You should never open a suspicious email. You and your staff know that by now. However, hackers know you know, and suspicious email is getting harder and harder to spot.
Along comes an even more worrisome combination – a Microsoft Office vulnerability called Follina that allows a Word document in email to run malware on your computer.
On Monday, May 30, 2022, the Microsoft Security Response Center provided guidance for IT administrators on this newly discovered Office vulnerability.
“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” said Microsoft in the post. “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
Given the severity of the issue and how easily the vulnerability can be exploited, Community IT has deployed the remediation that Microsoft has identified to block the Microsoft Support Diagnostic Tool for all our clients. We also highly recommend reminding all staff not to open or click suspicious email links, and to review your process for raising the alert if a staff member does realize they have clicked.
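For IT staff who want to apply the same Microsoft-published workaround on their own machines, here is an added PowerShell example (not from the original post and not Microsoft's own script) that backs up and removes the ms-msdt URL protocol handler, which is what stops a document from launching the Support Diagnostic Tool, and then verifies the key is gone. The backup path is an assumption; it must be run from an elevated PowerShell session.

```powershell
# Added example, not from the original post. Applies and verifies Microsoft's
# published Follina workaround: remove the ms-msdt URL protocol handler so
# Office documents can no longer launch the Support Diagnostic Tool.
# Run in an elevated (Administrator) PowerShell session.

$Key        = "HKEY_CLASSES_ROOT\ms-msdt"
$BackupPath = "C:\Backups\ms-msdt-backup.reg"   # assumption: adjust to your environment

# 0. If the handler is already absent, there is nothing to do.
if (-not (Test-Path "Registry::$Key")) {
    Write-Host "ms-msdt handler not present; workaround already applied or key missing."
    return
}

# 1. Back up the key so the workaround can be reversed after a patch ships.
New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
reg export $Key $BackupPath /y
if ($LASTEXITCODE -ne 0) {
    throw "Backup of $Key failed; refusing to delete the key without a backup."
}

# 2. Remove the protocol handler (Microsoft's documented remediation step).
reg delete $Key /f

# 3. Verify the change actually took effect.
if (Test-Path "Registry::$Key") {
    Write-Warning "ms-msdt handler still present; workaround NOT applied."
} else {
    Write-Host "ms-msdt handler removed. Backup saved to $BackupPath"
}

# To reverse once Microsoft's fix is installed:  reg import $BackupPath
```

Roll this out with your endpoint management tool rather than by hand so every staff laptop gets the same change, and keep the .reg backups so the handler can be restored after patching.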
Your MSP or IT provider should also have alerted you to the action they are taking while Microsoft works on a fix. In the meantime, it can’t hurt to reiterate to staff: if they have any suspicions, don’t open or click. And run back over the procedure for when someone realizes they did click: who do they tell? How do they tell them? What are the next steps at your organization and with your IT provider?
Making sure everyone is up to date on your incident response is just good practice.
How Does the Microsoft Follina Vulnerability Impact Nonprofits?
Follina is affecting everyone who uses Microsoft Office to read email.
Follina gives a new avenue to infiltrate systems using exploited, spoofed, or spam emails. Many nonprofits, just like public agencies and small businesses, are vulnerable to email fraud, as busy staff try to get work done and may click before looking.
- Nonprofits should review basic email safety measures and also ensure staff know what to do after an incident and are able to follow the protocol. This tone comes from the top – leadership should expect staff – themselves included – to take cybersecurity and email fraud as seriously as knowing where the fire exits are.
- Do a full reboot at least once a month every month. To do this, power down your laptop and devices completely, then power them back on. Many people like to do this nightly as it helps improve performance.
- Nonprofits should be vigilant in installing authentic security updates as soon as they are released in order to protect crucial systems from attacks.
- Have good written cybersecurity policies and regular training at your nonprofit organization. Having a written and updated IT Policy is essential to being prepared and knowing what to do.
- If you haven’t conducted organization-wide cybersecurity training on detecting suspicious emails, and what steps to take to report phishing, hold a training as soon as possible. We recommend knowbe4.com to help learn how to identify suspicious email in a dynamic way, but there are many security training apps available at low or no cost to nonprofits.
- Your employees, from front desk to Executive Director, need to know what to do with suspicious email. It is crucial that your employees feel confident in reporting suspicious email even after they have clicked on a link.
Typical phishing emails will look legitimate. When you get an email that says your account has been compromised, an email was not delivered, a package needs to be authorized, etc., check the sender’s email address carefully for small misspellings, and do not click any links or open any attachments. If the email seems to come from a legitimate contact, reach out to them separately – via their website or a new email – to address the problem.
All of these cybersecurity plans are pretty easy to put in place and don’t take a lot of budget. Although your organization should always be following these processes, they are especially important for keeping your nonprofit from being exploited through the Microsoft Follina vulnerability.
Ready to put strong cybersecurity in place and reduce your nonprofit cybersecurity risk?
Stay up to date on cybersecurity risks and plan IT support for your entire workforce in-office and remote with our resources.
At Community IT Innovators, we’ve found that many nonprofit organizations deal with more cybersecurity risks than they should have to. As a result, cyber damages are all too common. Whether through a third party vendor or a phishing or ransomware attack on your own organization, you need to be prepared for cybersecurity risks and understand your work and personal security options.
Our process is different. Our techs are nonprofit cybersecurity experts. We constantly research and evaluate new technology solutions to ensure that you get cutting-edge solutions that are tailored to keep your organization secure.
We published our completely revised 2021 Cybersecurity Readiness for Nonprofits: Community IT Innovators Playbook to help our community understand the issues.
We also provide a quick and confidential Cybersecurity Self-Assessment Quiz that will help you understand your security profile and identify areas that need work. It takes about 10 minutes to complete and will email you a full report.
We ensure you get the highest value possible by bringing 20 years of expertise in exclusively serving nonprofits to bear in your environment.
If you’re ready to gain peace of mind about your cybersecurity, let’s talk.