A Sensible Approach to Cybersecurity for Not-For-Profit Organisations
The state of cybersecurity
Cybersecurity is a ubiquitous concern for all organisations in 2021; the rate of cybersecurity incidents has steadily increased over the past two decades and risen steeply in the past 3 years.
Organisations of all sizes and shapes find themselves at risk and none more so than non-profit organisations who have always faced unique risks and typically tend to have more limited defences in place than other organisations.
It’s helpful for non-profit organisations to have a foundational understanding of what a “good” approach to cybersecurity entails.
What are the statistics around cybersecurity for not-for-profit organisations?
As if you needed any convincing (after all, you are reading this article), here are some recent statistics that speak for themselves…
There are thousands of hacking attempts made every day — There are cyberattack attempts happening all the time, and while it is important to note that these are simply active efforts by cybercriminals, most are unsuccessful, and most are not directed against non-profit organisations. But this extraordinary rate of activity does speak to the dangers as criminals are actively trying to breach networks and steal data. This is happening around the clock and the risk is real.
By 2020, the estimated number of passwords used worldwide reached 300 billion — Another area of vulnerability that’s been steadily utilised by hackers through the years: insecure passwords. While the statistic above doesn’t necessarily indicate that there are 300 billion insecure passwords, other data does suggest that on average 86% of passwords are weak, meaning that not only are more systems secured by passwords than ever before but most of those systems aren’t very strongly secured at all.
Most non-profit organisations don’t require multi-factor authentication to log into online systems — Multi-Factor Authentication (MFA) requires that users have access to at least two independent means of authorisation to access a system. MFA greatly increases the security of accounts, and most non-profit organisations don’t use it.
More than 70% of non-profit organisations have never had a vulnerability assessment to evaluate their exposure to risk — This statistic might explain why many non-profit organisations don’t take aggressive cybersecurity measures. Most simply haven’t assessed their own levels of risk. A logical first step to improved cybersecurity is to discover where your vulnerabilities lie.
Only 20% of non-profit organisations have policies in place to address cyberattacks — Policies go a long way toward improving response times and mitigating damage, as well as having an important role to play in reducing risk in the first place.
What are the cybersecurity risks for a not-for-profit organisation?
When a not-for-profit organisation is attacked, there are three outcomes that are the most common:
Data breach — A data breach occurs when data is accessed without authorization. This can occur through third-party attacks, malicious insider activity, or simple negligence. The effects of a breach can be devastating, both in terms of reputation damage and regulatory fees.
Downtime — Some cyberattacks are simply purposed to bring down systems. Sometimes, this is done with the intent being to compromise the mission of an organisation; there are many non-profit organisations that have active ideological opponents. Sometimes, attacks aren’t targeted; an employee may accidentally bring a malware-infected device onto the network, for example, which could end up shutting down critical systems. Regardless of intent, though, downtime can impede essential work.
Ransom demand — Ransomware is a type of malicious software that is designed to shut down an organisation’s systems until payment is delivered to the hackers. Once payment is made, hackers will (supposedly) provide access to a “key” that unlocks functionality. Some organisations make the payment and hope the hackers keep their end of the bargain, but this is a dangerous approach that fails as often as it succeeds, can itself be illegal and, even when successful, runs the risk that hackers will see the victim as a soft target and attack them again in the future.
How can you protect your not-for-profit organisation?
So, we’ve painted a bleak picture so far, so let’s get positive!
The good news is that there are sensible steps to take to reduce the risks. Here are some areas to address in your organisation to protect yourselves from a cyberattack:
The misconception that they will not be targeted leads many non-profit staff to value productivity over security.
Helping staff to understand the risks they face is a good first step in enhancing security readiness. Basic security education is critical. There is now a wealth of resources for organisations looking to enhance their security readiness.
At Supreme Systems we’ve partnered with industry-leader KnowBe4 to provide cyber-awareness training that incorporates simulated attacks, monitoring, reporting and multi-media training resources. This solution works in the background and is non-disruptive, while being proven to increase the ability of your staff to both identify and respond to attacks properly.
Good Password Practice
The single most important step that individuals can take towards protecting their organisation, and yet far too many passwords are weak, or worse, reused in multiple accounts. Security levels can be greatly increased by following best practices.
Unique passwords should be used for every account or system that a user has access to. This has the obvious benefit that a breach of one will not immediately lead to a breach of many.
All user-chosen passwords should meet the following complexity requirements:
· Contain at least one of each of the following character types: alphabetic uppercase, alphabetic lowercase, numeric, and symbol.
· Be at least 8 characters in length. Ideally longer.
Passphrases can be used to increase the length of passwords. Although they lack total randomness, the extra length does provide extra security, and they are easier for a human to memorise. If you adhere to the complexity requirements above when creating a passphrase, they are an option.
However, an even better solution is a password manager, which will do the generating and remembering of passwords for you, allowing for unique, long, complex, and completely random passwords to be used, without inconveniencing your users.
Abiding by these guidelines at a personal level will have a major impact on security at organisational levels.
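As an added illustration (not code from the original article or from Supreme Systems), the following Python audit checks a set of stored passwords against the complexity rules above and flags passwords reused across accounts; the account names and passwords are constructed sample data.

```python
from __future__ import annotations

import hashlib
import string

MIN_LENGTH = 8  # the article's minimum; longer is better


def complexity_problems(password: str) -> list[str]:
    """Return the complexity rules from the policy that `password` fails.

    An empty list means the password meets every rule."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def reused_passwords(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Group account names that share a password.

    Passwords are grouped by a SHA-256 fingerprint so the report can refer
    to a group without echoing the plaintext."""
    groups: dict[str, list[str]] = {}
    for account, pw in accounts.items():
        fingerprint = hashlib.sha256(pw.encode()).hexdigest()[:12]
        groups.setdefault(fingerprint, []).append(account)
    return {fp: names for fp, names in groups.items() if len(names) > 1}


def audit_accounts(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Per-account findings: complexity failures plus a note naming the
    other accounts that share the same password."""
    findings = {name: complexity_problems(pw) for name, pw in accounts.items()}
    for names in reused_passwords(accounts).values():
        for name in names:
            others = sorted(n for n in names if n != name)
            findings[name].append("reused across: " + ", ".join(others))
    return findings


# Constructed sample data: one reused password, one passphrase, one weak password.
SAMPLE_ACCOUNTS = {
    "donor-crm": "Summer2021",
    "payroll": "Summer2021",
    "email": "correct-Horse-battery-9!",
    "website": "pass",
}
```

Running `audit_accounts(SAMPLE_ACCOUNTS)` reports the passphrase as compliant, the two "Summer2021" accounts as lacking a symbol and sharing a password, and "pass" as failing four rules.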
Not-for-profit organisations of all sizes need a set of written IT security policies.
But experience has shown us too that many organisations have outdated policies that no one references or staff who don’t know what their organisation’s policies are or what they cover. Even worse, many organisations only realize too late that they don’t have a policy at all.
You should have written, regularly updated security policies tailored to your organisation. These should be viewed as living documents that reflect changes in technologies, priorities, and assets as they develop.
Importantly, your policies should have the full support and buy-in of the organisation’s executive leadership and your staff should be familiar with your policies, understand the reasons behind them, and should know how to consult administrators with questions.
The final component of strategy (and what most people think of when they consider cybersecurity) is technology implementation and management.
An effective security strategy requires a multi-layered approach. Let’s take a brief look at some of the essentials…
Software protections — Contemporary research shows that anti-virus (and anti-malware) is stopping only about 40–50% of malicious software. We do expect to see improvements in anti-virus effectiveness over time, and still view the software as a key component of an effective security strategy. It’s important to note, though, that to be effective, any anti-virus solution needs to be managed and maintained on a regular basis.
Hardware protections — The internet is the primary means of entry for cyber-criminals to attack your systems — no surprise there. So, it makes sense that one of the most critical security components is the Firewall that sits at this point of entry. It is vital that your firewall is kept updated and is configured properly.
Patching and updating — Most cyber-attacks are perpetrated by exploiting vulnerabilities in operating systems and applications. For this reason, it is essential that your systems are supported by the respective developer/manufacturer and that you continually update them with the latest patches to proactively minimize these risks. A good IT service provider will include “patch management” as a part of their IT support services, or you should ensure that your internal IT personnel have a regular schedule for deploying updates.
Backups and Recovery — If disaster strikes, or if you are compromised by hackers or a disgruntled employee, you will need to restore from your most recent backup. A good backup strategy is a key component of an effective security plan: it should be automated, to prevent human error, and have both onsite and offsite components so that you have multiple sources to recover from. Your organisation should regularly conduct test restores to make sure your processes work before you need them to.
Taken together, these technical considerations can lower the risk of a successful cyberattack on your organisation considerably, and they are critical components of our next two subjects too: cyber-insurance and certification/compliance.
Cyber-insurance is increasingly a point of consideration for non-profit organisations but determining your need for it is complex.
Cyber-insurance works like other forms of insurance, you pay a premium and receive varying types and degrees of coverage against cybersecurity damages. Just like other forms of insurance, cost varies based on your level of risk. So, if you are at higher risk, you’ll pay more for insurance.
Taking a proactive approach to cybersecurity will reduce your risk, reducing your need for cyber-insurance in the first place. Generally, though, if you are processing payment information or storing personal data, your organisation may be vulnerable to extensive cyber damages and seeking coverage may make sense. In that case you’ll need to ensure a holistic view of cybersecurity is taken, both to meet the requirements for insurance and to keep premiums affordable.
Certification and compliance
An oft-overlooked component of cyber-security, achieving a cyber-security standard, such as the UK Government & National Cyber Security Centre (NCSC) sponsored Cyber Essentials scheme, is in fact a strong step to consider early.
The very process of becoming certified will involve auditing your organisation’s IT systems, identifying where the risks are and ensuring sensible mitigations and policies are in place.
The added benefit is that your organisation can demonstrate to stakeholders and other interested parties your commitment to data security by displaying your certification status, not only at your physical location(s) but also electronically on your website, social marketing, and in email signatures, etc.
Working with a certification partner, such as Supreme Systems, will ensure the process of becoming certified is non-disruptive and delivered on a schedule that works for you.
Ready to take the first steps toward better cybersecurity?
Congratulations, you’ve made it here. You’ve reviewed the foundations of cybersecurity and hopefully, the information we’ve covered provides a solid starting point for implementing cybersecurity strategy at your not-for-profit organisation.
If you’re ready for IT support and managed services that drastically reduce your cybersecurity risk, get in touch with us.