Keeping yourself and your stuff safe in the physical world is quite a straightforward task: you can simply lock your house and car doors. You make it a point to never leave your items unattended in public. Even your debit card, which you use at the ATM or the grocery shop, requires a pin, which you keep private. You have a number of routines in place to keep yourself secure.
But what about your online presence? Do you believe it’s safe? And if not, do you know the ways you can make it safer?
Regardless of your technical expertise, you are probably no stranger to the term ‘cybersecurity’. In today’s increasingly insecure digital space, we expect you to make cybersecurity a priority. If you haven’t done it already, now is the time to secure your online presence.
Today, we rely on our smartphones and the internet to connect to the outside world more than ever. As a result, it’s critical to be aware of the hazards and take precautions to secure our data, just as we do with our physical belongings.
Hackers are becoming increasingly smart. So, to protect both your work-related information and the personal information of your supporters, it’s critical to make internet safety a high priority for your nonprofit.
In the post-COVID world of today, nonprofits are more reliant on technology than ever before to pursue their goals through remote work. The necessity for digital technology integration into all elements of human services organizations has grown as a result of measures to control and prevent the spread of the pandemic.
This can open up a slew of new possibilities, but it also raises the possibility of new security concerns. With the rising number of end-user points, not only are there more avenues to be attacked, but cybersecurity breaches are continuously evolving and hackers are becoming more sophisticated. The organization’s key activities are at stake.
Cyberattacks, ranging from data breaches to large-scale incursions, have become more common as a result of organizations’ drastic switch to the digital working model. The number of cyberattacks that target companies and disrupt industries has increased dramatically in 2021 alone.
In the absence of sufficient cybersecurity and privacy measures, the risk of reputational damage is significant. Due to funding limits and staffing shortages, smaller businesses are particularly vulnerable, but they can profit from adopting established best practices from their larger nonprofit counterparts.
It’s common knowledge that the world’s most precious resource is no longer oil, but data. And nonprofits keep a lot of donor data, making them an enticing target for cybercriminals. Nonprofits aren’t recognized for keeping a lot of cash on hand, so the danger of theft, especially online, may appear to be low. However, keep in mind that most hackers aren’t after your cash, but the priceless information you store.
In both legitimate and criminal markets, payment information, phone numbers, email addresses, passwords, social security numbers, and other personal information have value. They can be sold to whoever needs them, from honest firms trying to expand their sales contact lists to unscrupulous organizations looking to utilize data to commit more crimes, once they’ve been acquired.
Therefore, nonprofit organizations are frequently viewed as a high-value target by hackers for two reasons:
First, nonprofits rely heavily on donations and, as a result, collect personal information such as names, addresses, and contact information from existing and future donors. Because this information is frequently not effectively safeguarded, it is a jackpot for cybercriminals.
Second, many nonprofits have few, if any, cybersecurity rules and training in place to safeguard themselves against such attacks. This makes nonprofits particularly vulnerable to cyberattacks.
A study by Community IT has some shocking revelations. A majority of nonprofits aren’t paying attention to cyber-threats as 70% of nonprofits have not conducted a vulnerability assessment to identify their cybersecurity threats.
Moreover, nonprofits appear unconcerned about cyberattacks with 80% of NGOs not having a cybersecurity policy in place. This is critical because the danger is real: On average, hackers attack around 2,000 times per day. With no reliable cybersecurity in place, the working and personal data of these organizations are always at stake.
The most common types of cyberattacks that can be targeted towards nonprofits include Ransomware, Data Breach, and Forced Downtime.
Ransomware encrypts your online systems and holds them captive until the ransom is paid. In a data breach, hackers gain access to the information you have collected and use it for malicious purposes. In forced downtime, an attacker takes your systems offline so that your organization cannot operate until they are restored.
Blackbaud, a social enterprise cloud services provider, was attacked as part of a ransomware attack in February 2020. As a result, sensitive personal information, including financial information, was made public. What’s surprising is that it wasn’t until May that they discovered they had been hacked. What’s more shocking is that they publicly reported the incident in July.
The incident serves as a timely warning that any organization that collects data, nonprofits included, is responsible for maintaining its security. However, data show that organizations frequently do less than the bare minimum to protect the personal information of their donors, employees, and volunteers.
Here are some of the ways nonprofits can enhance their cybersecurity:
Take extra precautions to ensure that devices are not misplaced or lost; if a device is lost or stolen, you should take steps to ensure a remote wipe as soon as possible.
Also, follow any email-related policies that your company has in place. For job-related emails, use corporate email accounts rather than personal ones, especially if the communications contain confidential or personal information. If you must use personal email, make sure the contents and attachments are encrypted and avoid subject lines that contain personal or secret information.
When businesses become serious about cybersecurity, it usually begins with a well-publicized breach and/or an introduction to a promoted product or service. You do not need to invest a lot of money to protect your company, contrary to popular assumptions. Begin by analyzing the current products and services in use and determining whether or not they are being used to their maximum potential.
Is it, for example, a requirement at your company that passwords be complex? Is it necessary to update passwords after a specific amount of time? Is there a policy in place that locks the account if a certain number of failed login attempts are made? Many existing security mechanisms are removed for convenience, but they might leave a significant cybersecurity vulnerability in your firm.
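The three policy questions above (password complexity, password expiry and lockout after repeated failures) are easy to turn into concrete checks. The following Python is an added example written for this article, not code from any product mentioned here; the thresholds (12-character minimum, 5 failed attempts, 15-minute lockout, 90-day maximum age) are assumptions chosen for illustration, and `password_ok` is assumed to be the result of a separate, constant-time credential check.

```python
"""Account-policy checks: complexity, expiry and failed-login lockout.

Added illustration (assumed thresholds); not code from any vendor product.
"""
import string
from dataclasses import dataclass

# Assumed policy values; tune them to your organisation's risk appetite.
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
MAX_PASSWORD_AGE_SECONDS = 90 * 24 * 3600


def check_password_policy(password: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    violations = []
    if len(password) < MIN_PASSWORD_LENGTH:
        violations.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in string.punctuation for c in password):
        violations.append("no symbol")
    return violations


def password_expired(changed_at: float, now: float) -> bool:
    """True when the password is older than the assumed maximum age."""
    return now - changed_at > MAX_PASSWORD_AGE_SECONDS


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    """Counts failed logins per account and locks the account after too many.

    `attempt()` returns one of "ok", "denied" or "locked". While an account is
    locked, even a correct password returns "locked", so an attacker cannot use
    the lock state to confirm a guess.
    """

    def __init__(self, max_failed: int = MAX_FAILED_ATTEMPTS,
                 lockout_seconds: int = LOCKOUT_SECONDS) -> None:
        self.max_failed = max_failed
        self.lockout_seconds = lockout_seconds
        self._accounts: dict[str, AccountState] = {}

    def attempt(self, username: str, password_ok: bool, now: float) -> str:
        state = self._accounts.setdefault(username, AccountState())
        if now < state.locked_until:
            return "locked"
        if password_ok:
            state.failed_attempts = 0  # a good login resets the counter
            return "ok"
        state.failed_attempts += 1
        if state.failed_attempts >= self.max_failed:
            state.locked_until = now + self.lockout_seconds
            state.failed_attempts = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    print(check_password_policy("short"))
    guard = LoginGuard(max_failed=3, lockout_seconds=60)
    for t in range(4):
        print(t, guard.attempt("alice", False, now=t))
```

The lockout counter is reset on a successful login and after the lock expires, which is the behaviour most directory services implement; if you prefer a permanent lock that an administrator must clear, replace the `locked_until` timestamp with a boolean flag.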
Every cybersecurity program’s effectiveness hinges on end-user training and awareness. While many firms have implemented spam filters, even the most advanced technology cannot prevent every phishing attack. 94% of malware was delivered over email, according to Verizon’s 2019 Data Breach Investigations Report.
Furthermore, according to Symantec’s 2019 Internet Security Threat Report, “65% of groups used spear-phishing as the primary infection vector.” With email serving as the primary mode of communication, it is vital that end-users receive ongoing training.
Because you’ve shifted everything to the cloud, your cloud provider is now in charge of your company’s cybersecurity. Or is it? Despite the fact that Amazon Web Services, Azure, or Google Cloud provide infrastructure as a service, your company is still responsible for configuration and setup.
They won’t take care of your operating system upgrades or secure your network. Furthermore, if your configuration is improper, your data may be accessible to everyone on the internet. Misconfigurations can be disastrous when it comes to cloud services, which are complicated and powerful.
Multi-factor authentication is one of the most cost-effective cybersecurity options available. Multi-factor authentication requires a second verification of the identity of the person logging in to the system. However, in order to safeguard the company, this additional type of authentication must be required at all network entry points.
Multi-factor authentication is included in your Microsoft Office 365 license if your company currently uses it. Otherwise, multi-factor solutions such as Duo, RSA, and YubiKey are available for purchase. Some research on this front should give you the peace of mind that your company’s network is secure.
Usually, you log in to different web services by just entering your username and password. Two-factor authentication, on the other hand, entails verifying your identity not only with a login and password but also with something you have on you, such as your phone.
The benefit of two- or multi-factor authentication is that once it is set up, someone who has your login information still cannot access your account unless they also have access to your second means of verification.
In two-factor authentication, you’ll receive an additional verification code to enter after you’ve entered your username and password. For this type of authentication, you can select to receive SMS messages or use an app like Google Authenticator to retrieve your code (which is even more secure).
Although some web services will prompt you to enable two-factor authentication automatically, you may still need to go to your security settings to do so. Despite the fact that scammers are becoming more adept at obtaining your login credentials, two-factor authentication remains a gold standard, preventing 99 percent of hacker attempts, according to Microsoft.
Account hacks have been a high-profile and high-impact risk in recent years. Approximately 10% of firms that have not deployed Multi-Factor Authentication (MFA) will have a compromised account on their network this year, according to research.
A compromised account poses a significant risk to a business because it can interrupt operations, reveal sensitive information, or be used to attack partners. Organizations that have implemented MFA are at a significantly reduced risk than organizations that have not.
Today, two-factor or multi-factor authentication is quite popular and a requirement for many cloud-based services as a supplement to password security. MFA combines something you already know (e.g. your password) with something you already have (e.g. your smartphone as the second factor).
The second security factor can take many forms you’re already familiar with, such as a phone call to your personal number, a text message, a PIN-coded key fob or USB key, a mobile authentication app (such as Google or Microsoft Authenticator), and more.
Two-factor authentication (2FA) is quickly becoming one of the most significant technologies that nonprofits can employ to combat cybercrime threats and strengthen their organizational resilience.
Because 2FA makes it much more difficult for a cybercriminal to break into any account that nonprofit personnel log into on a computer or mobile device, security is greatly enhanced. These accounts could be bank accounts, accounts used to access cloud-based services such as document storage and sharing, constituent relationship management (CRM) or email accounts, or accounts used by employees to access their office computers.
Another advantage of using MFA is that employees don’t have to update their passwords as frequently (or ever). This is an unusual security improvement in that it does not require employees to learn a difficult procedure they are unfamiliar with.
Any new security procedure will necessitate explanation, training, and employee buy-in. On the other hand, 2FA or MFA are already in your employees’ digital toolbox and extremely easy to implement. Plus, it won’t be a major leap for your IT department if your nonprofit is using a platform that makes MFA simple to adopt.