Nonprofit IT Security: 5 Inexpensive Ways to Secure Your Organization
If you're not concerned about data security as a nonprofit, you should be. Hackers tend not to deliberately target nonprofits the way they do manufacturers and financial institutions, for example. But a lot of hacking is actually automated and based on exploiting targets of opportunity, and a lot of nonprofit IT security is underfunded and unprepared.
Don't assume that hackers will take it easy on you because of the positive work you do or because you don't have a lot of extra money to spend. They have been ruthless in targeting and holding hostage hospitals for days and even weeks, willfully putting people's lives at risk.
In addition, one of the more common tactics hackers use these days is to threaten to release sensitive data publicly. And there are a lot of nonprofits that handle sensitive data that they want to keep private. This is especially important to keep in mind in the current political climate, where internal communications, donor lists and other info can be leaked to score propaganda points or threaten to be leaked to extort a substantial payment.
New Threats Nonprofits Have to Worry About
The main types of threats nonprofits are facing in 2022 are pretty much the main ones they've been dealing with for the last five years or so.
Phishing, which primarily takes the form of emails that trick the recipient into sharing their credentials or opening files containing malware, is still the most common way hackers get into organizations. Other common “attack vectors” include vulnerability scanning — where hackers scan your networks for known, exploitable flaws — and the use of stolen or guessed credentials.
Ransomware is still among the most common and dangerous forms of malware out there. It works by encrypting all of your files and demanding payment for restoring your access to them. The government estimates that victims spent $400 million in ransomware payments in 2020. Other reports put the total cost of ransomware to the economy in the tens of billions.
As mentioned, ransomware gangs have started to combine ransomware attacks with extracting and threatening to release sensitive internal data in recent years. This is referred to as “double extortion ransomware.” A common way to recover from ransomware without paying a ransom is to restore your data from unaffected backups; double extortion ransomware increases the likelihood that you’ll pay regardless.
Here are two newer threats to be aware of:
- Cryptojacking. Hackers have started installing cryptominers on the systems they infiltrate — basically, turning them into processors for some kind of cryptocurrency. In that case, you may notice your computer being slower than usual and/or your CPU usage spiking.
- Deepfake. This is when someone uses video and audio tech to successfully impersonate another person. The hysteria surrounding deepfakes is a little excessive considering its rarity. It's still something to look out for, especially if you're a high-profile organization, you do a lot of work remotely, and/or are involved in the recruiting or hiring process.
5 Inexpensive Ways for Nonprofits to Increase Their IT Security
1. Multifactor Authentication
Multifactor Authentication (MFA) is when you have to provide multiple proofs of identity, such as a code texted to your phone, in addition to a username and password. It ensures that even if someone steals your credentials, they still won't be able to log in to your account. MFA has become a must-have to the extent that insurance companies now require it to qualify for cyber insurance.
Setting up MFA with services, like Microsoft 365, is often easy, taking a couple of clicks, and usually available for no additional cost.
2. SMS Multifactor Authentication
Be careful with this one. There have been cases of hackers using SIM swapping to get access codes for accounts using MFA. The best way to avoid this is to use authentication apps, like Microsoft Authenticator. Instead of sending the access code to a phone number, it allows users to confirm via an app.
3. Cloud and SaaS
Cloud services have been compared to utilities since users purchase resources from them, often paying on a per-use basis rather than having to set up the expensive infrastructure. In fact, with certain tech-like websites and email, it makes as much sense to host rather than dig out your own coal and start your own power plant just for your business.
This extends to security, too. Cloud providers, like Amazon Web Services and Microsoft Azure, and SaaS providers, like Dropbox and Asana, can afford the best cybersecurity systems, tools and employees in the world. So when you use these solutions, it's like you have your own $250,000 cybersecurity expert protecting your assets for the much smaller amount you're paying for the service.
So many successful hacking attempts are the result of people in the victimized organization not understanding basic security best practices, such as:
- Selecting strong passwords
- Not clicking on links or opening attachments in suspicious emails
- Not enabling macros on Microsoft Office files
- Checking the sender address on emails to ensure it matches the "from" name
Share free resources with your employees via email every six months to a year to educate them on or remind them of cybersecurity best practices.
5. External Email Tagging as well as SPF, DKIM and DMARC
As mentioned, email is one of the top ways cybercriminals hack into businesses. External tagging alerts users whenever they're reading an email from outside the organization. This helps protect you from phishing scams, and encourages employees to be more vigilant when clicking on links and opening files in emails in general.
When sending email, sender policy framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) prevent scammers from spoofing your domain, or making the email look like it is coming from your genuine email account.
6. Managed Services
A managed services provider — often a team of five or more IT experts — can manage, monitor and protect your IT 24/7, often for less than hiring a single, in-house IT specialist, which typically costs at least $70,000 in salary, benefits and onboarding costs. In contrast, managed services providers usually charge around $125 to $150 per user per month.
In addition, an in-house employee isn't going to be available around the clock to deal with security problems, and won't have the resources to deal as effectively with as many threats as a full team.
Eric Schlissel is the CEO/chief technology officer at XOverture, which specializes in helping nonprofit organizations set up, manage and support tech they'll love. Eric is a nonprofit tech and cybersecurity thought leader who has been featured in publications, including the Los Angeles Times, Wired, PCMag and more.