Looking for peace of mind? I’d like to give you a free, 30-minute cybersecurity consult.
My name is Matt Eshleman, and as the Chief Technology Officer at Community IT, I have dedicated my career to helping nonprofits protect their networks against cyber attacks.
Let’s talk through your current cybersecurity approach. Pick a time that is convenient for you, and we can chart a path toward a stance that’ll keep your nonprofit protected.
The State of Nonprofit Cybersecurity
Heading into 2020, nonprofit cybersecurity was an increasingly ubiquitous concern; the rate of cybersecurity incidents had steadily increased over the past two decades, and organizations of all sizes and shapes increasingly found themselves at risk. Traditionally, nonprofits have faced unique risks, largely due to the reality that they tend to have more limited defense mechanisms in place than other organizations.
Today, in the shift to all-virtual-everything, cybersecurity is even more crucial, and nonprofits may be at even greater risk.
In a world where everything must be online, staying secure is both more important and more difficult. Experts estimate that cybercrime costs may double in the aftermath of the outbreak. “Cybercriminals,” notes Robert Herjavec, “thrive on chaos.”
With this backdrop in mind, it’s helpful for nonprofits to have a foundational understanding of what a proper approach to cybersecurity entails. To explain the cybersecurity risk for nonprofits, we’ve put together a guide to cybersecurity for nonprofits in 2020.
We’ll look at questions like:
- What are the statistics around nonprofit cybersecurity?
- What are the biggest risks in nonprofit cybersecurity?
- What are SolarWinds breach updates for nonprofits?
- Does COVID-19 (coronavirus) impact nonprofit cybersecurity?
- How should nonprofits prepare for a cyberattack?
- What should a nonprofit cybersecurity policy include?
- How can nonprofits harden their networks?
- How should nonprofits develop incident response plans?
- How should nonprofits implement managed backups?
- Does my nonprofit need cyberinsurance?
- How can I take the first steps toward better cybersecurity?
By the end, your nonprofit should have a grasp of what’s needed to enhance your cybersecurity readiness.
Ready? Let’s do this. Here’s the nonprofit cybersecurity guide for 2020.
What are the statistics around nonprofit cybersecurity?
The statistics around nonprofit cybersecurity tend to reveal two truths: one, that the frequency of cyber incidents is increasing, and two, that nonprofits often lack proper cybersecurity protocols.
Here are some of the numbers.
1. Hackers attack every 39 seconds, on average 2,244 times a day.
First, let’s set the stage at a general level: There are a ton of cyberattack attempts happening all the time. It’s important to note that these are simply active efforts by cybercriminals – not all of them are successful, and certainly not all attacks are directed against a nonprofit.
Still, though, the sheer volume of attacks paints a stark picture of baseline risk levels. Many people are actively trying to breach networks, steal data, and compromise organizations. This is happening around the clock. The risk is real.
2. By 2020, the estimated number of passwords used by humans and machines worldwide will grow to 300 billion.
Here’s another area of vulnerability that’s been steadily utilized by hackers through the years: insecure passwords.
While the statistic above doesn’t necessarily indicate that there will be 300 billion insecure passwords, other data does suggest that 86% of passwords are weak. In other words, more systems are secured by passwords than ever before – and often, that means that those systems aren’t very strongly secured at all.
3. 56% of nonprofits don’t require multi-factor authentication (MFA) to log into online accounts.
Multi-factor authentication is a means of increasing security when users log into accounts: in addition to the password (something you know), the user must prove possession of a second factor, typically a device (something you have) such as a phone running an authenticator app or a hardware security key. When you log into a platform and are then required to enter a code from your phone, you’re using MFA. Codes sent by text message are the weakest common form, because they can be intercepted through SIM-swap fraud, but they are still far better than a password alone.
MFA greatly increases the security of accounts, and most nonprofits don’t use it.
4. More than 70% of nonprofits have not run even one vulnerability assessment to evaluate their potential risk exposure.
This statistic might explain why many nonprofits don’t take aggressive cybersecurity measures. Most simply haven’t assessed their own levels of risk. The first step to planning for improved cybersecurity is often to discover where vulnerabilities lie.
5. Only 20% of nonprofits have a policy in place to address cyberattacks.
Finally, on a similar note: 80% of nonprofits don’t have a policy in place to address cyberattacks.
Policies go a long way toward improving response times and mitigating damage (and comprehensive cybersecurity policies can play important roles in reducing risk in the first place). If your nonprofit doesn’t have such a policy in place, take steps to address the issue.
What are the biggest risks in nonprofit cybersecurity?
The numbers bear out the risk of cyber damage. But what are the biggest types of risk?
To start, let’s classify the type of cybersecurity risks nonprofits face by the outcomes that cyberattacks are designed to achieve. There are three outcomes that are most common:
Data breach. A data breach occurs when proprietary or personally identifiable data is accessed without authorization. This can occur through external attackers, malicious insider activity, or simple negligence. Breaches happen often, and when they happen to big companies, they make headlines – think the Equifax breach, which exposed the personal data of roughly 147 million people (initially reported as 143 million).
Nonprofits rarely operate at the same scale, but the effects of a breach can still be devastating, both in terms of reputational damage and regulatory penalties.
Downtime. Some cyberattacks are simply purposed to bring down systems. Sometimes, this is done with intent to compromise the mission of an organization; there are many nonprofits that have active ideological opponents. Sometimes, attacks aren’t targeted; an employee may accidentally bring a malware-infected device onto the network, for example, which could end up shutting down critical systems.
Regardless of intent, though, downtime can impede essential work.
Ransom demand. Finally, some cyberattacks are designed to extort a ransom payment; the malware used for this is termed ransomware.
Ransomware encrypts an organization’s files and systems and holds them hostage until payment is delivered to the attackers. Once payment is made, the attackers will (supposedly) provide a decryption key that restores access. Some organizations simply make the payment and hope the attackers keep their end of the bargain; some (like the city of Baltimore, Maryland, last year) refuse to pay and rebuild their systems instead – an approach which often carries huge costs.
Cyberattack Delivery Methods
Another way to classify risk is by attack delivery method; while most cyberattacks are purposed toward one of the three outcomes listed above, there are a nearly endless variety of delivery methods.
Here are a few of the most common:
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. These attacks attempt to overwhelm a system’s resources so that it simply can’t respond to requests.
Phishing and spear phishing attacks. Phishing attacks use messages that appear to come from a trusted source to trick recipients into revealing credentials or sensitive information, or into taking a harmful action; spear phishing is the targeted version, aimed at specific individuals. The most common form is email phishing – for example, nonprofit HR employees may receive a spoofed email from the “CEO” requesting the W-2s for a list of employees. Such messages are usually sent from an outside mailbox with the executive’s name as the display name, which is why staff should check the actual sender address, not just the name.
Drive-by attack. Drive-by attacks use compromised or malicious websites to infect the machines of visitors. Attackers insert a script on the page that exploits a browser or plugin vulnerability to install malware, for example. This method is particularly challenging to address because it doesn’t require the visitor to click, download, or approve anything; loading the page is enough.
SQL injection attack. Database-driven websites are particularly vulnerable to SQL injection. These attacks supply crafted input that the application pastes into its own SQL queries, changing what the query does and giving the attacker unauthorized access to data on the server. Parameterized queries, which keep user data separate from the SQL text, prevent it.
Malware attack. “Malware” is a broad category of cyberattack, but in general, it refers to software that’s installed in your system without your consent and is then used to cause harm. It may self-propagate (meaning spread to other machines or applications), or it may simply execute its function in a single place.
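The “CEO asks HR for W-2s” scenario above usually arrives as display-name spoofing from an outside mailbox. As an added example, not code from the original article, the following Python checks one raw email for the tell-tale signs: an executive’s name on an external address, a Reply-To pointing elsewhere, an SPF/DKIM failure recorded by the receiving server, and urgency paired with a request for sensitive records. The trusted domain, the executive name and both sample messages are constructed for the example.

```python
"""Added example: header and body heuristics for display-name phishing.
Standard library only; the two messages below are constructed."""
import email
from email import policy
from email.utils import parseaddr
from typing import List

# Constructed for this example: the domain the organization really sends from,
# and the staff names attackers are most likely to impersonate.
TRUSTED_DOMAINS = {"example-nonprofit.org"}
EXECUTIVES = {"jane doe"}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw: str) -> List[str]:
    """Return the red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = domain_of(from_addr)

    # 1. Display-name spoofing: an executive's name on an address outside our domain.
    if from_name.strip().lower() in EXECUTIVES and from_dom not in TRUSTED_DOMAINS:
        flags.append(f"display name '{from_name}' on external address {from_addr}")

    # 2. Reply-To steers answers to a domain other than the claimed sender's.
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_dom}")

    # 3. The receiving mail server recorded an SPF or DKIM failure.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        flags.append("SPF/DKIM failure recorded in Authentication-Results")

    # 4. The body pairs urgency with a request for sensitive records.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(word in text for word in ("w-2", "w2", "urgent", "asap")):
        flags.append("body requests sensitive records with urgency")
    return flags


# Constructed sample: the W-2 fraud message as HR might receive it.
PHISH = """From: Jane Doe <jane.doe@gmail-mail.example>
Reply-To: payroll-help@lookalike.example
To: hr@example-nonprofit.org
Subject: Quick request
Authentication-Results: mx.example-nonprofit.org; spf=fail smtp.mailfrom=gmail-mail.example
Content-Type: text/plain; charset="utf-8"

Hi, I need the W-2s for all staff ASAP for a board review. Thanks, Jane
"""

# Constructed sample: a routine internal message from the real executive.
LEGIT = """From: Jane Doe <jane.doe@example-nonprofit.org>
To: hr@example-nonprofit.org
Subject: Board packet
Authentication-Results: mx.example-nonprofit.org; spf=pass; dkim=pass
Content-Type: text/plain; charset="utf-8"

Could you send me the agenda draft when you have a moment?
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(raw))
```

None of these checks is conclusive on its own (executives do sometimes write from personal mail), which is why the function returns every indicator found rather than a single verdict; a mail filter would score them, and a trained HR employee would confirm a W-2 request out of band before replying.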
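For the SQL injection item, here is an added example (not from the original article) of the same donor lookup written two ways: with the user's input spliced into the SQL text, which is injectable, and with a parameterized query, which is not. It uses Python's built-in sqlite3 module and a constructed in-memory donor table; the second payload shows that injection can read the database schema, not just return extra rows.

```python
"""Added example: a vulnerable lookup beside its hardened form, using
sqlite3 and a constructed in-memory table."""
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed sample data: three donors in an in-memory database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE donors (id INTEGER PRIMARY KEY, email TEXT, amount INTEGER)")
    con.executemany(
        "INSERT INTO donors (email, amount) VALUES (?, ?)",
        [("alice@example.org", 500), ("bob@example.org", 25), ("carol@example.org", 1000)],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, email: str) -> List[Tuple]:
    # BAD: untrusted input becomes part of the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT email, amount FROM donors WHERE email = '{email}'"
    return con.execute(sql).fetchall()


def lookup_hardened(con: sqlite3.Connection, email: str) -> List[Tuple]:
    # GOOD: the value is bound as a parameter; the database compares it as
    # data and never parses it as SQL, whatever characters it contains.
    return con.execute("SELECT email, amount FROM donors WHERE email = ?", (email,)).fetchall()


# Classic tautology: turns the WHERE clause into "email = '' OR '1'='1'".
TAUTOLOGY = "' OR '1'='1"
# UNION-based read of the schema table; the trailing "--" comments out the
# closing quote the application appends.
SCHEMA_DUMP = "' UNION SELECT name, sql FROM sqlite_master --"

if __name__ == "__main__":
    con = build_db()
    print("vulnerable, tautology:", lookup_vulnerable(con, TAUTOLOGY))
    print("vulnerable, schema dump:", lookup_vulnerable(con, SCHEMA_DUMP))
    print("hardened, tautology:", lookup_hardened(con, TAUTOLOGY))
    print("hardened, real email:", lookup_hardened(con, "bob@example.org"))
```

The hardened version needs no input filtering or quote escaping, which is the point: parameter binding is the fix, and escaping by hand is how applications end up with the vulnerable form again.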
What are SolarWinds breach updates for nonprofits?
The backdoor inserted into software updates for the SolarWinds Orion network management application is having a dramatic impact on the as many as 18,000 organizations that installed the trojanized update. Already we know of at least 5 government agencies and a private company, FireEye, who have confirmed that their networks were compromised.
According to Microsoft, a number of think tanks and NGOs were also impacted. Community IT Innovators is providing SolarWinds Breach Updates for Nonprofits to start the conversation on next steps your organization may need to take as more information becomes available.
Does COVID-19 (coronavirus) impact nonprofit cybersecurity?
The answer to this question is almost certainly “Yes,” but there isn’t a clear answer to its follow-up: “How?”
How will the development of COVID-19 impact nonprofit cybersecurity? Here are the likely scenarios (many of which are already being played out).
Phishing attacks will make use of the situation. This is already happening; emails – like the one below – are structured to capitalize on uncertainty, incentivizing recipients to take actions they might not under normal circumstances.
Cybercriminals will create tools to take advantage. Already, researchers have discovered an Android app that purports to track COVID-19 cases, but on download, is actually a ransomware attack, locking users’ phones and demanding a payment of $100 in bitcoin.
Fake tracking sites have also been reported. These are designed to spoof existing sites (like the Johns Hopkins tracking page) while delivering malware via drive-by methods to site visitors.
The increase in remote work will open new vulnerabilities. Finally, the mass shift to digital work channels will make cybersecurity more difficult. Users who would normally be in-office have been forced to go remote, and many of these people aren’t trained in cybersecurity best practices. They’re likely to be using personal devices to access work, introducing entirely new sets of vulnerabilities into their organizations. Many organizations are using video conference apps and platforms such as Zoom without training staff on security best practices to follow.
And the remote systems that nonprofits have set up were constructed hurriedly, with more mind paid to making work possible than to making things secure. If you are already using Microsoft Teams for nonprofits, you do have a secure platform for video calls, and we have published tips and advice on utilizing it.
The unfortunate reality is that the coronavirus situation is a boon for cybercriminals. Nonprofits should reconsider their approaches to cybersecurity in light of these changes.
How should nonprofits prepare for a cyberattack?
To this point, we’ve confirmed that nonprofits are at risk of cyberattacks, have reviewed some of what those risks are, and have observed how the developing situation with COVID-19 could increase cybersecurity risk.
In other words, we’ve painted a pretty negative picture.
There’s good news, though: nonprofits can reduce cybersecurity risk. And, while the methods of reducing risk can become complex in application, in principle they’re fairly straightforward. Here’s how to prepare your nonprofit for a cyberattack.
Document policies and procedures.
As research by NTEN and others shows, nonprofits often don’t have documentation in place – but they should. Robust cybersecurity policies can lessen the likelihood of an incident in the first place, and response documentation can give teams quick paths forward to minimize damage in the event of an attack.
Train users.
Nearly 60% of nonprofit organizations don’t provide any sort of regular cybersecurity training to users. Training users on best practices is an impactful way of reducing risk; uninformed user action leads to far too many successful attacks. Community IT Innovators has partnered with TechSoup to provide basic Cybersecurity 101 training, and we also provide ongoing user training to all clients. Training end users to create strong, unique passwords is critical. Learn how to create an excellent password here.
Make systems redundant.
Systems should be redundant, meaning that there should be multiple instances of mission-critical data and systems so that if one instance is compromised, recovery is possible. Basically, nonprofits should diligently back things up. This greatly reduces the damage that a cyberattack can cause.
Harden systems.
In addition to backing things up, nonprofits should also take steps to harden systems. Doing this effectively will likely involve a risk assessment. Generally, solutions involve implementing antivirus or other endpoint security software and keeping systems patched, and may include proactive monitoring as well. Nonprofits should also require multi-factor authentication on all accounts.
And, last, but not least:
The best way to counter cybersecurity risk for nonprofits is to work with an expert IT firm that can enact all of these principles in your environment. Give us a call to get started.
What are cybersecurity best practices for charter schools?
At Community IT, we continue to learn and share our cybersecurity best practices for charter schools with our community. The opportunities for positive technology experiences and mission delivery in the nonprofit education sector are always accompanied by very real security concerns. As remote learning has evolved so rapidly recently it is not surprising that institutions are having trouble keeping up. Having a trusted technology partner to help navigate vendors and help desk support is essential to a successful implementation of any new education technology platform.
What should a nonprofit cybersecurity policy include?
First, let’s define our term: A policy is a set of rules, principles, and guidelines formulated or adopted by an organization in order to reach its long-term goals. (This differs from a single guideline, standard, or procedure in giving more comprehensive direction.)
Nonprofits of all sizes need a set of written IT security policies – but in our work with clients, we’ve learned that many have outdated policies that no one references and staff who don’t know what the policies cover. Or, worse, organizations realize too late that they don’t have a policy at all.
You should have written, regularly updated security policies tailored to your organization. These should be viewed as living documents that reflect changes in technologies, priorities, and assets as they develop.
Nonprofit cybersecurity policies should include:
Buy-in. Your policies should have the full support and buy-in of the organization’s executive leadership. Policies that don’t, won’t be adhered to.
Acceptable use. Your cybersecurity policy should detail how and where organizational technologies can be used. For example, can users download personal apps to their machines? Can they access on-premises systems from remote locations? Clarifying how technology systems can be used reduces the risk created by user actions.
Data management practices. Your policy should cover data management. How should files be named? Where should they be stored? How should they be backed up? Answering these questions in your policy will increase your data security.
Identity and account practices. Finally, a comprehensive approach to cybersecurity policy should include identity and account practices. This may include who has access to which accounts, granular role definition, how administrator accounts are named, and information on password best practices.
It’s important to note that, in addition to having top-level buy-in, your policy must have organization-wide adherence. Your staff should be familiar with your policy, understand the reasons behind it, and should know how to consult administrators with questions.
You and your IT provider (or IT department) should conduct regular staff training to share information on new procedures and threats. Seek to create a collective culture of security responsibility.
At Community IT Innovators, we employ the CIA security framework with our clients – this stands for Confidentiality, Integrity, and Availability. The CIA triad helps you assess each category of data and assign risk levels according to how damaging it would be if that data were disclosed, altered, or made unavailable. Our webinar, Crafting a Nonprofit Security Policy, provides actionable guidance for creating or updating a policy for your organization, addressing different levels of access to data, confidentiality and security, and what policies need to be in place for staff mobile devices.
How can nonprofits harden their networks?
Hardening a nonprofit network is an important part of reducing cybersecurity risk. Here’s what it may entail.
Firewalls
At a basic level, firewalls block unauthorized traffic into (and out of) a network. The metaphor of a post office is often used to describe their function: these tools look at the address on each letter (the source and destination of each data packet) and discard it if the rules don’t allow it. More advanced firewalls can also “look inside the envelope” – that is, inspect the packet’s contents and flag potentially malicious traffic.
Patching
Patching means keeping operating systems and applications up to date so that known, already-fixed vulnerabilities can’t be exploited. Patches are most often delivered from a cloud platform. Our best practice is to patch workstations weekly and servers monthly. Most attacks are perpetrated by exploiting vulnerabilities in the operating system and third-party applications such as Java, Flash and Acrobat (Flash reached end of life at the end of 2020 and should be uninstalled rather than patched), so nonprofits should proactively minimize these risks.
Anti-Virus and Anti-Malware
Contemporary research shows that anti-virus (and anti-malware) is stopping only about 40-50% of malicious software. We do expect to see improvements in anti-virus effectiveness over time, and still view the software as a key component of an effective security strategy. It’s important to note, though, that in order to be effective, any anti-virus solution needs to be managed and maintained on a regular basis.
How should nonprofits develop incident response plans?
Incident response plans are designed to increase the efficacy of action in the event of a cyberattack. Having a well-designed plan can greatly reduce the time of response and play a big role in minimizing cyber damage. Conversely, organizations that don’t have plans in place will struggle to react effectively to cybersecurity incidents.
Here’s what nonprofit incident response plans should entail.
Key internal and external crisis teams. Plans should also document and clarify the roles and decision-making responsibilities of these parties.
Communications protocols and chains of command. These protocols might include scenarios for multiple breach or incident scenarios (i.e. communication might flow differently in the event of a data breach than it might in the event of a ransomware attack).
Reporting requirements. Any external or regulatory reporting requirements should be identified, along with their deadlines. This might include PCI DSS requirements for payment card data, HIPAA breach notification rules, state breach-notification laws, or other regulatory protocols.
External forensics strategy. Plans should account for any external assistance that may be needed in the event of an attack and develop those lines of communication proactively.
Finally, plans should be updated as contexts change (for instance, as internal players and external contacts change) and should also be tested to ensure that they work effectively. These measures can ensure cybersecurity readiness.
How should nonprofits implement managed backups?
Backups ensure that data and systems are protected in the event of a cybersecurity incident. Managed backups can be a helpful tactic in a nonprofit cybersecurity strategy. To understand how, let’s first define our term.
A backup is, essentially, a copy of data and systems that can be used if a live version is compromised. If a ransomware attack were to happen, for instance, a nonprofit with recent backups would be able to revert to those to get back up and running, instead of capitulating to the hackers’ demands.
The word “managed” denotes the fact that the process of backing up data is managed by a third-party provider. Enlisting the help of security experts ensures the effectiveness of the backup process and ensures that it happens consistently.
With the definition clarified, here are a few recommendations for your nonprofit’s approach to managed backups.
Consider implementing multi-site redundancy.
Instead of storing all backups onsite, we recommend replicating your data to data centers at various locations across the United States. This further protects your data by reducing the chances that a regional crisis will impact all instances of your backups.
Choose options that can scale.
You’ll need to determine how many instances of your data you’ll keep at a time. You may only keep backups for a few months to reduce the amount of storage needed – but the risk of this approach is that, if an attack goes undetected for a longer period of time, every backup you still hold may already contain the compromise. Keep at least one copy that ransomware running inside your network cannot reach, that is, offline or in immutable storage, since attackers routinely delete or encrypt backups before triggering the ransom demand.
Choose a scalable solution; as your business grows and your data backup needs become greater, your storage space should also grow to meet demands.
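A retention schedule is the usual way to reconcile limited storage with the "attack went undetected for months" problem. As an added example, not code from the original article, the following Python implements a grandfather-father-son schedule (keep every recent daily snapshot, one per week for a couple of months, one per month for a year) and compares it with a simple "last 30 days" policy against a constructed intrusion that began in March and was noticed in June. The snapshot dates and the breach date are constructed; the counts are parameters, not a recommendation for any particular organization.

```python
"""Added example: grandfather-father-son backup retention and a check for
whether a clean restore point survives a long-undetected intrusion."""
from datetime import date, timedelta
from typing import Iterable, List, Optional, Tuple


def gfs_retain(snapshots: Iterable[date], daily: int = 14, weekly: int = 8,
               monthly: int = 12) -> List[date]:
    """Select which snapshots to keep: the newest `daily` ones, the newest
    snapshot in each of the last `weekly` ISO weeks, and the newest
    snapshot in each of the last `monthly` calendar months."""
    snaps = sorted(set(snapshots), reverse=True)  # newest first
    keep = set(snaps[:daily])
    weeks_seen: List[Tuple[int, int]] = []
    months_seen: List[Tuple[int, int]] = []
    for d in snaps:
        iso = d.isocalendar()
        wk = (iso[0], iso[1])
        if wk not in weeks_seen and len(weeks_seen) < weekly:
            weeks_seen.append(wk)
            keep.add(d)
        mo = (d.year, d.month)
        if mo not in months_seen and len(months_seen) < monthly:
            months_seen.append(mo)
            keep.add(d)
    return sorted(keep)


def oldest_clean_point(kept: List[date], compromised_since: date) -> Optional[date]:
    """Newest retained snapshot taken before the intrusion began, or None if
    every retained copy post-dates it (the 'all backups compromised' case)."""
    clean = [d for d in kept if d < compromised_since]
    return max(clean) if clean else None


def daily_snapshots(last: date, count: int) -> List[date]:
    """Constructed input: one snapshot per day, ending on `last`."""
    return [last - timedelta(days=i) for i in range(count)]


if __name__ == "__main__":
    snaps = daily_snapshots(date(2020, 6, 30), 400)
    gfs = gfs_retain(snaps)
    thirty_days = gfs_retain(snaps, daily=30, weekly=0, monthly=0)
    breach_start = date(2020, 3, 1)  # constructed: noticed in June, began in March
    print(len(gfs), "GFS restore points, oldest:", gfs[0])
    print("clean point under GFS:", oldest_clean_point(gfs, breach_start))
    print("clean point under 30-day retention:", oldest_clean_point(thirty_days, breach_start))
```

The schedule keeps 29 restore points for 400 days of history, a fraction of the storage of keeping every day, yet the February 29 monthly point still predates the March intrusion; the 30-day policy has nothing older than June 1 and therefore no clean copy at all. Retention decides which copies exist; where they live (offline or immutable, per the note above) decides whether the attacker can destroy them.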
Automate backup processes.
Ideally, backups should be automated so that your users don’t have the responsibility of manually backing up systems. The process should also be automatically monitored to ensure that it happens consistently and completely every time. Third-party providers can work with you to set up automation.
Ensure backups can be easily accessed and implemented.
Finally, be sure that you can access and restore your backups quickly. It does no good to know that your data exists if it can’t be utilized. It’s worthwhile to practice a full restore on a regular schedule, and to time it, so that you know your recovery time is realistic and you’ll be prepared for quick action in the event of a cybersecurity incident.
Does my nonprofit need cyberinsurance?
Cyberinsurance is increasingly a point of consideration for nonprofits – but determining your need for it is complex.
Generally, cyberinsurance works like other forms of insurance. Organizations pay a premium and receive varying types and degrees of coverage against cybersecurity damages. That’s the basic principle – but things quickly get complicated.
Here are a few questions to ask to assess your need for cyberinsurance.
How vulnerable is your organization?
Generally, if you are processing payment information or storing personal data, your organization may be vulnerable to extensive cyber damages. In these cases, seeking coverage may make sense.
However, note that cyberinsurance, like other forms of insurance, varies in cost based on your level of risk. So, if you truly are higher risk, you’ll pay more for insurance.
What will be covered?
This is a crucial point. There are many examples of organizations with extensive cyberinsurance packages going uncovered for damages. After a 2013 data breach at a health provider called Cottage Health System, for example, its insurer sought to deny coverage, arguing that the organization had failed to maintain the minimum security practices its policy required – a reminder that a policy’s conditions can void its protection.
Coverage varies policy by policy and may also vary depending on your organization’s actions. Don’t pay for insurance without ensuring you comply with requirements and that your coverage applies to the areas where it’s most needed.
What cybersecurity measures have you taken?
Finally, consider your organization’s approach to cybersecurity. Obviously, a proactive and strategic approach to cybersecurity can reduce your risk, possibly reducing your need for cyberinsurance in the first place. As we’ve seen, though, it can also impact the cost you would pay for cyberinsurance. If you take a strategic approach to cybersecurity and identify an area where coverage would be helpful, you may be able to get an affordable premium.
Ready to take the first steps toward better cybersecurity?
Congratulations – if you’ve made it here, you’ve reviewed the foundations of cybersecurity for nonprofits. Hopefully, the information you’ve covered provides a solid foundation for approaching cybersecurity strategy at your nonprofit organization.
If you want to take the next step toward better security, let’s talk.
At Community IT Innovators, we’ve found that many nonprofit organizations deal with more cybersecurity risks than they should have to after settling for low-cost IT support options they believe will provide them with the right value.
As a result, cyber damages are all too common.
Our process is different. Our techs are nonprofit cybersecurity experts. We constantly research and evaluate new technology solutions to ensure that you get cutting-edge solutions that are tailored to keep your organization secure. And we ensure you get the highest value possible by bringing 25 years of expertise in exclusively serving nonprofits to bear in your environment.
If you’re ready for nonprofit IT support that drastically reduces cybersecurity risk, get in touch with us to schedule a free consultation.