In today’s world, cyberattack readiness is a must.
Too many nonprofits operate under the assumption that their risk of experiencing a cyberattack is low; they believe they’re too small, or that their data isn’t valuable enough to entice cybercriminals. Unfortunately, this mindset is dangerous. Nonprofits are at risk – and, often, because they dedicate less focus toward security than other organizations, they’re at particularly high levels of risk.
Nonprofit cybersecurity matters.
The good news is that there are steps you can take to reduce that risk. Here are the three areas to address in your organization in order to prepare your nonprofit for a cyberattack: people, policies, and technology.
The misconception that they will not be targeted leads many nonprofit staff to value productivity over security. Helping staff to understand the risks they face is a good first step in enhancing security readiness.
Basic security education is critical. There is now a wealth of resources for organizations looking to enhance their security readiness. At Community IT, we’ve partnered with TechSoup to provide Security Training 101 and 201, and we’ve also offered a series of free webinars on security topics, including policy creation, readiness, and evaluation of the new threat landscape. These resources provide solid information to educate users toward better security postures.
Toward that end, arguably the most important personal security consideration is:
Good Password Practice
Far too many passwords are weak – or, worse, reused across multiple accounts. Users can greatly improve their individual security by following a few best practices.
Passwords should be long and contain a variety of letters, symbols and numbers. All user-chosen passwords must meet the following complexity requirements:
- Must contain at least one alphabetic, one numeric and one symbol character.
- Must be at least 8 characters in length.
Ideally, passphrases should be used to increase length. Length provides more security than complexity and is easier for a human to memorize. For example, although it is not fully random, the seven extra characters in Blue5Chandelier2@ make it 64 trillion times stronger than lf@j7asFd! – and it is also much easier to remember.
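As an added illustration (this is not code from the article or from Community IT), the following Python script implements the complexity rules listed above and reproduces the comparison between the two example passwords. It assumes, as the article's figure implies, that every character is drawn from the 94 printable ASCII characters, so seven extra characters multiply the brute-force search space by 94^7, roughly 64.8 trillion. It also shows why the rules alone are a weak filter: the short random string passes them, while length is what actually moves the numbers.

```python
import math
import string

# Policy stated in the article: at least 8 characters, with at least one
# alphabetic, one numeric and one symbol character.
MIN_LENGTH = 8

# Assumption (not stated in the article): every character is drawn from the
# 94 printable ASCII characters (letters, digits, punctuation; no space).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
ALPHABET_SIZE = len(PRINTABLE)  # 94


def check_complexity(password: str) -> list:
    """Return the list of policy rules the password violates (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol character")
    return problems


def search_space(password: str, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Candidates a brute-force attacker must try if every position were an
    independent draw from the alphabet. For a dictionary-based passphrase this
    is an upper bound, which is why the article says it 'lacks total randomness'."""
    return alphabet_size ** len(password)


def entropy_bits(password: str, alphabet_size: int = ALPHABET_SIZE) -> float:
    """The same quantity expressed in bits: length * log2(alphabet size)."""
    return len(password) * math.log2(alphabet_size)


def strength_ratio(longer: str, shorter: str) -> int:
    """How many times larger the search space of `longer` is than that of
    `shorter`. With a shared alphabet this is alphabet_size ** (length difference)."""
    return search_space(longer) // search_space(shorter)


if __name__ == "__main__":
    for pw in ("Blue5Chandelier2@", "lf@j7asFd!", "password", "Ab1!"):
        verdict = check_complexity(pw) or ["passes policy"]
        print(f"{pw:20} {len(pw):2} chars {entropy_bits(pw):6.1f} bits  {', '.join(verdict)}")
    ratio = strength_ratio("Blue5Chandelier2@", "lf@j7asFd!")
    print(f"ratio = {ratio:,} (about {ratio / 1e12:.1f} trillion)")
```

Run it as a script to see the per-password verdicts; the ratio line prints 94^7 = 64,847,759,419,264, the "64 trillion" in the text. Changing ALPHABET_SIZE (for example to 62 for letters and digits only) shows how much the comparison depends on the assumed character set.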
Remembering many complex passwords is a challenge, so we recommend the use of a password manager. Solutions such as Secret Server Online, LastPass, or Dashlane are very helpful, both in increasing security and in making access more convenient.
Abiding by these guidelines at a personal level will have a major impact on security at organizational levels, too.
Nonprofits of all sizes need a set of written IT security policies – but in our work with clients, we’ve learned that many have outdated policies that no one references and staff who don’t know what the policies cover. Or, worse, organizations realize too late that they don’t have a policy at all.
You should have written, regularly updated security policies tailored to your organization. These should be viewed as living documents that reflect changes in technologies, priorities, and assets as they develop.
Importantly, your policies should also have the full support and buy-in of the organization’s executive leadership. Your staff should be familiar with your policy, understand the reasons behind it, and should know how to consult administrators with questions.
You and your IT provider (or IT department) should conduct regular staff training to share information on new procedures and threats. Seek to create a collective culture of security responsibility.
At Community IT Innovators, we employ the CIA security framework with our clients – this stands for Confidentiality, Integrity, and Accessibility. The CIA framework helps you assess your data and assign risk levels. Our webinar, Crafting a Nonprofit Security Policy, provides actionable guidance for creating or updating a policy for your organization, addressing different levels of access to data, confidentiality and security, and what policies need to be in place for staff mobile devices.
The final component of strategy (and what most people think of when they consider cybersecurity) is technology implementation and management.
An effective security strategy requires a multi-layered approach. At Community IT Innovators, we combine people and process elements along with robust technology solutions to build an effective security framework.
Let’s take a brief look at some of the levels involved.
Patching
Community IT deploys patches from a cloud platform, where we constantly monitor and manage software, ensuring definitions are kept up-to-date and active. Our best practice is to patch workstations weekly and servers monthly. We know that most attacks are perpetrated by exploiting vulnerabilities in the operating system and third-party applications such as Java, Flash and Acrobat, so we work to proactively minimize these risks.
Anti-Virus and Anti-Malware
Contemporary research shows that anti-virus (and anti-malware) is stopping only about 40-50% of malicious software. We do expect to see improvements in anti-virus effectiveness over time, and still view the software as a key component of an effective security strategy. It’s important to note, though, that in order to be effective, any anti-virus solution needs to be managed and maintained on a regular basis.
Backups and Server Recovery
If disaster strikes, or if you are compromised by hackers or a disgruntled employee, you will need to restore from your most recent backup. A good backup strategy is a key component of an effective security plan.
Community IT Innovators sets up a backup regime with both recovery point objectives (RPO) and recovery time objectives (RTO). We back up email, databases, and cloud data as well as on-premises data. Your organization should never be conducting a restore for the first time after a disaster; we recommend regularly conducting test restores to make sure your processes work before you need them.
Predictive Intelligence
Predictive intelligence seeks to proactively defend your systems against new attacks and threats. It involves crunching big data to identify ongoing sources of attacks, and also reacting nimbly and immediately as new threats emerge.
Without predictive intelligence in your defenses, you are limited in your ability to keep hackers out and can only react once your systems are already compromised. At Community IT, we deploy a predictive intelligence layer powered by Cisco Umbrella, which provides zero-latency protection against web-based attacks: all DNS queries are resolved by the service, and malicious traffic is blocked and reported.
Taken together, these technology considerations – patching, anti-virus and anti-malware software, backups, and predictive intelligence – can lower the risk of a successful cyberattack on your organization.
Take the Next Step to Reduce the Risk of a Cyberattack
Each of the actions we’ve discussed can help you to reduce cyber risk. If you have questions about implementing these tactics – or concerns about your level of preparedness – we can help.
At Community IT, we’ve found that many nonprofit organizations deal with more cybersecurity risk than they should have to after settling for low-cost IT support options they believe will provide them with the right value. The problem is that these providers neither understand nor address important vulnerabilities.
As a result, cyber damages are all too common.
Our process is different. Our techs are nonprofit cybersecurity experts. We constantly research and evaluate new technology solutions to ensure that you get cutting-edge solutions that are tailored to keep your organization secure. And we ensure you get the highest value possible by bringing 25 years of expertise in exclusively serving nonprofits to bear in your environment.
If you see your own organization in these statistics, then it’s time to take action. To take the first step toward nonprofit IT support that drastically reduces cybersecurity risk, get in touch with us today.