2021 Nonprofit Cybersecurity Incident Report
Join CTO and Nonprofit Cybersecurity expert Matthew Eshleman as he walks through the third annual Community IT Nonprofit Cybersecurity Incident Report.
This report looks at the different types of attacks that occur at small and mid-sized nonprofit organizations. Is your nonprofit prepared?
Matt also shares advice on security improvements that provide protection against the most common attacks. Learn the role of leadership in placing a value on cybersecurity preparedness for your nonprofit and the long term planning that should accompany your immediate assessment of your security risk.
Learn about real cyberattacks on nonprofit organizations and how they responded to these attempted hacks. Matt gives you the tools you need to protect your organization and staff from cybercrimes.
Many of these tips you can put in place quickly and train your staff on immediately.
You may also be interested in downloading our completely revised 2021 Cybersecurity Readiness for Nonprofits Playbook, or seeing the webinar walk through of this Playbook.
As the Chief Technology Officer at Community IT and our resident cybersecurity expert, Matthew Eshleman is responsible for shaping Community IT’s strategy around the technology platforms used by organizations to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how technology works and interoperates both in the office and in the cloud.
Matt joined Community IT as an intern in the summer of 2000 and after finishing his dual degrees in Computer Science and Computer Information Systems at Eastern Mennonite University, he rejoined Community IT as a network administrator in January of 2001. Matt has steadily progressed up at Community IT and while working full time received his MBA from the Carey School of Business at Johns Hopkins University.
Matt is a frequent speaker at NTEN events and has presented at the Inside NGO conference, Non-Profit Risk Management Summit and Credit Builders Alliance Symposium. He is also the session designer and trainer for TechSoup’s Digital Security course. He presents updated tips to protect your login credentials throughout the year.
Matt is excited to present this 2021 nonprofit cybersecurity incident report.
2021 Nonprofit Cybersecurity Incident Report
Johan Hammerstrom: Welcome to the February 2021 Community IT Innovators webinar. Thank you for joining us for today’s webinar in which we are going to be reviewing the results of our annual Nonprofit Cybersecurity Incident Report. Today, our Chief Technology Officer, Matthew Eshleman, will be reviewing the results of our annual survey on cybersecurity incidents in the nonprofit sector. We will be discussing which security incidents were the most common in 2020, and the types of attacks that all nonprofit organizations should be defending themselves against.
Good afternoon, my name is Johan Hammerstrom and I’m the CEO of Community IT and the moderator for this webinar series. The slides and recording for today’s webinar will be available on our website and YouTube channel later this week. If you’re watching on YouTube, please subscribe to our channel to receive automatic updates when we post new webinar recordings. You can use the chat feature today during the live session to ask questions throughout the webinar, and we’ll do our best to respond.
Now, before we begin, I’d like to tell you a little bit more about our company. Community IT is a 100% employee-owned company. Our team of 36 staff is dedicated to helping nonprofit organizations advance their missions through the effective use of technology. We’re technology experts, and we’ve been consistently named a top managed services provider by Channel Futures and we received this honor again in 2020. And now I’d like to ask today’s presenter, our Chief Technology Officer Matthew Eshleman to introduce himself.
Matthew Eshleman: Thank you, Johan. It’s great to be with you all again here today. So in addition to hearing my voice, I also see my face, not just the one on the slide. As Johan mentioned, I’m the Chief Technology Officer here at Community IT and I’ve just celebrated my 19th anniversary full-time and it’s been great to be on this journey with this employee-owned company as we’ve supported literally thousands of nonprofit organizations throughout that time. Today we’ll be talking about the results from our Nonprofit Cybersecurity Incident Report. This is a report that we’ve done now for three years. The original report was looking at data from 2018, then 2019, and now we’ll be looking at data that was submitted to our service desk in 2020.
As Johan said, he’ll be monitoring the chat, so if there’s questions please submit them and we’ll do our best to get to them. Thanks to those who submitted chat questions in advance. I believe we’ll have responses to most of those questions that were raised during the presentation today. So thanks again for joining us and I look forward to digging into this report because it’s been interesting to see how the data has evolved and changed over the past three years.
What we’ll be talking about today:
- An overview of the cybersecurity landscape. Again, I always think it’s good whenever we’re talking about these reports and analyzing incidents to understand the world in which we are living. No topic about cybersecurity is going to be complete without acknowledging the tremendous changes that our work has undergone over the past year. We’re coming on the one-year anniversary of when many of us transitioned to full-time work from home.
- How we approach cybersecurity, the framework that we use, and the lessons that we’ve learned from these reports throughout the past couple of years.
- Then we’ll really dig into the data in terms of understanding the types of incidents that we are categorizing, and then look at the report data itself.
- Finally, we hope to wrap up and leave you with some recommendations for steps that you can take to support your own organization and improve your organization’s security.
So just before we jump into that, I’d love to get a sense of the folks that are here today and how many staff are in your organization. So go ahead, if you’re able, and chat or respond to that in terms of the org size: 1 to 20, 21 to 50, 51 to 100, or more than 100.
So if we can go ahead and get that poll filled out, that would be great. We find that organizations of different sizes will have different technology needs and maybe different resources available to them. It’d be good to just get a sense for the size of the organizations represented here today. So thanks for the response, and it looks like the predominance of folks here are representing some smaller organizations (48% 1-20). So I think you will find a lot to take away from the session here today.
So as we talk about the cybersecurity landscape, I think the things that we know about the sector and about the space is that we really see persistent and ongoing brute force attacks against your online digital identity.
If you can log into something from anywhere, the bad guys can too and so we just see those persistent attacks all the time in all the logs, in Office 365, in Workspace, there’s just persistent brute force attacks going on against those identities at all times. We’re also seeing a lot of sophisticated spear phishing and that’s a trend that will really get highlighted in the report data and we’ll talk about the definitions for that. That has been something that’s been on a dramatic upward trend over the last couple of years.
We’re also seeing organizations targeted because of the work that they do. I think that’s particularly highlighted around the think tank and the policy space. Organizations that are doing work on various issues and influence for government. They tend to be targeted very much by what we call advanced persistent threat actors, and we’ll talk about that a little bit later.
And then we’ll also see that there’s a pretty notable impact of attacks that are targeting vendors. Vendors like us as a managed service provider and then vendors that are providing services to nonprofit organizations. That specifically is something I wanted to highlight here this year. If we’re talking about cybersecurity and the world that we’re living in, I think it’s helpful to look at the incidents that have really impacted nonprofit organizations.
I’d hope at this point, organizations are aware and cognizant of the risk that they face as an organization. It’s not just something that happens to Sony and Home Depot and big vendors.
These attacks are happening to organizations of all sizes and vendors of all types. Just in the last year, in 2020, the vendor MIP, that makes accounting software, suffered a ransomware attack where a portion of their hosted resources were taken offline because of their systems being impacted by a ransomware attack where the files were encrypted. So that was a ransomware attack I believe in March. The organization BoardSource, which provides hosting resources and platforms to support board engagement suffered an email breach and as a result, one of their mailboxes was then used to send out malicious attachments to everybody in their contacts list and so if you were a board source customer, you may have gotten a notice saying, “Hey, this happened.” But again, that was an email compromise that impacted that vendor.
Probably the most impactful attack last year was suffered by Blackbaud. So Blackbaud suffered a ransomware attack against their hosted infrastructure. So organizations that were using Blackbaud hosted services were impacted by this in July where Blackbaud ended up actually paying a ransom to the threat actors that compromised their network in order to ensure that the data that had been stolen was actually destroyed.
That was a very major impact and I think a lot of organizations at that point realized, hey, you know, we need to have incident response policies in place. We need to understand where our data is. We need to understand the vendors that we’re working with, so that we can have an adequate response. And so in that case, many organizations needed to take steps to then do a breach notification to everybody in their database to say, hey, a portion of our network or this aspect of our systems was compromised and we don’t have control of that data, and so now we need to let you know that that happened and here’s what we’re going to do as a response.
I think that made it very apparent for many organizations that incident response policy and planning is a critical piece of cybersecurity. So that was a really, I think notable attack. And then maybe a little bit closer to home for me. I live in Baltimore City, but just in Baltimore County in November, their IT infrastructure was victim to a ransomware attack that took out many of their IT systems for the schools and I know that they’re still working to recover that. They were hosting things, a lot of things on premises and so their student information system was impacted. They were doing backups, but the backups were actually done in the same server environment, or the same network, and so they were encrypted as well. The IT systems were really dramatically impacted by that ransomware attack so much so that teachers’ lesson plans were lost, grades were lost and they’re actually still in the process of recovering.
So for many people, they don’t have grade records for many students for a couple of years and so they’re still in the process of compiling and redoing all of that information. So it’s a very major attack, highlighting some of the weaknesses in their backup and disaster recovery strategy.
Finally, we ended up the year with perhaps the most sophisticated and complex cyberattack of all time which affected a company called SolarWinds and their Orion platform, which was used mostly by government and large enterprise. It had actually been compromised by what appears to be the Russian APT29 threat actor group. They embedded malware in that organization’s source code so that when it was deployed, they were able to gain remote access to those networks and then launch sophisticated attacks from within the network.
There were just a lot of different attacks that happened last year that touched on and impacted organizations in the nonprofit space.
(11:50) Here we can see, Microsoft has been heavily involved in researching and responding to a lot of these incidents. We can see here an infographic that they put together that talks specifically about the SolarWinds attack in terms of the breakdown of the number of organizations or companies that were impacted.
We can see a large number were information technology firms, and so we know from the initial vendor that was compromised, which was FireEye. They actually probably did the textbook example of how to respond to a cyberattack in terms of being open and upfront, performing a thorough investigation, being very clear and transparent about what happened when it happened, what they’re doing, what are the next steps.
They provided a roadmap for many of us to show what it’s like to respond to an incident in the correct way, as opposed to the criticism against Blackbaud. The Blackbaud incident, I think it actually occurred back in May, it took them a long time to come forth with information. It wasn’t very clear in terms of their communication. That presents a counterpoint to how organizations and vendors need to be able to respond if and when they are compromised themselves.
And while this attack appears to be largely targeted against government agencies, that was the ultimate goal, some portions of think tanks and NGO organizations were also caught up and impacted as well. I think we’ve got a link to the Microsoft report that talks about this. It’s scary reading, it’s fascinating reading, and I think it just shows how impactful these events can be.
Cybersecurity Impacted by COVID
I think as we look at the impact that COVID has had in cybersecurity, we can really see it in a couple of places. So one is – understanding that the threat actors are largely financially motivated lets us see this increase in COVID related spam and spear phishing. Again, the threat actors are very topical. They’re very engaged in terms of what’s going to get reactions now. We saw a big spike when it first came out in terms of communications. These guys would use communications around COVID and “here’s information and links.”
I think now we’re starting to see also COVID related things in terms of malicious emails that will predicate communications on vaccine sign-ups or other links.
We also saw some content around stimulus check information. So things like that where the adversaries are really aware of current topics and they are using that in these confidence schemes that they’re perpetrating against all of us.
I think the other thing that we know about COVID is weak home network security practices. For many organizations, the IT practice is, you come to the office. The office has a good firewall, you have a very reliable internet connection. You have wireless that’s been set up and secured, and making that transition to work from home full-time, the same protections just weren’t in place. Maybe people had a desktop computer, but they couldn’t take it home, and so now they’re sharing a computer trying to get work done at home. Maybe they have an old wireless router that doesn’t have the latest security protocols. There’s kind of a long list of things that maybe aren’t at the same level at your home office, your home IT set up, that you would have working in an office location.
I think that presented a bigger surface area to get exploited during this past year. And then I think on top of that, I have the note here about potential for data leakage and that’s the topic of where and how people are accessing information. If you’re in the office with a work computer that’s pretty straightforward and a clear way to access it, but many organizations are scrambling to make files accessible from the cloud and accessible for non-work devices.
We had a lot of personal devices that were accessing work resources and now that data is maybe saved or synced on devices that are outside the organization’s control. I think in general, the nonprofit sector benefits from a lot of confidence and trust in its staff and employees. But at the same time, I think that does represent a growing risk area, growing area of concern to say, “Hey, what’s going to happen to those files whenever that person leaves the organization or transitions away?”
Now, we’ve got organizational data on personal computers and we don’t really have a way to get it back or control it or secure it. I think that’s going to be a big challenge. We’re seeing that more and more organizations are realizing that the cloud is great and it’s great from an accessibility perspective, but it also presents some risk too, in terms of, how that data access can be managed.
Applicability to More Remote Work
So speaking of that, more remote work because I think the management and the reporting is harder. It’s really easy when everybody’s in the office, joining the server, make sure everything’s up to date. Working remotely, if you weren’t prepared for that transition, that would’ve been really difficult. I think that remote work again, we talked about it, opens up some security holes in terms of using older technology when things that weren’t up to date, firewalls and such. That presents more risk to the organization.
Device management or mobile device management is really critical to make sure that the devices that you do have connecting to your work resources are up to date, are secured, are patched, are encrypted, so you can have confidence in the integrity of your data.
We’re fortunate in that we manage about 5,000 endpoints and those systems check in with our cloud managed server. That’s an Amazon; it’s accessible from anywhere and so even though our clients may not be in the office and haven’t been in the office for some time, if they have a management device, if they have our device management agent on their computer, they’re getting antivirus, they’re getting updates. We’re able to report on the encryption status, we’re able to deploy application updates as they’re needed, and that really improves the overall security. In a way it’s really hard if everything you have to manage device updates is really network centric on device centric, I really think it shows that proactive planning pays off.
If you haven’t done it already, I think the laptop is here to stay. In organizations, I think it’s been in general a slow transition from purchasing desktops to now laptops. But now I think it’s going to be universal to understand and see the flexibility and manageability that getting laptops gives to an organization. It is more expensive; they don’t last as long. But if you can give somebody a device and they can take it with them and work from wherever, it really gives the organization a lot more flexibility in terms of how you’re going to support and manage your users.
Our Approach to Cybersecurity
(20:10) So all of this really combines in terms of helping inform our approach to cybersecurity. If you’ve joined some of our webinars before, this graphic may be familiar. But it helps us to think about how we’re going to support, manage and define our approach to cybersecurity, which is really to focus on starting with security policy.
Understanding what the rules of the road are, so to speak; building on that with security awareness, so training, making sure that your staff are educated and aware of what’s going on; and then building on top of that the technology blocks to support the identity, the data, the devices, your network perimeter, which now is basically everybody; everybody’s an island. And your web security, and then all layered on top of that with a layer of predictive intelligence. There are a lot of really great technology solutions out there that can be put in place.
And what I would say is that it’s just important to cover your bases first. Make sure the policy is in place. Make sure your staff is trained and up-to-date before it makes sense to invest in those technologies.
Foundational Cybersecurity Practices
More specifically, organizations need to make sure that they are really following a cybersecurity roadmap, and we’ll talk a lot more about this with our next report.
We basically put out two big documents a year.
One is the Incident Report; that comes out first. We look at all the incidents that impacted nonprofit organizations over the past year.
Then a couple of months later, I think we’re targeting for April, we’ll put out our Cybersecurity Playbook, which really provides a more comprehensive roadmap in terms of how to invest in technology. What’s the right order, what things to focus on? But we know really clearly that these foundational cybersecurity practices should be in place at every organization and what that looks like is making sure that the organization has an IT Policy.
I think first starting with IT, in terms of the groundwork for you and your organization, things like the password policy, data retention and then expanding that ultimately to an incident response policy so that you have a process and a roadmap in place that you can follow in the event that something like the Blackbaud breach happens again. How are you going to respond? Who’s playing what role? Who do you need to communicate with? So policy is really the starting point.
We also mentioned operating systems and third-party patching. It may sound boring, but the basics like keeping your systems up to date is really important and one of the benefits that our clients have from us is that we’re able to make sure that that’s happening. It doesn’t matter if they’re physically in the office or working from home. We can make sure that their computers are up to date no matter where they’re at. And so keeping devices up to date and secured against the most recent vulnerabilities is a really key piece of a foundational approach to cybersecurity.
We talked about cyber security awareness training, and I think there were some questions about that earlier. We’ve done a lot of work around this and Johan can chat out a link to our YouTube channel where we have some training that you can share with staff and then there’s also free resources at TechSoup. I designed and led the Cybersecurity 101 and 201 courses there. Those are free as part of the COVID response bundle that can provide some resources to get you started with staff security awareness training. I really like the KnowBe4 security awareness platform, because it allows you to combine some test phishing with really bite-sized training in an online format, and so that’s what we use and recommend, but you can get started with some free resources as well.
I talked about rounding out some of the foundational practices to have in place. Antivirus, that’s kind of table stakes, you want to make sure that that’s in place and more importantly making sure that it’s up-to-date. It’s not doing anybody any good if it’s broken or not working.
One of the other pieces that we put in place is web filtering, because what we know is that in malicious attacks, we do see some malware and traditional viruses, but we also know that threats can come through web-based content as well. Having web filtering in place is a key element as well.
And then finally, multi-factor authentication. We’ll see in the data just how effective that is, but multifactor authentication as a way to protect your online identity is really key. Combining something that you know, which is your password, along with something that you have, which is your phone usually, is a way to really ensure the security of your data.
So now we’re going to talk a little bit about some of the definitions. There’s always lots of jargon in cybersecurity. Hopefully, I’m not using too much of it and we’ll provide some definitions here so we can all have a common language. The first one is a threat actor. The threat actor is just the person perpetrating the attack. It could be an individual, it could be a network, could be a corporate rival. I don’t think we have too many of those in the nonprofit sector. It could be a state sponsored adversary. This is an external bad guy that’s the person or entity that’s doing the work, and according to the Verizon Data Breach Investigations Report, while those APT actors get the most headlines, they actually only account for about 10% of the breaches with 86% of those attacks being financially motivated and just 4% caused by advanced threats.
There’s a lot of buzz about APT29 and all the really super sophisticated cloak and dagger stuff, but the reality is most attacks are going to be financially motivated and every organization has money. That’s the important thing to realize is that your organization has your financial assets. You’ve got personally identifiable information about your staff. You have relationships, you have connections, all of those things are valuable and can be monetized by the threat actors.
We call this the nonprofit incident report; the definition of an incident is just the event that compromised the integrity, confidentiality or availability of an information asset. We get a lot of information about these incidents and we attempt to categorize them so that we have a better handle on what exactly is going on.
Then the breach would be the conclusion of that. A breach would start off as an incident, so something that happened and then results in the confirmed disclosure of data to an unauthorized party. An incident could be, hey, I got this suspicious email, so that’s an incident. The breach would be, I clicked on it, I gave away my password and I got hacked. A breach is a subset of incidents that have some confirmed loss of control or loss of access to your own data.
Types of Incidents
So in terms of the types of incidents that we see and classify, there’s lots of different ways to go about this. This is our approach.
We’ve categorized things into nine different categories here, starting off with spam.
- Spam: the largest category of incidents that we see is just unwanted, inappropriate email sent in bulk, not very sophisticated. Everybody gets it. It’s pretty ubiquitous, and most folks at this point just delete it and go on their way.
- Malware: a top level category of malicious software, typically reported as we see it to our service desk in a ticket. “Hey, my computer’s running slow. I got this pop-up. What’s going on?” We would classify that as malware.
- Account compromise: moving on to something more sophisticated, a significant risk. That would be the unauthorized use of a digital identity by someone other than the assigned user. We would see this as somebody losing control of access to their email, rules being created to funnel messages into a subfolder, an account used by somebody else to blast messages to partner organizations, maybe download information from their OneDrive. That would be an example of an account compromise.
- Spear phishing: it’s in that same category of unwanted email, but spear phishing is more malicious because it combines some unique knowledge about your organization with that message. Spam: generic, Viagra ads, buy this, sign up for that. Easy to identify, easy to ignore. Spear phishing would be an example of when it combines information. It maybe references your boss or your executive or your finance director. It includes a link for you to click on to provide more information, and it’s usually the first step towards other actions to get your account information or commit wire fraud, or it has a financial aspect to it as well.
- Wire fraud: this is actually a criminal definition. That would be the actual illicit transfer of funds to somebody else. Stolen gift cards, wire transfer fraud where banking and routing information is manipulated, that would be wire fraud. You actually lose money directly.
- Viruses: which I would distinguish from malware as being much more serious. It actually could be a precursor to some ransomware, remote access Trojans, that kind of thing where they’re actually doing something malicious beyond just showing a pop-up or slowing your computer down.
- Supply chain attack: an attack that’s initiated through a partner of the organization. There’s an example in 2019 of a group of Texas county governments that were all impacted by ransomware that was actually delivered through a remote support tool from their managed services provider. That would be an example of a supply chain attack. The SolarWinds attack is an example of a supply chain attack where the organization was compromised through another means or through another method.
- Advanced persistent threat: we’ve heard this term mentioned before. That would be a state sponsored actor that’s really focused on persistence. As I talked about, think tanks are particularly targeted because the APT actors don’t want to go in and wreck stuff in your network. They want to go in, they want to see who you’re emailing. They want to see who you’re connected with to build up information about individuals in the organization, what they’re working on, both for information gathering and potentially for nefarious or blackmail purposes afterwards. So that’s what we know from working with the FBI on some of these responses: they’re interested in leverage points and intel gathering.
- Ransomware: finally, we’ve talked about that as being a pretty significant and impactful attack and one that a number of different nonprofit vendors have suffered this past year. That’s when we’ve got an attack which drops some malicious software and that software encrypts the files so you don’t have access to them. Then you’re typically asked to pay a ransom to decrypt the data so that you can have access to it. If you’re in good shape, you’ve got backups in place, this is a severe but recoverable event. That’s why backups are always a key part of any good cyber security plan.
So I’m gonna take a pause here and get a drink of water, and we’ll go ahead and take a look at the incidents that our clients submitted to us over the last year.
All right, so we can see here that we reviewed and classified about 690 security incidents over the course of 2020, in these different categories.
You’ll notice we didn’t have any supply chain attacks last year and we had zero wire fraud. So that’s great. We’ve had those in some previous years.
The number one incident that we see facing nonprofit organizations is spam. I think that’s no surprise there, it’s ubiquitous. It affects every organization and our goal in this is really to communicate to our clients and say, hey, if you get something suspicious, send it to us. We want to know about it. We want to see it. We want to look at it because we want to be able to identify if it is malicious. It’s a lot easier to look at something and say, “Oh, no this is legitimate, we’ve checked it,” than it is to say, “Oh, wait, you clicked on that. That was actually, that was bad and so — “ and then going through a response process from that perspective.
We see the most issues submitted around spam, which I think is a good thing.
The second most common incident is spear phishing and you’ll see this in the next slide where we look at some year over year data. It’s on an upward, really significant upward trajectory in terms of the amount of incidents that we’re seeing around spear phishing. So I think this is the thing that causes the most consternation or frustration to clients is “Hey, I got this message, it said it was from my executive director. Look, here’s their name. How can you block this?” And often it’s very difficult in traditional spam filters. They are not able to address it because there’s not that much information in the emails. Many of us have allowed all messages from our executive director or finance people, and so they go around spam filters, and so the adversaries really take advantage of that as a way to initiate those confidence schemes.
Many organizations have really great websites that talk about, with everybody’s smiling face, who they are and who they work with and all those relationships. So the adversaries are looking at that and saying, “Oh yeah, well, I know I can send a message to this accounts payable person, and I’ll pretend to be the finance director, or here’s the HR Associate. I’m going to pretend to be the HR Director.” So we can see these just happening again and again and again. It really is frustrating for users to get this flood of stuff, and it’s really difficult to protect against unless you’ve got some additional technology tools in place to prevent it.
Malware came in third for us this year and I think this number has really been increased a little bit by some new security tools that we deployed. For both the spear phishing and the malware, we’ve started being a little bit more aggressive in terms of deploying more sophisticated tools that are automatically detecting this stuff and alerting our backend teams so we can prevent the issues from happening for our clients. I think that contributed a certain amount to these numbers.
We’ve adopted a new endpoint detection and response tool that really generated some noise because it was finding things that were not viruses, but malicious software that didn’t need to be there. We are going to go and just clean a lot of that stuff out. So malware came in third.
Fourth, which I think is the most significant, is the number of account compromises. That’s when somebody other than the authorized user logged into an account. We are typically seeing this as, for example, somebody who typically works in Virginia and all of a sudden there’s a login from New York or they typically work in San Francisco and we’ve got a login from Iran. This is something that impacted a large number of organizations last year.
I think one of the things about COVID and working remotely is that it made it a lot more difficult to track down and troubleshoot. Instead of looking at the logs and saying, “Oh, here this organization, they always log in from this Virginia IP, it never changes, it’s always consistent.” Now, we’ve got people working remotely from their homes where they normally live. We had a lot of organizations that had staff move back home or transition to other areas.
So now, instead of looking through the logs for the one or two locations that don’t seem to make sense, we’re looking at logs and people are all over the U.S. They’re using VPNs and they’re doing other things and so it’s made this a lot harder to really nail down. The troubleshooting and response times have been impacted because it’s a lot more complex to troubleshoot these issues now. Account compromise is a pretty significant impact here for organizations, and we’ll see some more details about that here as we go on.
In the lesser categories, we really had few viruses. Seven viruses across about 5,000 endpoints that we support, I think, is a really low prevalence. We’re doing a lot of stuff for our clients to help protect against this in the first place. We’re doing all the managed updates. We are providing antivirus, we’re doing web filtering, we’re doing system updates.
So our managed clients are in a good spot, better than the average network in terms of those practices that really contribute to the relatively low prevalence of viruses.
As we see in the broader sector, ransomware being the most impactful example, these things exist out there and I’m glad to see this low number. We’re not really going to roll back protections, but we want to keep adding additional tools and technologies in place to keep driving this number even lower and stay on top of it.
We did have a couple of cases of working against advanced persistent threat actors. That typically has involved our think tanks and policy partners, working with some government agencies to help do the response and remediation in those cases. They’re very sophisticated attacks and it means organizations in that space really need to be attentive to their security controls and policies because it is really clear that they’re being targeted with various sophisticated attacks. It’s important to have all the I’s dotted and T’s crossed so that those organizations are secure.
Wrapping up the year, we actually did have one example of ransomware. We had an organization get a crypto attack that came through a compromise of a service account. That was the first one we’ve had in three years and fortunately, we had good backups in place and were able to recover and restore things within a day or so.
It highlights the need to make sure that all the security controls are in place across the whole organization. So just having MFA in place for a handful of accounts isn’t good enough. We need to make sure that everything is covered.
Compare Year over Year
Let’s take a look at what we had year over year. As I mentioned, this is now the third year that we’ve done this report. In 2018, we actually categorized 233 incidents. This year we categorized 690 incidents. So we’ve seen a 300% increase overall in the number of security incidents that we are classifying and responding to.
There’s a little bit of graph magic that’s happening here. On the left-hand scale, it’s zero to 450. On the right-hand side, you’ll see it’s minus five to 35. So there are some scaling differences here. The most prevalent issue we talked about was spam, and you can see that’s leveled off a little bit. I think people are able to identify it. They are still submitting it and submitting a lot, but just generally able to deal with it better. I think we also deployed more spam filtering solutions last year to help cut this number down.
We can see we’ve got the spear phishing number here. We can see that is at 183. I think last year it was like at 69, and then in 2018 it was 14 messages. So we can really see just a dramatic increase in the amount of spear phishing that’s going on. Those messages that look like they’re coming from the executive director that have the malicious links to download the encrypted file to pay the invoice. That number has just rocketed up from 14 in 2018, all the way up to 183 cases in 2020.
Then we can see the other number that really has a dramatic increase is the number of account compromises. We had 15 last year in 2019, and that doubled to 32, and so that was a pretty significant increase. Digging back in here, of those 32 account compromises, only 2 involved accounts that had multi-factor authentication enabled. One of those accounts was part of an advanced persistent threat attack that we worked with some three letter agencies on, and then one of them had MFA enabled, but then responded to a phone call authorization incorrectly or by accident. There were 32 account compromises, but only two of those involved user accounts that had multi-factor authentication enabled.
That really shows the importance of some of these security controls, and when you have them in place, you can really cut down the risk for your organization. We can see wire fraud and we’ve got some stuff going down. Didn’t have any examples of that. Viruses, relatively low prevalence overall for the last couple of years and increased slightly. Malware, that number did go up quite a bit and I’m attributing that mostly to the deployment of some additional tools identifying some latent threats that had been lying around.
So that’s the comparison year over year, and one thing I’m kind of curious to see, what threats or how has your organization been able to either respond or see what’s going on in responding to cybersecurity threats at your organization?
I’d love to see what organizations have a plan for improving cybersecurity or is it something that’s underway, waiting on approval, or are you getting started? (poll 45:50)
Just to get a sense of the audience here, in terms of where you’re at on your journey of protecting yourself against some of the threats that we can see here. We’ll just leave that up for another minute or so.
Great, thanks for sharing that. So it looks like most folks are underway (58%) with their improvements, and so that’s really great, really great to see.
The trends that we can see now, really having focused attention on this over the last three years and understanding what’s going on, we really see that cybersecurity incidents continue to climb. This is not something that’s going away or is being reduced, but it’s something that is happening more and more every year. One month in, we can see that that pace is going to continue. I don’t think we’re going to see less risk or fewer threats facing us in the coming year. It’s something that’s only going to continue to climb.
I think this past year, it was particularly impressed upon us, the risk that third-party vendors and partners can play. It’s important for organizations to understand all the different partners that they are working with and engaging with. Making sure they have a clear understanding of the terms of service and what your vendors are going to be providing, and understanding how they’re going to be handling your data and the relationships that they have, as well. Understanding and having a clear sense of who the partners are, what data they have and how they are using it. Do they have any partners they are using that you also need to be aware of?
Have a clear understanding. It’s not out of sight out of mind. Just because you put it in the cloud doesn’t mean you need to never think about it anymore, but I think it means you need to be even more attentive about those details.
I talked about it last slide, but again, MFA is extremely effective in terms of being a security control that you can put in place that really has a significant impact. As I said, we responded to 32 account compromises last year. Only two of them had enrolled in MFA, and so I think it’s just another clear example that making MFA a mandatory control that your staff need to enroll in is absolutely critical, and it needs to be put on every system that you can access from the cloud.
Most vendors at this point are including MFA as a free option. So you don’t need to pay extra for it. It’s included in Google Workspace, it’s included in Office 365, it’s included in Dropbox. All you have to do is turn it on and that’s all. Salesforce is going to be mandating MFA here in another year, and so that’s a step that I think is really important to take. It’s important to take it now because the number of data breaches that are occurring, with passwords being just sent out there and flooded, is just really phenomenal.
You can almost assume somebody’s going to get your password at some point, so being able to put that extra layer of protection on, that multi-factor challenge, is absolutely essential in my view.
And at that account compromise level, we saw double the amount of account compromises in 2020 as we did in 2019, even though we increased the number of accounts that we had enrolled in MFA. So I think at this point, about two-thirds of our customer base have enrolled in MFA, which is fantastic, but we still have a third to go. It’s something that every organization needs to make sure is part of their roadmap and it’s something that they need to implement universally. Not just staff accounts, anything that you can log into from the cloud needs to have multi-factor authentication enabled on it.
Some more takeaways that we discovered in looking at the data, and reflecting back on it, are that these advanced persistent threats are only increasing their efforts and targeting policy organizations and think tanks. Now especially, we’re seeing that as there’s a lot of transition and turnover into the new administration. Here especially in DC, organizations are having a lot of folks go into government. Any organization that has staff people heading into the government needs to be really attentive in terms of their cybersecurity controls, because they have a target on their back. Advanced persistent threat actors are going to use sophisticated tools to target those organizations and their staff. It’s not just going to be limited to their work accounts, also their personal accounts. It could be family accounts as well, but if you’re in that think tank space, cybersecurity and having effective controls is absolutely critical.
The other thing that we see is that if you’ve been compromised once, more attacks are likely. We can see this in looking at the data over a couple year period. If we see an organization has had an account compromise or two, they tend to actually have a lot more spear phishing attacks or a lot more spam and even have more account compromises, if they haven’t turned on multi-factor universally. It seems like once the word gets out on the dark web, that information is shared, and organizations or IDs can become known as softer targets. So if you’ve been attacked once, it’s likely that you’ll see some fallout from those attacks over the next couple of months, or even years. Your name is out there as being an organization that’s had a compromise in the past, and so maybe predicated to have more attacks in the future.
We also see that social service organizations are more susceptible to business email compromise messages. Organizations that are really relationship focused tend to be more susceptible to clicking on those links and going down the road of the response there. That’s important to know and understand, and maybe invest in some protections in that area if you’re in that line of work. It shows up here again, MFA is really effective in preventing account compromise. Make sure that you can go ahead and turn that on, so that your account is as protected as it can be.
Anatomy of an Attack
With all this big picture stuff, I thought it’d be helpful just to share an example: an anatomy of an attack. This is something that we see in the support tickets to describe how these things work. This is something we put together in hindsight, after connecting the dots because all the information wasn’t made available at the initial incident.
We had a case where a user submitted an email to our support ticket saying, “Hey, this looks like a suspicious email. Is it a suspicious email?” So our help desk team looked at it and said, “Yep, this is not a legitimate message even though it came from an existing vendor.” The organization had a partner, it was a legitimate partner address. It wasn’t spoofed. It was from them, and it had this invoice linked to an encrypted invoice, and we identified it as actually a malicious link. Go ahead and delete that message. Then it turns out that the user actually didn’t delete the message. They must have clicked on it, and the link itself actually went to a fake Office 365 login page.
So they put in their username and password, nothing. It didn’t work. So then they thought this looked suspicious, but they didn’t communicate that they’d actually submitted their password.
This was on December 18th. Then we had a follow-up ticket in January where one of our automated tools triggered because it had detected a suspicious login from an unauthorized source or an authorized location. Then we found out that this was actually the same user that had submitted the email about the suspicious account. Here about three weeks later, their account was actually compromised.
It shows this path where something starts off as a spear phishing message. Somebody clicks on it, clicks on a malicious link, they type in their username and password and then that goes to the threat actors. Then at some point, not that long afterwards, they’re able to log in with that user’s account. There was no brute force attack when looking through the logs. It was just a single login, and so it was pretty clear that they had access to the user’s password.
So in hindsight, it’s important to share and to educate staff that if you get a message, anything that’s suspicious, let us know, let’s take a look at it. If you click on something and put in some password information that doesn’t work, let us know. We want to know anything and everything that happened. It’s no big deal.
If you click on something and put in your password, that’s fine. It would have been way better on that first message to say, “I clicked on this and I put my password in, but nothing happened.” Then we could have said, “Well this is a malicious link. You probably went to a password harvesting site. Let’s go ahead and reset your password now, and let’s make sure that multi-factor authentication is working.” Then we could’ve stopped that on December 18th instead of then having to follow up and respond reactively to something a couple of weeks later. That’s an example of how it’s important to be open and have good communication with your IT team to make sure that they’re aware and can respond to the issues that may come up.
And then finally, as we just wrap up here, I know we’ve got a couple of minutes left and I can stick around for questions if there are any, if this all seems like a bit much.
Secure Your Network
There’s a long list of cybersecurity controls, and if you’re not quite sure what to do right now, I highlight these three things:
- Make sure you have an IT acceptable use policy, because I think that helps lay the groundwork; it helps you think about what’s important for you as an organization. Identify the systems that you’re using, understand where the data is, answer some of those things in terms of how we handle personal devices, how we handle passwords, that kind of thing.
- I would then encourage you to implement a security awareness training program. Like I said, if you’re going to invest any money, invest in people. You get the best outcomes because you can educate them to not click on the links, to identify what might be suspicious, and that is a tremendous value.
- And then finally implement multi-factor authentication. I keep harping on it, but it really is the most effective tool to protect and secure your organization.
At Community IT, we have a range of cybersecurity services that we can provide ranging from some self-assessment surveys to help guide you in the right direction, all the way to fully managed cybersecurity services and assessments and planning. So if you do need to look for a resource or a partner, our exclusive focus is on nonprofits and it gives us a unique perspective into the cybersecurity needs that you have and we can provide services that are really tailored to the needs of nonprofits.
Just to get you started, if you want to drop an email to email@example.com. I can send you a report from a tool that we have, which is a dark web scanning tool, which basically scans and scours the dark web and reports on any of your accounts that may be compromised and out there.
What we can use this to do is identify accounts that may be at high risk and then target those accounts to reset passwords, to make sure multi-factor authentication is enabled, to provide some education on people using work accounts for personal services.
I’m happy to provide that as a free report if you just drop a note into cybersecurity@communityit and we’ll go ahead and get that resource to you here in the next couple of days.
All right. Johan, you want to talk about our next webinar?
Johan Hammerstrom: Yes. One month from now, on Wednesday, March 17th at 03:00 we are going to be having a webinar on Slack versus Teams versus Zoom.
We’re looking at the similarities and the differences between these different solutions. We have clients that use all three, we have spoken with nonprofit organizations that aren’t sure which one to use, and we’re gonna run through them. You’ll come out of it with a much better understanding of these different solutions and the slightly adjacent solution spaces they occupy.
So look for the invite to that webinar in your inbox, please register for it and we look forward to seeing you next month.
Matthew Eshleman: Great. Were there any questions that came in that we didn’t get answered during the session?
Johan Hammerstrom: Yeah, we were able to answer most of the questions that came in directly through the chat. There was one question that I wanted to present to you, now at the end of the webinar.
How would you say that the recent trend of supply chain attacks is impacting nonprofits as compared to how it is impacting for-profits? And I really wanted to stump you. That’s why I saved this particular question, because the whole supply chain attack question is a fascinating one, but also difficult.
Matthew Eshleman: I don’t have as much insight into the impact on the differences in the for-profit world, because our focus has been exclusively on nonprofit organizations. We’re an employee owned company and so we can see things, I think from that perspective. I’m not sure actually, if there would be that much of a difference. I think both nonprofit organizations and for-profits have made the shift to the cloud pretty well. I think nonprofit organizations have actually done a much quicker job of transitioning in and adopting cloud services. With that, I think nonprofit organizations tend to be a little bit more casual when it comes to IT Policy and restrictions that need to be in place in order to do this stuff.
I’m thinking about going to the RSA Conference a couple of years ago, and for big enterprise and regulated industries, they’ve had these significant IT security controls in place for a long time, right? So device encryption and everything has to be managed and locked down and you can only come from these trusted endpoints. From that perspective, I think big business has had these sophisticated security controls in place for a lot longer. The nonprofit sector in general is much more open, and doesn’t have the same kind of legal compliance requirements that some big businesses may have now. That’s not a universal statement, but I do think most nonprofits have been relatively lax in setting up and putting restrictions in place in terms of people using personal devices to access work or organizational data.
And I think that is going to be a challenge, because when you look at it from the perspective of what happens whenever our staff person walks away with our synced Dropbox of all of our organizational data, and we can’t really do anything about it because it’s on their personal computer and we don’t control that? I think that is something that organizations are now beginning to realize the impact of those decisions to allow a pretty open policy. So I’m not sure if that was a concise answer, but I think it’s what we’ve seen happening with nonprofit organizations and this shift to cloud technology.
Johan Hammerstrom: Great. Thank you, Matt and thank you for the presentation today. I’m always curious to see what the Nonprofit Cybersecurity Incident Report has to say about the previous year. So definitely appreciate you putting that together and sharing that with us today.
Matthew Eshleman: Great. Well, thank you and I think there’ll be a survey that comes up. Again, appreciate any feedback, constructive or otherwise, that you may have and we always look forward to the input that we get to make these webinars better for our audience.
Johan Hammerstrom: Great, and thank you to everyone who joined us today, and to those of you who stuck with us for going over a little bit.
You can re-watch this webinar on our YouTube channel. We have all of our webinars posted there. We encourage you to go and subscribe and to come back next month until then, take care.