Nonprofits should require multi-factor authentication as one of many steps to safeguard their reputation and online security. Community IT Innovators takes nonprofit cybersecurity very seriously and our 2020 Nonprofit Cybersecurity Guide addresses the multiple ways nonprofits can improve their cybersecurity protections.
Securing staff login credentials is one of the most effective steps a nonprofit can take to protect itself and its data. Beyond using a strong and unique password, adding a second layer of protection based on something you have makes it much more difficult for an account to be compromised. This article explains what Multi-Factor Authentication (MFA) is and why your nonprofit should require it.
What is Multi-Factor Authentication?
First, you may already be familiar with Multi-Factor Authentication (MFA) without knowing it by that term. Basically, it is an additional step when logging into an online account. To log in to most accounts, whether your bank or your online workspace, you need your username (often public or easily guessed, for example your initials and name, or your email address) and your password (which should be private, not re-used from another account, and not easily guessed). But what if your account is one of many that have been compromised, and somehow a bad actor has learned your username and password?
Multi-Factor Authentication requires an extra step after you have entered your password. A one-time code is sent to, or generated on, a separate device that you have in your possession but that the hackers holding the list of passwords and IDs do not. This can be a code texted to your phone, a code in a voicemail, a code from a third-party authenticator app, a push notification to your phone, or a physical hardware token. Nonprofits should require multi-factor authentication, and here are three reasons why.
Reason 1: Account compromise is the number one preventable high-level nonprofit cybersecurity risk
Account compromises continue to be a high-profile and high-impact threat. We see that about 10% of organizations that have not implemented Multi-Factor Authentication (MFA) will have a compromised account on their network during the year.
Having a compromised account is a tremendous liability to an organization because it can disrupt work, disclose sensitive information or be used to target partner organizations. Organizations that have implemented MFA have dramatically lower risk than those organizations that have not implemented MFA. Google’s Project Zero demonstrates just how effective MFA is in blocking these account hijacking attacks.
Reason 2: MFA is simple to use – and most nonprofit staff are already familiar with it on other accounts they use
Multi-Factor Authentication is now commonplace and has become a requirement to complement password security for many cloud-based services. MFA combines something you know (your password) with something you have (the second factor). The “something you have” is usually one of the following:
- Phone call to a personal device
- Text message sent to a mobile device
- Key fob or USB key with PIN code
- Mobile phone app (such as Google or Microsoft Authenticator)
- FIDO Hardware Token (such as YubiKey)
An additional benefit of implementing MFA is that staff don’t need to change their passwords as often (or ever). This is the rare security upgrade that does not ask staff to perform a complicated routine that is totally new to them.
Reason 3: MFA is simple to implement – and you probably already have the tools you need
Any new security routine will take explanation, training, and buy-in from your staff. If MFA is already in their toolbox, making it a requirement is not a huge leap for your staff. And if your nonprofit is using a platform that makes MFA easy to implement, it will not be a huge leap for your IT department either.
If your nonprofit organization uses Office 365, then MFA is included in your nonprofit license. If you use G Suite for Nonprofits, then you have access to Google’s free Authenticator app. Other applications such as Salesforce, Dropbox and Intacct also include the ability to add MFA to your nonprofit IT security.
Any change to your nonprofit’s cybersecurity environment depends on several factors for success.
- First, you will need the buy-in of your employees and colleagues. They are the front line in your defense against cybercrime, and you can’t defend yourself from account compromise without them. For more information on change management and nonprofit cybersecurity, you can download our free Guide to Getting Started with Cybersecurity at Your Organization.
- Second, you will need to implement MFA as a requirement. Talk to your IT provider or IT department about the feasibility of making MFA a requirement, develop an implementation plan, and roll it out.
- Third, be prepared for account compromise. This may sound counter-intuitive, but even though requiring MFA will strengthen your cybersecurity considerably, there is no fool-proof security solution. Creating a nonprofit incident response plan with your IT department or provider will give you a better game plan to get back on your feet quickly in the event that an account is compromised, and the process of creating a plan will help you better assess and mitigate the real threats your organization faces.
Have more questions on why nonprofits should require multi-factor authentication (MFA)?
Choosing a strong and unique password combined with MFA is the best way that you can protect your digital identity, both in the personal and professional sphere. Requiring MFA at your nonprofit is a quick and easy step you can take to secure your reputation and deflect hackers.
At Community IT, we know that there isn’t a one-size-fits-all solution for cybersecurity. We accurately assess, implement, and manage cybersecurity solutions for nonprofit organizations. We also work with your employees to educate them on best practices for avoiding attackers. Our experience working with nonprofits allows us to provide cybersecurity solutions that are aligned with the unique culture and needs of your organization. At the end of the day, our cybersecurity services allow you to have peace of mind that your organization is safe from dangerous threats.
If your nonprofit is ready to increase your cybersecurity awareness and change your policies, but you don’t know where to start, we can help. Contact us to start a conversation.