic practices:
- Enable multifactor authentication;
- Set antivirus and anti-malware programs to conduct regular scans;
- Enable strong spam filters to prevent phishing emails from reaching end users;
- Update software as recommended by the vendor; and
- Filter network traffic.
In addition, at this point all nonprofit organizations should:
- Have an Incident Response Plan in place that describes the critical systems in use, and how the organization will respond if one or all of those systems are compromised or inaccessible. This video gives a detailed walk-through on creating an Incident Response Plan.
- Have implemented multifactor authentication on all accounts.
- Have backups of critical organizational data in a disconnected/off-site system that can be quickly restored in the event of data loss.
These recommendations are part of a cybersecurity framework that we have developed and refined over our long history of working with nonprofit organizations. If you are not already a Community IT client and aren’t sure about your nonprofit’s cyber attack preparedness, you can download a free PDF of our Nonprofit Cybersecurity Readiness Playbook to learn about your organization’s risks and how to think about protecting your mission from cyber attacks.
Bottom Line: Cyber Attack Preparedness Tips for Nonprofits
What can you do to protect your nonprofit right now?
Require MFA on all devices, for all staff. Any system that requires logging in should be set up with a strong, unique password, and should require Multi-Factor Authentication (MFA). Now is a good time to review your passwords and account access. Commercial password organizers like LastPass or 1Password can generate new secure passwords and manage them for you. Google and Apple have built-in password managers, too.
Pay attention to application update notifications from your software vendors and install the updates promptly, security updates in particular. If you are not sure how to do this, ask. Hackers trying to access your systems need … access. Organizations need to be vigilant about blocking public access to internal systems, and should patch systems as soon as patches are available.
Do a full reboot at least once a month. To do this, power down your laptop and devices completely, then power them back on. Many people like to do this nightly as it helps improve performance.
Prioritize cybersecurity governance documentation and training. Have good written cybersecurity policies and regular training at your nonprofit organization. This is essential to being prepared and knowing what to do. It is not an instant process, and the policies and training must be reviewed and renewed regularly. If you do not have them in place now, make a commitment to implement them to be better prepared for future threats. Even taking a few of the steps outlined here will help protect your organization immediately.
Be vigilant about phishing emails. If you haven’t conducted organization-wide cybersecurity training on detecting suspicious emails, and what steps to take to report phishing, make plans to hold that training as soon as possible. We recommend knowbe4.com but there are many security training apps available at low or no cost to nonprofits that can help you ensure your employees, from front desk to Executive Director, know what to do with suspicious email. It is crucial that your employees feel confident in reporting suspicious email even after they have clicked on a link.
Typical phishing emails will look legit. When you get an email that says your account has been compromised, an email was not delivered, a package needs to be authorized, etc. – check the email address carefully for small misspellings, and do not click any links or open any attachments. If the email seems to come from a legitimate contact like your bank or accountant, reach out to them separately – via website or a new email – to address the problem. Learn more in this video on preventing financial fraud at your nonprofit.
Require data backup on an off-site system. If you don’t know whether your IT provider can restore from backup or how often backups are created, ask. The time to find out is not after a ransomware attack has penetrated your systems and shut down your IT.
Community IT is proud to support the nonprofit community. Our IT support lets you focus on your mission.
We published our completely free Cybersecurity Readiness for Nonprofits: Community IT Innovators Playbook to help our community understand the issues and be prepared for cyber attacks. Nonprofits are a target in general and sometimes are specific targets because of the work you do.
We regularly present free webinars at Community IT about cybersecurity issues. And you can contact Matt Eshleman, our CTO and nonprofit cybersecurity expert, for an initial assessment. The cybersecurity resources from our free library are available here.