Simple Cybersecurity Steps for Nonprofits

The old adage is that no good deed goes unpunished, and this is most true when it comes to non-profits and their security. Attackers have learned that non-profit companies are usually easier targets because of their leaner budgets and reduced staff. While you and I might not target a non-profit because of our moral leanings, attackers do not share that morality.

 

I have worked at a couple of non-profits and have had several non-profits as clients and have comprised the following list of steps you can take to help secure your cybersecurity stance. The following tips are good for any business type but are especially true for non-profits.

 

Limit Oversharing

 

Have you ever had to sit next to your weird uncle at a wedding? He starts telling you stories about things you have never wanted to know before. Whether it’s the stories about his younger romantic engagements, his over-the-top glory stories of savings lives and inventing products or his latest medical concern in extreme details, you just simply want him to stop.

 

One of the greatest tools attackers have is open source intelligence (OSINT), which is information about your target that is already available in the public domain. OSINT can be anything from passwords and usernames to important dates and company details. This OSINT can be generated from database leaks, previous employees and contacts or even our own social media profiles.

 

While on the surface this type of information seems innocent enough, in the right hands it can be leveraged to perform devasting attacks. One of my previous clients had shared on social media that their CEO was out of the country and promoted the work they were doing. An attacker took that information and crafted targeted email and texts to certain employees pretending to be that CEO. The imposter CEO claimed their laptop had broke and their credit cards were not working since they were out of the country. They then proceeded to instruct multiple employees to get BestBuy gift cards and send them the codes. Luckily the employees who had been through security awareness training didn’t send any money, but a couple who had not received the training unfortunately did.

 

I am not saying social media is bad, or not to use it. The takeaway here is to limit what information we are putting out into the world. This is much more difficult for non-profits, as you want to share the victories.  Find a way to share those victories in a way that is safe, such as waiting until travelers are back in the states, sanitizing posts and webpages for company details and most importantly, training employees.

 

Maintain Consistent Security Awareness Training

 

In a hypothetical situation where a company can only choose a single cybersecurity defense strategy, my recommendation 100 out of 100 times will always be employee training.

 

I have never stormed a castle before, but I think if I had to, I would try the Trojan Horse approach. In the Trojan War, the Odyssey tells a tale of Odysseus coming up with an ingenious plan where the Greeks would build a massive wooden horse as tribute to the Trojans for “winning” the war. Several of the Greek soldiers would hide in the horse and the rest would pretend to sail away. The Trojans opened their gates and wheeled the horse into the center of the city where they proceeded to celebrate. As they slept off the celebration the Greeks snuck out of the horse and opened the gates for the rest of the army.

 

In the tale Odysseus recognizes that the city walls are impenetrable. So instead of wasting countless men to failed attacks, he decides to use his enemy’s human nature against them. In the same vein, we could have the most advanced next generation firewalls, EDR’s, network scanners and a team of offensive hackers looking for vulnerabilities, but it would all be lost if Suzy in accounting falls for a phishing email.

 

Security awareness training has consistently been shown to lower cyber security incidents when its implemented and maintained. While non-profits have limited budgets, typically security awareness training is relatively cheap compared to comprehensive technical solutions.

 

Implement the Basics of Secure Logins

 

There is some low hanging fruit that every company can do that will drastically improve your security stance.

 

Do not reuse passwords. Not only for yourself but also within the office. I cannot tell you how many companies I have consulted for that have an “Adobe password”, or any other service.

 

Setup MFA on EVERYTHING. MFA or Multifactor Authentication is critical for secure logins. MFA apps like Google authenticator are best but even just having email or text codes is a massive improvement.

 

Regularly change passwords and audit access. If you have employee turnover you should change every password that employee had access to. In general, you should be setting your passwords to expire every 90 days or less.

 

Backups are Vital

 

While backups in of themselves do not usually fall under the cyber security umbrella, it is important to spend a little time discussing them for a number of reasons.

 

First, no matter how robust your cyber security solution is, there is always a chance for failure. This is especially true whenever people are involved. There is a common misconception amongst the public that every time a successful cyber-attack takes place, a hacker is spending countless hours writing thousands of lines of code in order to “take over” someone’s computer. A lot of times people accidentally compromise their own computers. Things like clicking a malicious link in an email, downloading a piece of software that looked legitimate or even just not keeping up to date on updates all lead to compromise.

 

Second, even non-malicious incidents by employees can have devastating consequences without backups. I can’t count the number of employee workstations I have cleaned malware off of after the employee swore to me that they didn’t click, download, or do anything at all to get malware. Sometimes, by the time the employee alerted anyone to the malware on their computer, it had already taken root in the network. If that malware is ransomware, as was the case a handful of times, then you are truly left with two options. You can pay the ransom to these attackers, or you can restore from good backups. Not only is restoring from backups usually cheaper, it’s also a good idea in case the attacker left a backdoor behind.

 

Finally, backups are a relatively cheap return on investment. As storage prices continue to fall, backup solutions are dropping with them. However, regardless of their cost, even a complex, expensive backup solution will always be cheaper than the alternative of not having your company’s data.

 

While any backup is better than no backup, there are a couple quick rules about backups your company should try to follow.

 

1) Backups should run frequently, preferably on a schedule – It doesn’t do you any good if your last known backup is from 6 months ago. Setting up a scheduled backup task is a great way to make sure you have up to date backups.

 

a. Pro tip – Enable VSS (Volume Shadow Copy) on your Microsoft Windows Based machines. VSS can be setup to make shadow copies of files at regular intervals. This makes it incredibly easy to restore accidentally deleted files.

 

2) Backups should be audited regularly to make sure all necessary data is covered – Regardless of polices, standards and procedures, employees tend to store critical information in the weirdest places. It’s a good idea to continually check to make sure that all necessary data is backed up.

 

3) Backups should be secured and encrypted – The last thing you want is an unencrypted copy of your company’s data falling into the wrong hands. Most modern backup solutions offer some level of encryption.

 

4) An offsite copy of your backup should be encrypted and sent to a server, or location that is not at your company’s main campus – this one is self-explanatory. If your building burns to the ground, your local NAS, hard drive or tape backup solution is going to be burned with it. Many IT providers offer an offsite backup solution including cloud providers.

 

Conclusion

 

Non-profits play a vital role in our communities, often operating on tight budgets and with limited resources. Unfortunately, this makes them attractive targets for cyber attackers. By implementing a few key practices, such as limiting oversharing, maintaining consistent security awareness training, and ensuring secure login procedures, non-profits can significantly enhance their cybersecurity posture.

 

Remember, the human element is often the weakest link in cybersecurity. Investing in your team’s awareness and training can be one of the most cost-effective measures to prevent cyber incidents. While technical defenses are essential, they must be complemented with a vigilant and well-informed staff.

 

Finally, regardless of how much we prepare, we cannot be prepared for everything, which is why its vital to make sure your backup solution works. You should take time to test your backups, verify you can restore from them and that all critical data is being backed up. Check to make sure your disaster recovery plans are updated, and that people know what their roles are in the event of a disaster.

 

By taking these proactive steps, non-profits can better protect their sensitive data and continue their good work with greater peace of mind. No good deed should go punished by a cyber-attack.
Eric-Burger

Jonathan Weick

With over 15 years of cybersecurity and IT experience, Jonathan Weick is the owner of a small business providing cybersecurity solutions and IT support. He is a Certified Ethical Hacker with a Sec+ certification. Outside of work, he enjoys hiking and camping with his wife and dog, Stan.

August 7, 2024

Become a Member

Whether you’re with a large team or a solo entrepreneur looking to start the next great cause, we have a membership package that will help you grow your network and your cause.